The Dropbox red team accidentally discovered a zero day in Apple software. While one of the company’s teams was investigating how its software responds to cyber-attacks, it discovered a number of zero-day vulnerabilities.
The Offensive Security red team – a group of specialists tasked with attacking the system to detect vulnerabilities – discovered a number of vulnerabilities within the Apple Safari browser. In a blog Chris Evans, security boss of Dropbox, describes how it went.
Simulate attack
The red team simulated a cyber attack with the help of the company Syndis to find out if Dropbox was easy to hack. At the same time, the team watched how quickly the attack was discovered and what was the exact reaction of the team dealing with data leaks. In this way, all processes within Dropbox could be subjected to a test.
The plan was to find new ways to break into Dropbox. But even if no ways were found, we would still simulate the effects of a leak by placing malware ourselves (of course, we would do this very discreetly and make sure that the detection and response team wouldn’t notice it), writes Evans.
But while the team was preparing to simulate a data leak, they found out that it wasn’t necessary at all. Syndis discovered an exploitative series of zero days in Apple’s software. The bugs, which affected all macOS versions before 10.13.4, allowed attackers to execute code on the victim’s system, simply by visiting a malware domain.
The vulnerabilities
The vulnerabilities affected all Safari users. The first bug, CVE-2017-13890, allowed attackers to abuse Safari to automatically download and install disk images. CVE-2018-4176 then uses the disk to launch an app without the user’s permission.
Finally, CVE-2018-4175, which allowed new file formats to be registered, and apps that were considered safe, have been launched. This allowed the researchers to execute malware and ensure that Dropbox could be cracked. The researchers informed Apple of this on 19 February 2018, after which a fix was released on 29 March.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.