
Remote Mac Exploitation via Custom URL Schemes - mef
https://objective-see.com/blog/blog_0x38.html
======
netgusto
To sum it up:

* macOS automatically registers an application as the default handler for any custom URL schemes it declares, as soon as the app is downloaded (this happens automatically when the app hits the hard drive)

* Such custom URL schemes linked to a malicious app may be opened via JavaScript automatically on a webpage, leading to the app's execution by the system

* The system asks for permission to launch the app the first time. The name of the app as displayed in the permission box is app-controlled, so it can spoof its identity or use a cute name with emojis to make it less suspicious (as per the article)
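
The three points above name the moving parts: a scheme declared in the app bundle's Info.plist, a web page that opens it, and a permission dialog showing an app-chosen name. The Python script below is an added example, not code from the original post or from Objective-See; it parses an app bundle's CFBundleURLTypes so a defender can list which schemes a downloaded app would register and whether its display name looks out of step with its bundle identifier. The embedded plist is constructed for the example, the WELL_KNOWN_SCHEMES set and the display-name heuristic are this example's own choices rather than any Apple rule, and the function names are assumptions.

```python
import plistlib
import sys
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample Info.plist (not from any real app). The display name is
# chosen to look like an Apple component while the bundle identifier is not
# Apple's, to show why the name in the permission dialog proves nothing.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.updater</string>
  <key>CFBundleDisplayName</key>
  <string>Apple Software Update</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key>
      <string>Updater link</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>updaterx</string>
        <string>UpdaterX-Beta</string>
      </array>
    </dict>
    <dict>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>https</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""

# Illustrative list for this example: schemes a third-party app rarely has a
# good reason to claim, since claiming one lets it receive ordinary links.
WELL_KNOWN_SCHEMES = {"http", "https", "mailto", "ftp", "file"}


@dataclass
class SchemeReport:
    bundle_id: str
    display_name: str
    schemes: list
    findings: list = field(default_factory=list)


def audit_info_plist(data: bytes) -> SchemeReport:
    """Parse an Info.plist and list the URL schemes it registers."""
    plist = plistlib.loads(data)
    bundle_id = plist.get("CFBundleIdentifier", "")
    display_name = plist.get("CFBundleDisplayName") or plist.get("CFBundleName", "")
    schemes = []
    for url_type in plist.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.append(scheme.lower())  # scheme matching is case-insensitive
    report = SchemeReport(bundle_id, display_name, schemes)
    if schemes:
        report.findings.append(
            f"registers {len(schemes)} URL scheme(s): {', '.join(schemes)}")
    for scheme in schemes:
        if scheme in WELL_KNOWN_SCHEMES:
            report.findings.append(
                f"claims well-known scheme '{scheme}' (would intercept ordinary links)")
    # Heuristic of this example, not an Apple rule: an Apple-looking display
    # name on a non-Apple bundle identifier deserves a second look.
    if "apple" in display_name.lower() and not bundle_id.startswith("com.apple."):
        report.findings.append(
            f"display name '{display_name}' does not match bundle id '{bundle_id}'")
    return report


def audit_bundle(app_path: Path) -> SchemeReport:
    """Audit a real .app bundle on disk (Contents/Info.plist)."""
    return audit_info_plist((app_path / "Contents" / "Info.plist").read_bytes())


def scan_directory(root: Path) -> list:
    """Return reports for every *.app directly under root that declares a scheme."""
    reports = []
    for app in sorted(root.glob("*.app")):
        try:
            report = audit_bundle(app)
        except (OSError, plistlib.InvalidFileException):
            continue
        if report.schemes:
            reports.append(report)
    return reports


if __name__ == "__main__":
    # With a directory argument (e.g. /Applications) audit real bundles;
    # without one, run against the constructed sample.
    if len(sys.argv) > 1:
        reports = scan_directory(Path(sys.argv[1]))
    else:
        reports = [audit_info_plist(SAMPLE_INFO_PLIST)]
    for r in reports:
        print(f"{r.bundle_id} ({r.display_name!r})")
        for finding in r.findings:
            print(f"  - {finding}")
```

Run it with a directory such as /Applications or ~/Downloads to audit real bundles; with no argument it reports on the sample. Note that it reads only what each bundle declares, not the LaunchServices database that records which app the system has actually made the handler, so it shows what a freshly downloaded app is able to claim rather than who currently owns a scheme.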

~~~
jsjohnst
> The system asks for permission to launch the app the first time.

A small point, but one I think is important: you'll be asked not once, but
twice for confirmation. The first confirmation is for the custom URL scheme,
the second confirmation is for file quarantine for the newly downloaded app.

While I think the default of “opening safe files” is utterly bat shit stupid,
Apple has done a fair amount here to block this “attack” vector otherwise.
It’s asinine to me this “attack” would work on a security minded user as the
article indicates the presenter said, but I guess the adage that “everyone
makes mistakes sometimes” explains it.

~~~
s-y-n-syn-a-c-k
From the article: "In its default configuration, Gatekeeper allows signed
applications. The malware used by the WINDSHIFT APT group was signed (as is
most Mac malware these days). So Gatekeeper doesn't even come into play!"

So as long as the app is signed, there are no secondary prompts from
Gatekeeper.

~~~
jsjohnst
Sorry to burst your bubble, but all executable downloads get quarantine
dialog. If the binary wasn’t signed, then it wouldn’t be a dialog with a
“proceed” equivalent option, it would be a full stop (unless you turned off
the requirement).

~~~
s-y-n-syn-a-c-k
There is no bubble to burst.

What you said is untrue in High Sierra and maybe other versions. Go out and
download a signed executable. If I download and execute a signed package from
the Internet, I receive no warning. If that package installs a URL scheme
helper, I always receive "would you like to run xxxxxx" from Safari.

The article even says Gatekeeper does not come into play with signed apps. So
you are refuting the article's accuracy?

[https://support.apple.com/en-us/HT202491](https://support.apple.com/en-us/HT202491)

~~~
jsjohnst
Quarantine != Gatekeeper. They are two different things, stop conflating them.
_Even with a signed app, you’ll get the quarantine dialog_. See this Apple
Support page for confirmation and to see an example:

[https://support.apple.com/en-us/HT201940](https://support.apple.com/en-us/HT201940)

------
tinus_hn
This is a serious issue in Mac OS X but I don’t see how it ties in with the
‘use Google Chrome if you want to be secure’ spiel. Don’t open untrusted
archives if you want to be secure would be better, if impractical, advice.

~~~
jwandborg
It might be that Google Chrome does not automatically unpack zip archives.

------
dep_b
Great research, it's important that macOS security gets some attention as
people are lulled too much into a false sense of security nowadays. Also check
out the tools on his site. They're great. Always running BlockBlock, this
helps a lot.

------
z3t4
Somewhat related: I got a weird bug on my web page where some links open a new
tab and navigate to a seemingly random page from the browser history. But
there doesn't seem to be anywhere to report the bug, and it has existed for over
a year.

~~~
blacksmith_tb
I doubt that's related, but allow me to suggest creating a new browser profile
like this for Firefox [1] or this for Chrome [2]. If that doesn't fix the
problem, a quick search for 'report bug Firefox Chrome' will allow you to file a
bug report. Or were you using Safari? My solution for that would be to switch to
Firefox...

1: [https://support.mozilla.org/en-US/kb/profile-manager-create-...](https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles)

2: [https://support.google.com/chrome/answer/2364824?co=GENIE.Pl...](https://support.google.com/chrome/answer/2364824?co=GENIE.Platform%3DDesktop&hl=en)

~~~
z3t4
It's Safari. And I do tell people to use Firefox instead, but not everyone is
OK with that solution.

------
auslander
> And if you're a Mac user concerned about security, use Google Chrome

and surrender your privacy to Google, have no functioning private browsing,
etc. That makes me rethink objective-see tools.

------
whywhywhywhy
> If the Mac user is using Safari, the archive will be automatically unzipped,
> as Apple thinks it's wise to automatically open "safe" files. This fact is
> paramount

This hasn't been true for a long time; the automatically open 'safe' files
option has been turned off by default for years now.

Though the option should be removed altogether, really.

~~~
netgusto
Not true from my experience. Just checked in Safari on an up-to-date system
(High-Sierra, patches applied) and the option is On by default in Safari
preferences (I never changed this setting).

~~~
cjcampbell
I can verify as well. I’m in the process of setting up a new Mac and had to
turn this off yesterday.

