
Safari RCE Vulnerability; hackers can remotely execute code in your Apple devices

Confirmed cases of vulnerability exploitation against Apple products remain rare, although reports of newly discovered flaws have become very common. One of the most recent reports was submitted by the Cisco Talos vulnerability research team, which notified the company of a security flaw in the Safari browser.

The report describes a vulnerability in the fonts feature of some versions of the Safari browser. Using a specially crafted HTML web page, a threat actor can trigger a type confusion bug, resulting in memory corruption and potential remote code execution (RCE).

The vulnerability, tracked as CVE-2020-2868, received a score of 8.8/10 on the Common Vulnerability Scoring System (CVSS) scale, making it a moderate-to-high risk security flaw. Along with the report, Cisco Talos sent a proof-of-concept exploit.

The target application must process the crafted HTML page to trigger the vulnerability; in other words, the attacker must trick the victim into visiting a malicious website in order to complete the attack. The following versions of Safari were subjected to vulnerability analysis:

  • Safari version 13.0.3 (15608.3.10.1.4)
  • Safari Technology Preview Release 96 (Safari 13.1, WebKit 15609.1.9.7)

After submitting the report to Apple, the Cisco Talos vulnerability research team issued a series of recommendations to update the affected systems and fully mitigate the risk of exploitation. Users of these deployments are advised to install the security patches (already available) as soon as possible. If updates do not install automatically, users can obtain them through Apple's official update channels.

Security risks for Apple product users have increased significantly over the last few months. Recently, the International Institute of Cyber Security (IICS) reported the detection of a malicious campaign targeting macOS users to infect them with a variant of the malware family known as Shlayer. The attackers tried to trick victims into clicking links to websites loaded with the malware, thereby completing the infection.
