When a file is downloaded from the Internet, macOS places it in “quarantine” by assigning it the com.apple.quarantine extended attribute. This ensures that the user is alerted of the potential security risks before the file is executed.
Cavallarin said he found a way to bypass the file quarantine feature by exploiting DOM-based cross-site scripting (XSS) vulnerabilities in an HTML file named rhtmlPlayer.html, which is stored in the /System/Library/CoreServices folder of the OS.
According to the researcher, this file contains two DOM-based XSS vulnerabilities that can be exploited by hackers via Uniform Resource Identifier (URI) components.
One way to exploit the flaw is to use .webloc files, which allow users to save website addresses to the local system. On macOS, these types of files are automatically opened with the Safari web browser.
The vulnerability is said to affect macOS 10.12, 10.11, 10.10 and likely prior versions of the operating system. The issue was reported to Apple via Beyond Security’s SecuriTeam Secure Disclosure (SSD) program and it was addressed without any mention in macOS High Sierra 10.13, which Apple released earlier this week.
Beyond Security told SecurityWeek that it informed Apple of the flaw on July 27. The company said the tech giant did not respond to its questions regarding the issue in the past two weeks.
SecurityWeek has reached out to Apple for clarifications and will update this article if the company responds.
This is not the only macOS vulnerability disclosed in recent days. Earlier this month, researcher Patrick Wardle demonstrated how unsigned apps can steal data from the Keychain password management system, and how attackers can bypass the Secure Kernel Extension Loading (SKEL) security feature.
Related: Apple Patches Hundreds of Vulnerabilities Across Product Lines