Until recently, Apple's TextEdit program, which is built into macOS as the default text editor, had a very serious bug. This bug had the potential to reveal your IP address and directory contents, and could even be used to execute JavaScript to completely take over your Mac when combined with other exploits.
The good news is that this flaw was patched by Apple in macOS 10.15 Catalina, released in October 2019. It is an important reminder to update Macs running older versions of macOS.
Why is this important now? Because it highlights a problem that people may not consider when opening text files: because of the way TextEdit handles text files, it is possible to create malicious text files.
In a recent blog post about this bug, cataloged as CVE-2019-8761, security researcher Paulos Yibelo pointed out that Apple's Gatekeeper does not flag suspicious files, even if they are downloaded from the web.
He explained that this is because most anti-virus and security products treat text files as harmless. Text files are inert strings with no hidden attributes and are not supposed to be executed as programs. But TextEdit is not just a text editor. It can also open rich text format files (TextEdit's preferred format), Word documents, and HTML files (the basic building blocks of the Web).
So Yibelo wondered what would happen if he put HTML code in a text file and opened it in TextEdit.
To his surprise, simply opening a text file containing HTML in TextEdit was enough to perform basic HTML and CSS functions and call local resources, but not to access online services.
From there, however, Yibelo discovered that he could make the Mac send drive mount requests to servers on the Internet by calling AutoFS, a function that sends mount requests for external drives.
Doing so reveals your Mac's IP address to the owner of the domain being called, which gives them a pretty good idea of where you are. The Mac user has no way of knowing that anything is going on behind the scenes of an open TextEdit window.
Yibelo discovered that it is possible to craft a text file to list the contents of directories on the user's Mac, including the password directory. While harmless on its own, Yibelo says it is possible to exploit the HTML format to allow the text file to send those details to a remote server.
Yibelo told Vice Motherboard that if the TextEdit exploit is chained with another exploit, the two exploits together could do more damage to Mac security. For example, combining his flaw with CVE-2017-2361, a flaw in the way Safari opens local Help files, would allow text files to execute JavaScript and thus do anything.
"And I think that's basically game over," Yibelo told Vice Motherboard.
That Safari flaw was patched by Apple in early 2017, but similar exploits may still be possible.
You probably haven't heard of this bug, since Yibelo privately disclosed it to Apple in 2019. Apple quietly patched it in the macOS 10.15 Catalina release and in simultaneous security updates to 10.14 Mojave and 10.13 High Sierra.
Apple investigates every claim before releasing or confirming information about the claim. Apple's security update notes, published after the release, do indeed contain a reference to this vulnerability. (Search the page for "Yibelo.")
While the likelihood that you are currently affected by this flaw is very low, it is worth keeping in mind when dealing with seemingly innocuous files online.
If you have a Mac with a pre-Catalina version of macOS, it would be worthwhile to update or, if you cannot use a newer version of macOS, make sure the security update for your version is applied.
It is worth remembering that older versions of macOS are particularly common in companies that rely on older software that is incompatible with newer versions of the OS. Therefore, diligent employees should continue to pay attention to random text files sent via email.
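The point above, that a file named like plain text can carry HTML a renderer will act on, can be turned into a simple check for a mail or download filter. The Python sketch below is an added example, not code from Yibelo's write-up or from Apple; the function names, the tag list and the sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Tags and attributes that matter when a renderer treats "text" as HTML.
KNOWN_TAGS = {"html", "head", "body", "style", "script", "iframe", "img", "link",
              "a", "object", "embed", "meta", "form", "base", "video", "audio"}
RESOURCE_ATTRS = {"src", "href", "data", "action", "background", "poster"}
CSS_REF = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)["']?([^"')\s;]+)""", re.I)

class MarkupFinder(HTMLParser):
    """Collects known HTML tags and every resource reference in the input."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.refs, self._in_style = set(), [], False
    def handle_starttag(self, tag, attrs):
        if tag not in KNOWN_TAGS:   # ignore accidental "<y and y>" in real prose
            return
        self.tags.add(tag)
        self._in_style = tag == "style"
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                self.refs.append((tag, name, value.strip()))
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:          # CSS can pull in resources too
            self.refs += [("style", "css", m) for m in CSS_REF.findall(data)]

def scheme_of(value):
    try:
        return urlsplit(value).scheme.lower() or "relative"
    except ValueError:
        return "unparseable"

def triage_text_file(filename, data):
    """Report HTML markup hiding in a file that is named like plain text."""
    finder = MarkupFinder()
    finder.feed(data.decode("utf-8", errors="replace"))
    finder.close()
    return {"html_in_txt": filename.lower().endswith(".txt") and bool(finder.tags),
            "tags": sorted(finder.tags),
            "schemes": sorted({scheme_of(v) for _, _, v in finder.refs}),
            "refs": finder.refs}

# Constructed samples, not taken from the original report.
SAMPLE_PLAIN = b"Notes: ship only if x<y and y>z.\n"
SAMPLE_HTML = (b"<html><head><style>@import url('file:///PLACEHOLDER/a.css');</style>"
               b"</head><body><img src='file:///PLACEHOLDER/local.png'></body></html>")
```

A filter would quarantine or convert to an image any `.txt` attachment for which `html_in_txt` is true, and treat a non-empty `schemes` list as the stronger signal, since it means the file would try to load something when rendered.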