Apple appears to have silently patched a vulnerability in macOS that would have allowed attackers to bypass the operating system's built-in file quarantine system and execute malicious JavaScript code.

The issue was discovered by Italian security researcher Filippo Cavallarin, of security firm Segment, who used Beyond Security's SSD (SecuriTeam Secure Disclosure) program to report the flaw to Apple in a secure and responsible manner.

Beyond Security says its experts forwarded Cavallarin's finding to Apple on July 27 this year. Yesterday, the SSD team said that after inspecting macOS High Sierra (10.13), Apple appears to have patched the issue without mentioning it in this month's security update.

Exploit leverages local Apple HTML file to run malicious code

Seeing that Apple appears to have resolved the bug, Cavallarin published details about the vulnerability on his blog yesterday. In short, this is how the researcher describes the flaw:

Basically, Apple's Quarantine works by setting an extended attribute to downloaded files (and also to files extracted from downloaded archive/image) that tells the system to open/execute those files in a restricted environment. For example, a quarantined HTML file won't be able to load local resources.

The vulnerability is in one HTML file [rhtmlPlayer.html], part of the Mac OS X core, that is prone to a DOM Based XSS allowing the execution of arbitrary JavaScript commands in its (unrestricted) context.

The exploit chain Cavallarin devised starts from a malicious .webloc file that loads the local rhtmlPlayer.html file and triggers the XSS flaw in it; the attacker's JavaScript then runs in rhtmlPlayer.html's own, unrestricted context, sidestepping the restriction macOS places on quarantined files loading local resources.

When a user receives the file and opens it, Apple's quarantine system still blocks the .webloc itself from loading local resources, but the file hands its malicious code to the local rhtmlPlayer.html, which executes it with full access to local operating system resources.

Mitigation advice

Cavallarin recommends that users upgrade to macOS High Sierra (10.13) or simply remove rhtmlPlayer.html to stay protected. The researcher said the issue affects macOS versions 10.12, 10.11 and 10.10, and probably earlier releases as well.
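The quarantine mechanism described in Cavallarin's quote above and the mitigation advice in this section can both be checked from the defender's side by reading the com.apple.quarantine extended attribute that macOS stamps on downloaded files. The script below is an added example for this article and is not code from Cavallarin or from Apple. It assumes the attribute's value has the layout "flags;timestamp;agent[;uuid]" (hex flags, hex Unix timestamp, downloading application, optional event UUID), which is the documented macOS behaviour; the sample value and the directory walk over .webloc and HTML files are constructed for illustration. On a system without xattr support, or for a file that carries no attribute, the reader simply reports None.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Name of the extended attribute macOS sets on downloaded files
# (and on files extracted from downloaded archives and disk images).
QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample value in the assumed "flags;timestamp;agent;uuid" layout.
SAMPLE_VALUE = "0081;5fa1b2c3;Safari;F1D2C3B4-0000-1111-2222-333344445555"


@dataclass
class QuarantineInfo:
    flags: int           # raw hex bitmask recorded by the downloading app
    timestamp: int       # Unix time of the download, stored in hex
    agent: str           # application that downloaded the file, e.g. "Safari"
    uuid: Optional[str]  # optional reference into the QuarantineEvents database


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the semicolon-separated value of com.apple.quarantine.

    The flag bits are returned raw: their individual meaning is not part
    of the article, and presence of the attribute is what matters here.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    timestamp = int(parts[1], 16)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, timestamp, agent, uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the parsed quarantine attribute of `path`, or None if absent.

    os.getxattr is only meaningful for this attribute on macOS; on other
    platforms, on missing files, or on files without the attribute the
    call fails and None is returned.
    """
    try:
        raw = os.getxattr(path, QUARANTINE_XATTR)
    except (OSError, AttributeError):
        return None
    return parse_quarantine(raw.decode("utf-8", errors="replace"))


def audit_directory(root: str,
                    suffixes: Tuple[str, ...] = (".webloc", ".html", ".htm")
                    ) -> List[Tuple[str, QuarantineInfo]]:
    """List quarantined files under `root` whose names end in `suffixes`.

    .webloc and HTML files are the file types involved in the chain the
    article describes; a quarantined .webloc in a Downloads folder is the
    kind of file a user would double-click. A missing root yields [].
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            info = read_quarantine(full)
            if info is not None:
                findings.append((full, info))
    return findings


if __name__ == "__main__":
    # Example run: report quarantined web/HTML files in the user's Downloads.
    downloads = os.path.expanduser("~/Downloads")
    for path, info in audit_directory(downloads):
        print(f"{path}: downloaded by {info.agent} (flags=0x{info.flags:04x})")
```

The attribute only tells you that a file was downloaded and by which application; whether the restricted environment actually holds is a separate question, which is exactly what the rhtmlPlayer.html flaw undermined. Removing that file, as the researcher suggests, closes the unrestricted context that quarantined content could reach, independent of what the attribute says.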

Full technical details are available on Cavallarin's blog. The researcher also recorded a video demonstrating how an attacker could exploit the flaw to run code on a user's machine.