Thursday, September 23, 2021

Questionable RCE with .webloc/.inetloc files

A report surfaced recently that at least some recent versions of macOS can be exploited to run arbitrary local applications using .inetloc files, which may allow a drive-by download to automatically kick off a vulnerable application and exploit it. Apple appeared to acknowledge the fault, but did not assign it a CVE; the reporter seems not to have found the putative fix satisfactory and public disclosure thus occurred two days ago.

The report claims the proof of concept works on all prior versions of macOS, but it doesn't seem to work (even with a corrected path) on Tiger. Unfortunately, due to packing I don't have a Leopard or Snow Leopard system running right now, so I can't test those, but the 10.4 Finder (which would launch these files) correctly complains they are malformed. As a safety measure in case there is something exploitable, the October SPR build of TenFourFox will treat both .webloc and .inetloc files that you might download as executable. (These files use similar pathways, so if one is exploitable after all, then the other probably is too.) I can't think of anyone who would depend on the prior behaviour, but in our unique userbase I'm sure someone does, so I'm publicizing this now ahead of the October 5 release. Meanwhile, if someone's able to make the exploit work on a Power Mac, I'd be interested to hear how you did it.
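As an added illustration of the defensive side (this is not code from TenFourFox or from the original report), the snippet below does two things a download handler or a scanner might do: treat any download whose name ends in .webloc or .inetloc as executable, and classify the URL embedded in such a file so that ones pointing at the local filesystem can be flagged. It assumes the modern property-list layout with a top-level `URL` key; the sample files are constructed here, not real artefacts.

```python
import plistlib
from urllib.parse import urlsplit

# Extensions the handler treats as executable, case-insensitively.
LOCATION_FILE_EXTS = (".webloc", ".inetloc")


def is_location_file(filename: str) -> bool:
    """True if the download name carries an extension treated as executable."""
    return filename.lower().endswith(LOCATION_FILE_EXTS)


def classify_location_file(data: bytes) -> str:
    """Classify the URL stored in a .webloc/.inetloc property list.

    Assumption: the file is an XML or binary plist whose top-level dict has
    a 'URL' string (older resource-fork-only variants are not handled).
    Returns 'remote' for http/https, 'local' for file: or scheme-less
    paths, 'other' for any other scheme, and 'malformed' if the plist
    cannot be parsed or carries no usable URL.
    """
    try:
        plist = plistlib.loads(data)
    except Exception:
        # Covers both XML parse errors and invalid binary plists.
        return "malformed"
    url = plist.get("URL") if isinstance(plist, dict) else None
    if not isinstance(url, str) or not url.strip():
        return "malformed"
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme in ("http", "https"):
        return "remote"
    if scheme in ("", "file"):
        return "local"
    return "other"


# Constructed samples for a quick self-check (not real files).
REMOTE_SAMPLE = plistlib.dumps({"URL": "https://www.floodgap.com/"})
LOCAL_SAMPLE = plistlib.dumps({"URL": "file:///Applications/Example.app"})
OTHER_SAMPLE = plistlib.dumps({"URL": "ftp://example.invalid/"})
BROKEN_SAMPLE = b"<plist>this is not a property list"

if __name__ == "__main__":
    for name, blob in (("remote", REMOTE_SAMPLE), ("local", LOCAL_SAMPLE),
                       ("other", OTHER_SAMPLE), ("broken", BROKEN_SAMPLE)):
        print(name, "->", classify_location_file(blob))
```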

Saturday, September 4, 2021

TenFourFox FPR32 SPR4 available

TenFourFox Feature Parity Release 32 Security Parity Release 4 "32.4" is available for testing (downloads, hashes). As before, there are no changes to the release notes and nothing notable about the security patches in this release. Assuming no major problems, FPR32.4 will go live Monday evening Pacific time as usual. The final official build, FPR32.5, remains scheduled for October 5, so later this month we'll take a brief look at your options should you wish to continue building from source after that point.