Hello, welcome to the Monday, September 3rd, 2018 edition of the Sandstone at Storm Center's Stormcast. My name is Johannes Ulrich. And I'm recording from Amsterdam, Netherlands. When I recorded on Friday, I totally forgot that it's Labor Day today on Monday in the United States. Typically, I don't have a podcast, but since I announced that there will be one on Monday,

I'll do at least a brief one today.

Max security expert Patrick Waddle off Objective C published another blog post showing how custom

URL schemes can be abused on OS10 and

Mac OS systems.

What this is all about is the beginning of a URL.

If the URL starts with HTTP or HTTP then of course Safari is launched by default. Well, a different software can register

its own custom URL schemes. So for example, if a URL starts with Skype colon, Skype

can automatically register itself to actually then launch whenever a user clicks on such a URL.

The problem here is that the registration actually doesn't require that the user launches

any software.

All the user has to do is download a SIP archive and if Safari automatically unsips it,

the SIP archive now contains an info.p.P.L.L.S. file, then any actions defined in this file

will automatically be registered. And apparently this has been used in some advanced attacks.

The attacker will trick the victim to visit a malicious website.

That typically happens via a spearfishing attack.

Once the user visits the website, then the download is triggered off the SIP archive and then a custom action is

registered to launch code once the user then clicks on a second URL that does take

advantage of this custom scheme so the problem here is that exploitation is very

simple the best thing you can do right now is to not

automatically open safe file types in OS10 and macOS. This is not disabled by default in these

operating systems, so you have to disable this in Safari.

...