Pen-test at Dropbox turns up three Apple 0-day bugs

  • Liam Tung (CSO Online)
  • 22 November, 2018 09:43

Dropbox’s head of security, Chris Evans, has shared a neat tale about how critical bugs in popular software can get fixed when good hackers do the right thing.  

Evans, who founded Google’s Project Zero team in 2014, knows a thing or two about finding security bugs in widely used software from Microsoft, Apple, Google, Linux and others.

This week he published a blog post about how three flaws in Apple’s macOS software were found by researchers at Syndis, a pen-testing firm hired by Dropbox to test its defenses. Apple patched the bugs in March.

Dropbox had engaged Syndis to “red team” its defenses and test how it would perform “post-exploitation”, that is, once a skilled attacker had already breached one system at Dropbox. How would its detection and alerting program hold up? And how well would its security team respond to an identified breach?

If Syndis couldn’t find an entry point, Evans said, Dropbox was planning to “simulate the effects of a breach by just planting malware ourselves (discreetly, of course, so as not to tip off the detection and response team).”

“However, we didn’t have to simulate this breach. Our third-party partner, Syndis, found vulnerabilities in Apple software we use at Dropbox that didn’t just affect our macOS fleet, it affected all Safari users running the latest version at the time (a so-called zero-day vulnerability),” explained Evans.

The three vulnerabilities Syndis found affected macOS 10.12.6, and involved a bypass of macOS Gatekeeper anti-malware. Chained together, an attacker could use them to take control of a Mac by getting a target, such as a Dropbox employee, to visit a malicious web page with Safari. 

Evans credits Apple for responding promptly to the bug report and fixing the bugs just over one month later, noting this was “much better than the industry norm of ‘within 90 days’”, the timeframe Project Zero gives vendors to fix bugs its researchers report before it discloses them publicly.

He’s also careful to point out that “even if an attacker breaks in and accesses various systems in our environments without triggering an alarm, we have extensive instrumentation to trace activity post-exploitation.” 

For Dropbox, it was a good chance to test how prepared it was against hard-to-detect zero-day vulnerabilities of the type an advanced persistent threat (APT) actor might use.

“We know that we are targeted by adversaries that could develop and use zero-day exploits against us, and we need to protect ourselves accordingly,” wrote Evans. “The risk of getting hit with zero-day exploits is a reality of being connected to the internet, but detecting these is tricky. A powerful zero-day will always gain a foothold, so this was a test of our instrumentation for detecting and alerting on post-exploit activity.”