TMCnet Feature
October 19, 2021

Big Sur Update Stops Arbitrary Code Execution from Faulty Documents

While macOS Big Sur was promoted as Apple's most secure desktop operating system to date, a potential exploit actually allowed bad actors to execute arbitrary code when users attempted to open a malicious PDF file. The document in question would have to be crafted in a specific way in order to take advantage of the exploit, which Apple says may have been actively used at one point. Though it's unclear whether or not this constitutes a full zero-day exploit that could ever have been a major threat to Macintosh users, an update to the CoreGraphics system is said to have corrected it.

Naturally, concerned users should install this update, which patches CoreGraphics to prevent a possible integer overflow. Considering that many people who elect to use the Macintosh platform do so because they want a strong typesetting experience, it does seem very interesting that this exploit revolves around a PDF document.

It also helps to point out the fact that desktop Macintosh machines may still require a great degree of vigilance on behalf of their users in order to stay safe.

Eliminating the Risk of a Buffer Overflow

When bad actors are able to craft a document with a specific set of internal symbols, they're sometimes able to overflow the buffer that controls the graphics rendering system. This could be done by writing garbage data into a PDF container and forcing it to render the moment the document is opened. It's also theoretically possible to use an exploit found in the Unicode character encoding system by combining characters in ways that the original designers of this technology never imagined.

By doing so, an endless loop could be created that eventually produces a number greater than the maximum value that a single memory location assigned to the CoreGraphics engine, which macOS uses to render PDF documents, is able to hold. Once that has occurred, it could be possible to manipulate related coordinates in RAM so as to allow for execution of malicious code wholly unrelated to document processing.
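The integer overflow described above, illustrated with an added example that is not Apple's CoreGraphics code: a constructed, hypothetical raster-header parser in which a 32-bit size calculation wraps to a value far smaller than the pixel data it must hold, shown next to the checked multiply that rejects such a header (the header struct, field names and sample values are all assumptions).

```c
/* Added example, not Apple's CoreGraphics code: a constructed, hypothetical
 * raster header whose 32-bit size calculation wraps, and the checked version. */
#include <stdint.h>
#include <stdio.h>
/* Hypothetical header for a raster object embedded in a document. */
struct raster_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

/* Constructed inputs: the "bad" header multiplies out to exactly 2^32. */
static const struct raster_hdr bad_hdr = { 0x10000u, 0x10000u, 1u };
static const struct raster_hdr ok_hdr  = { 640u, 480u, 4u };

/* Vulnerable: width * height * bpp is evaluated in 32-bit arithmetic,
 * so a crafted header can make the buffer size wrap to a small value
 * while the decoder still writes width * height * bpp bytes into it. */
static uint32_t unchecked_size(const struct raster_hdr *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Hardened: returns 0 and stores the size in *out, or -1 if either multiply overflows. */
static int checked_size(const struct raster_hdr *h, uint32_t *out)
{
    uint32_t tmp;
    if (__builtin_mul_overflow(h->width, h->height, &tmp))
        return -1;
    if (__builtin_mul_overflow(tmp, h->bytes_per_pixel, out))
        return -1;
    return 0;
}

/* 1 if the unchecked allocation is smaller than the pixel data the
 * header declares (the condition that becomes a heap overflow). */
static int allocation_too_small(const struct raster_hdr *h)
{
    uint64_t need = (uint64_t)h->width * h->height * h->bytes_per_pixel;
    return (uint64_t)unchecked_size(h) < need;
}

int main(void)
{
    uint32_t size;
    printf("bad: unchecked=%u too_small=%d checked=%d\n", unchecked_size(&bad_hdr),
           allocation_too_small(&bad_hdr), checked_size(&bad_hdr, &size));
    return 0;
}
```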

What makes this particular exploit so concerning is the fact that it isn't necessarily linked to one particular front-end, which means it might impact third-party PDF readers as well as the rendering functionality built into applications like Safari.

Dealing with Potential System-wide Exploits

Citing security reasons, Apple isn't forthcoming about when they discovered that this kind of issue could be exploited by bad actors. Supporters of the decision say that's in keeping with Apple's policies, which are designed to protect users from exploits that wouldn't be known without some degree of publicity. It's likely, however, that several other system-wide bugs could potentially allow outside agents to seize control of an otherwise secure computer.

Individual users are asked to be cautious about opening documents that they have received over a network, especially if they don't recognize the sender. While this has always been the case among users of all system software platforms, it's perhaps also important for users to pay close attention to filenames. Malformed names could be a sign of malicious intent.

Traditional family online protection plans will often be more than capable of dealing with the aftermath of these kinds of problems, but it's best to spot them before they become an issue if at all possible. Pay particular attention to filenames that have accented characters in them when they probably shouldn't. This is often a sign that they've been in some way modified.

Data scientists are looking into new ways to harden the OS against similar attacks in the future.

Attempts to Thwart Buffer Overflow Attacks

Requiring end-users to fashion filenames and document contents in a certain way would be unfair to those who need expanded character sets. However, performing a quick check for potential malformed content shouldn't be too difficult. This would be an attractive option for those who often download files from peer-to-peer conferencing services.

Experts are urging users to install existing updates in the meantime and ensure that their existing administrator passwords are sound. While this might not stop all document-related exploits, it should help to improve their security posture to at least some degree.
