Dropbox Accidentally Discovers Apple Zero-Day Exploit Chain
Dropbox’s red team revealed this week that they accidentally stumbled upon a set of zero-day vulnerabilities in Apple’s Safari browser.
According to Dropbox’s head of security Chris Evans, the team found the bugs while conducting an attack simulation on their cloud storage system with penetration test firm Syndis. The vulnerabilities, which impact macOS before 10.13.4, could allow attackers to execute arbitrary code on a victim’s system when the victim simply visits a malicious web page.
The bugs, CVE-2017-13890, CVE-2018-4176, CVE-2018-4175, and CVE-2018-4389, had already been reported to Apple last February 19.