Last updated at Thu, 31 Aug 2017 13:47:35 GMT
This week's update brings a fun user-assisted code execution bug in Safari. It works by opening up an "applescript://" URL, which pops an AppleScript editor, and then getting the user to hit Command-R (normally the keybinding for reloading the page). The key combo will pass down to the editor and run the script.
There is a mitigating factor here in the form of Gatekeeper, part of Apple's "walled garden" architecture, designed to protect users from people who haven't given Apple $99. In its default setting on Mountain Lion and newer, Gatekeeper will pop up a couple of "Are you sure?"s before letting the user give you a shell. But hey, signed Java applets are still moderately effective at getting shells in phishing campaigns in spite of click-to-play, so chances are still pretty good.
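On the defensive side, a mail or web content filter can flag markup that points at the "applescript://" scheme described above. The check below is an added example, not code from the original post or from Metasploit; the attribute list, the function and class names, and the sample markup are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

BLOCKED = {"applescript"}   # the scheme named in the post
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.\-]*):", re.I)
META_URL_RE = re.compile(r"url\s*=\s*['\"]?(.*)", re.I | re.S)

def scheme_of(url):
    """Scheme as a browser reads it: tab/CR/LF dropped, leading junk trimmed."""
    cleaned = re.sub(r"[\t\r\n]", "", url).lstrip("".join(map(chr, range(33))))
    m = SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else ""

class SchemeAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        attrs = {k: v or "" for k, v in attrs}  # values arrive entity-decoded
        urls = [(k, v) for k, v in attrs.items() if k in URL_ATTRS]
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            urls += [("content", u) for u in META_URL_RE.findall(attrs.get("content", ""))]
        for attr, value in urls:
            if scheme_of(value) in BLOCKED:
                self.findings.append((self.getpos()[0], f"<{tag} {attr}>"))

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        # Inline script is opaque text here: flag a literal "<scheme>:" token.
        hits = (m.group(1).lower() in BLOCKED for m in SCHEME_RE.finditer(data))
        if self._in_script and any(hits):
            self.findings.append((self.getpos()[0], "<script>"))

def audit(html):
    parser = SchemeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; "placeholder" stands in for any URL body.
SAMPLE = """<a href="AppleScript://placeholder">mixed case</a>
<meta http-equiv="refresh" content="0; url=applescript://placeholder">
<script>location = "applescript://placeholder";</script>
<a href="/docs/applescript://notes">path, not a scheme</a>"""
```

`audit(SAMPLE)` returns one `(line, location)` pair for each of the first three lines and nothing for the last, where the string appears only inside a relative path.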
You can see all the changes since the last wrapup on GitHub: 4.11.4-2015101401...4.11.4-2015102801
Exploit modules
- Nibbleblog File Upload Vulnerability by Roberto Soares Espreto and Unknown
- Zpanel Remote Unauthenticated RCE by Brad Wolfe, Brent Morris, Dawn Isabel, and James Fitts exploits CVE-2013-2097
- Safari User-Assisted Applescript Exec Attack by joev exploits CVE-2015-7007
- X11 Keyboard Command Injection by xistence
Auxiliary and post modules
- ElasticSearch Snapshot API Directory Traversal by Benjamin Smith, Jose A. Guasch, and Pedro Andujar exploits CVE-2015-5531
- HTTP Host Header Injection Detection by Jay Turla and Medz Barao