macOS fsck_msdos tool

Details have emerged about one of the vulnerabilities patched by Apple in macOS on October 31, with the release of macOS High Sierra 10.13.1, Sierra 10.12.6, and El Capitan 10.11.6.

The vulnerability affects fsck_msdos, a system tool that Apple includes in macOS to check and fix errors on storage devices formatted with the FAT filesystem.

This tool runs automatically whenever users connect a FAT-formatted USB or SD storage device to their Mac.

Bug allows for USB plug-n-hack attacks

"The vulnerability allows arbitrary code to be executed with system-level privileges, which potentially lets a malicious device (such as the mentioned flash disks or SD cards) take over the entire system when the said device is inserted into the vulnerable system," said Veo Zhang, a security researcher working on Trend Micro's mobile threats analysis team, and the one who discovered the issue.

As Veo explains, the bug is caused by a piece of code that fails to increase the value of a variable, resulting in a "-1" value that causes memory corruption.
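The following C sketch is an added illustration of that bug class and is not code from fsck_msdos or from the researcher's report. The record format, the names (`parse_unsafe`, `parse_checked`, `neighbour_after`) and the sample input are hypothetical and constructed for the example. It shows an index that is still -1 when used for a store, next to a form that validates the index first.

```c
#include <stdio.h>
#include <string.h>
#define NSLOTS 4
struct rec { unsigned char kind, value; };   /* constructed record format */
/* arena[0] stands in for the byte just before parts[] (arena[1..NSLOTS]) */
struct state { unsigned char arena[1 + NSLOTS]; };

/* "Before" form: slot is only increased by a 'C' record. If the input
 * opens with a 'D' record, slot is still -1 when it is used as an index. */
void parse_unsafe(struct state *s, const struct rec *r, size_t n) {
    unsigned char *parts = s->arena + 1;
    int slot = -1;
    for (size_t i = 0; i < n; i++) {
        if (r[i].kind != 'C')
            parts[slot] = r[i].value;        /* parts[-1] when slot == -1 */
        else if (slot < NSLOTS - 1)
            slot++;
    }
}

/* Hardened form: the medium is untrusted, so the index is validated
 * before every store. Returns 0 on success, -1 on a malformed sequence. */
int parse_checked(struct state *s, const struct rec *r, size_t n) {
    unsigned char *parts = s->arena + 1;
    int slot = -1;
    for (size_t i = 0; i < n; i++) {
        if (r[i].kind == 'C') {
            if (slot >= NSLOTS - 1) return -1;
            slot++;
        } else {
            if (slot < 0) return -1;         /* never increased: reject */
            parts[slot] = r[i].value;
        }
    }
    return 0;
}

/* Parse a constructed input that omits the 'C' record and return the
 * neighbouring byte afterwards (0xEE means it was left untouched). */
int neighbour_after(int checked) {
    const struct rec bad[] = { {'D', 0x41} };
    struct state s = { { 0xEE } };
    if (checked) parse_checked(&s, bad, 1); else parse_unsafe(&s, bad, 1);
    return s.arena[0];
}

int main(void) {
    printf("unsafe:  neighbour byte 0x%02X\n", neighbour_after(0));
    printf("checked: neighbour byte 0x%02X\n", neighbour_after(1));
    return 0;
}
```

The neighbouring byte sits in the same array as the buffer only so the stray store is observable without undefined behaviour; in a real parser the byte before the buffer belongs to some other object.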

Attackers can create malicious USB thumb drives that cause this memory corruption on purpose and use it to execute malicious code on macOS devices just by plugging the USB drive into one of the Mac's ports.

Because fsck_msdos reads the USB device automatically, the malicious code runs without user interaction and in the context of the fsck_msdos tool, which is system-level because fsck_msdos is a system utility.

Other operating systems are also affected

Surprisingly, Veo found the bug (CVE-2017-13811) while searching for bugs in Android's source code. The fsck_msdos utility is shared by many *NIX-based operating systems, such as Linux, Android, and BSD-based systems.

Veo said he reached out to other vendors, but none except the Android team has responded. Android maintainers said they don't plan to fix the issue because "fsck_msdos runs under a very restricted SELinux domain," and it wouldn't be able to do any damage.

The researcher said he is not aware of, or does not believe there was, any use of this vulnerability in the wild before his disclosure. Veo published a report on this flaw today, and this might change in the future.

It should go without saying that users should update to one of the three macOS versions where this bug has received a fix.