Apple's Latest MacOS Security Update Contained Fix for Plug-n-Hack USB Attack. Other OSs affected.

[LASER_oneXM]

Details have emerged about one of the vulnerabilities patched by Apple in macOS on October 31, with the release of macOS High Sierra 10.13.1, Sierra 10.12.6, and El Capitan 10.11.6.

The vulnerability affects fsck_msdos, system tool that Apple included in macOS to check and fix errors in storage devices formatted with the FAT filesystem.

This tool runs automatically whenever users connect a FAT-formatted USB or SD storage device to their Mac.

Bug allows for USB plug-n-hack attacks
"The vulnerability allows arbitrary code to be executed with system-level privileges, which potentially lets a malicious device (such as the mentioned flash disks or SD cards) take over the entire system when the said device is inserted into the vulnerable system," said Veo Zhang, a security researcher working on Trend Micro's mobile threats analysis team, and the one who discovered the issue.

Other operating systems are also affected

Surprisingly, Veo found the bug (CVE-2017-13811) while searching for bugs in Android's source code. The fsck_msdos utility is shared by many *NIX-based operating systems, such as Linux, Android, and BSD-based systems.

Veo said he reached out to other vendors but none except the Android team have responded. Android maintainers said they don't plan to fix the issue because "fsck_msdos runs under a very restricted SELinux domain," and it wouldn't be able to do any damage.

The researcher said he is not aware or does not believe that someone used this vulnerability in the wild before his disclosure. Veo published today a report on this flaw, and this might change in the future.

It should go without saying that users should update to one of the three macOS versions where this bug has received a fix.