The good news is that Apple patched the flaw with the release of macOS 10.15 Catalina in October 2019, but it does serve as an important reminder to update any Macs you have that are running older versions of macOS.
Why is this important now? Because it highlights something people rarely consider when opening a text file: because of the way TextEdit handles text files, a file that looks like plain text can be made malicious.
In a recent blog post on the bug, which has been catalogued as CVE-2019-8761, security researcher Paulos Yibelo noted that Apple’s Gatekeeper did not flag the suspicious file, even when it had been downloaded from the web.
That’s because most antivirus and security products, he explained, treat text files as harmless: they are supposed to be inert strings of characters with no hidden attributes and no way of being executed as a program.
The wonders of TextEdit
However, TextEdit isn’t just a plain-text editor. It also opens Rich Text Format files (its default format), Word documents and HTML files (the basic building blocks of the web), and it renders them rather than showing their raw markup.
So Yibelo wondered what would happen if he put HTML markup in a text file and opened it with TextEdit.
Lo and behold, opening the HTML-containing text file in TextEdit was enough to render basic HTML and CSS and to load local resources, though it could not reach out to online services directly.
Reaching out to the internet
However, from there Yibelo found a way around that restriction. autofs, macOS’s automounter, mounts network file systems on demand when a path it manages is accessed, so referencing such a path from the HTML was enough to make the Mac send a mount request to a server on the internet.
Doing that reveals the Mac’s IP address to the owner of the domain being contacted, which in turn gives them a rough idea of the user’s location. Nothing in the open TextEdit window indicates that anything is going on behind the scenes.
Yibelo also found that text files could be engineered to list the contents of directories on the user’s Mac, including password directories. A listing that stays on the victim’s own screen discloses nothing to the attacker by itself, but Yibelo said the HTML could be abused so that the text file sends those details to a remote server.
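As an added example, not code from Yibelo’s write-up or from Apple, here is a small Python scanner that turns the observations above into a detection heuristic: it flags a supposedly plain-text file whose first bytes look like HTML and reports any automounter paths (under macOS’s /net/ directory, which autofs maps to remote hosts), local file references or resource-fetching tags it contains. The sample files and the hostname example.invalid are constructed for the demonstration, and the list of tags used to decide that a file "looks like HTML" is an assumption standing in for Apple’s real format-detection rule.

```python
"""Heuristic scanner for 'text' files that TextEdit would render as HTML.

Added example for this article; not code from Yibelo's write-up or from
Apple.  The sample inputs at the bottom are constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# TextEdit decides the document type from the content, not the .txt
# extension.  The tag list below is an assumption standing in for Apple's
# real detection rule; it is deliberately conservative.
HTML_START = re.compile(
    rb"^(?:\xef\xbb\xbf)?\s*<(?:!doctype\s+html|html|head|body|iframe|object|img|link|style)\b",
    re.I,
)

# /net/<host>/... is the macOS automounter's host directory (auto_master
# maps /net to -hosts).  Any access to it makes autofs try to mount an
# export from <host>, which is how the victim's IP address leaks.
AUTOFS_REF = re.compile(rb"/net/([A-Za-z0-9.\-]+)")

# References that point the renderer at local files or directories.
LOCAL_REF = re.compile(rb"(?:file://|(?:src|href|data)=[\"']?/)", re.I)

# Tags that pull in a resource when rendered.
FETCH_TAG = re.compile(rb"<(?:iframe|img|object|link|embed|script)\b", re.I)


@dataclass
class Finding:
    name: str
    renders_as_html: bool
    autofs_hosts: list = field(default_factory=list)
    local_refs: int = 0
    fetch_tags: int = 0

    @property
    def suspicious(self) -> bool:
        """HTML that is also trying to load something is what we care about."""
        return self.renders_as_html and bool(
            self.autofs_hosts or self.local_refs or self.fetch_tags
        )


def scan_bytes(name: str, data: bytes) -> Finding:
    """Classify one file's contents; only the head of the file decides the type."""
    hosts = sorted({h.decode("ascii", "replace") for h in AUTOFS_REF.findall(data)})
    return Finding(
        name=name,
        renders_as_html=HTML_START.match(data) is not None,
        autofs_hosts=hosts,
        local_refs=len(LOCAL_REF.findall(data)),
        fetch_tags=len(FETCH_TAG.findall(data)),
    )


def scan_file(path: str, limit: int = 1 << 20) -> Finding:
    """Scan a file on disk (reads at most `limit` bytes)."""
    with open(path, "rb") as fh:
        return scan_bytes(path, fh.read(limit))


# Constructed samples: an ordinary note, and a .txt that is really HTML
# using the tricks described in the article (a hidden autofs reference to
# leak the IP, plus a local directory reference).  example.invalid is a
# reserved name that never resolves.
SAMPLES = {
    "notes.txt": b"Meeting notes\n- ship the release\n- 3 < 5, obviously\n",
    "invoice.txt": (
        b"<!DOCTYPE html><html><body>Invoice attached below.\n"
        b'<iframe src="/net/example.invalid/share/x" style="display:none"></iframe>\n'
        b'<iframe src="file:///etc/"></iframe>\n'
        b"</body></html>\n"
    ),
}


def scan_samples() -> dict:
    """Run the scanner over the constructed samples, keyed by file name."""
    return {name: scan_bytes(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for f in scan_samples().values():
        verdict = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{f.name}: {verdict} html={f.renders_as_html} "
              f"autofs={f.autofs_hosts} local_refs={f.local_refs} fetch_tags={f.fetch_tags}")
```

Run it directly to see the two verdicts, or call scan_file on a mail attachment quarantine directory. The point of the split between renders_as_html and suspicious is that a harmless HTML file saved with a .txt name should not by itself trip an alert; what matters is HTML that also reaches for the automounter, the local disk or a remote resource.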
Chain of destruction
Yibelo told Vice Motherboard that chaining the TextEdit exploit with another exploit could do much more damage to a Mac’s security.
“And that’s basically gameover I believe!” Yibelo told Vice Motherboard.
The Safari flaw Yibelo referred to was patched by Apple in early 2017, but similar exploits might still be possible.
How to protect yourself
You probably haven’t heard of this bug before because Yibelo privately disclosed it to Apple in 2019, and Apple quietly patched it with the release of macOS 10.15 Catalina and the concurrent security updates for 10.14 Mojave and 10.13 High Sierra.
Apple investigates any claim before confirming it or releasing information about it. The security update notes Apple published after the fact do contain a reference to this vulnerability (just search the page for “Yibelo”).
While you are very unlikely to be materially affected by this flaw now, it’s worth bearing it in mind when you interact with seemingly harmless files online.
If you have any Macs running versions of macOS before Catalina, update them, or, if a more modern macOS isn’t an option, confirm that the corresponding security update has been applied.
Older versions of macOS are particularly common in businesses that rely on software that isn’t compatible with later releases. Employees there should remain especially wary of unexpected text files arriving by email, as those files can carry attacks like this one.