While critical bugs in software are never a good thing, in some ways they help draw together the tech community. When good-intentioned hackers (call them security researchers if you want) report and companies act quickly, results can be wide-ranging and lasting. That's according to Chris Evans, head of security at Dropbox.
Evans says Dropbox hired security research team Syndis to pen-test its defenses. The team uncovered three flaws in Apple's macOS. All three issues were reported, and Apple acted swiftly by patching the flaws in March.
Dropbox hired Syndis to act as a hacking group to simulate a security breach to see how the cloud storage company would handle it. Evans says the team was unable to find an entry point but was planning to “simulate the effects of a breach by just planting malware ourselves (discretely, of course, so as not to tip off the detection and response team).”
Instead, the team found some real-world vulnerabilities.
“However, we didn't have to simulate this breach. Our third-party partner, Syndis, found vulnerabilities in Apple software we use at Dropbox that didn't just affect our macOS fleet, it affected all Safari users running the latest version at the time—a so-called zero-day vulnerability),” explained Evans.
Flaws and Response
The three flaws in question were found in macOS 10.12.6 and included a bypass of the Gatekeeper anti-malware protections. If the vulnerabilities were linked, attackers could take control of a Mac by getting a target to visit a malicious website within Safari.
Evans says Apple acted quickly to deal with the issues, solving the problems “much better than the industry norm of ‘within 90 days'”.
Finally, Evans adds Dropbox is well-prepared for attacks:
“Even if an attacker breaks in and accesses various systems in our environments without triggering an alarm, we have extensive instrumentation to trace activity post-exploitation.”
“We know that we are targeted by adversaries that could develop and use zero-day exploits against us, and we need to protect ourselves accordingly,” wrote Evans. “The risk of getting hit with zero-day exploits is a reality of being connected to the internet, but detecting these is tricky. A powerful zero-day will always gain a foothold, so this was a test of our instrumentation for detecting and alerting on post-exploit activity.”