25th April 2021, Kathmandu
Apple macOS TextEdit parsing flaw leaked local files via dangling markup injection
UPDATED A vulnerability in macOS allowed attackers to execute malicious HTML on TXT files which, if opened by victims, could leak its IP address and, worse, allow access to local files.
Now patched, the security flaw came from how TXT files were analyzed by TextEdit, Apple̵
7;s open-source application that opens TXT files by default.
Despite these developments – and the 2019 discovery of memory corruption bugs that led to RCE in Microsoft’s similar text editor, Notepad – antivirus software, firewalls, and macOS Gatekeeper treat TXT files “as secure downloads that can be malicious” because they allegedly contain only text, said security researcher Paulos Yibelo in a blog post.
“They should not blindly trust TXT files,” says the researcher The Daily Swig. Regardless of the file type, “what interprets the file and how it is interpreted means more than anything else.” TXT or another extension “can be harmful if PHP includes it as code,” he adds.