Microsoft has patched a code execution hole in its Mac remote desktop client that grants read and write to home directories if users do no more than click a link, says Italian security researcher Filippo Cavallarin.
The hole was patched 17 January.
Cavallarin says the flaw allowed remote attackers to execute arbitrary code on vulnerable machines if users did not more than click phishing links.
From there, attackers would gain read and write access to Mac home directories.
"Microsoft Remote Desktop Client for Mac OS X allows a malicious terminal server to read and write any file in the home directory of the connecting user," Cavallarin says.
"The vulnerability exists to the way the application handles rdp urls. In the rdp url schema it's possible to specify a parameter that will make the user's home directory accessible to the server without any warning or confirmation request.
"If an attacker can trick a user to open a malicious rdp url, they can read and write any file within the victim's home directory."
Mac OS X apps like Safari, Mail, and Messages by default open clicked rdp urls without confirmation.
This drastically shortens the attack chain of most phishing attacks which require users to be convinced by some form of narrative to open links and attachments, and again to fill out personal data and credentials into fake forms.
Cavallarin included a proof-of-concept with his disclosure, increasing the need for users to apply the Microsoft updates. ®