Microsoft has patched a security vulnerability in its Remote Desktop app for Mac that allowed attackers to execute arbitrary code on a computer.
Specifically, the Microsoft Remote Desktop client for Mac was affected by a remote code execution flaw present in version 8.0.36 and older, which made it possible for attackers to send commands to a machine they had previously compromised with the help of a malicious link.
The link can be delivered to the target system in many ways, such as email or instant messaging, and once clicked it makes the system easily accessible from a Terminal Server that can then read and write any file in the home directory of the logged-in user.
Bug report in July last year
The vulnerability was discovered by Italian security researcher Filippo Cavallarin, who said that Microsoft needed quite some time to patch the flaw. The report was submitted to the company on July 13, 2016, but a fix only landed on January 17 this year.
“The vulnerability exists due to the way the application handles rdp urls. In the rdp url schema it’s possible to specify a parameter that will make the user’s home directory accessible to the server without any warning or confirmation request. If an attacker can trick a user to open a malicious rdp url, he/she can read and write any file within the victim’s home directory,” the security advisory reveals.
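The advisory's point is that an rdp URL can carry settings that redirect local resources to the remote server without the client asking the user. The following Python script is an added defensive example, not code from the article, the advisory or Microsoft: it parses an rdp:// URL into its settings, flags any redirection-style setting that would expose local resources to the server, and checks a client version against the fixed release the article names (8.0.37). The URL layout (rdp://key=type:value&key=type:value) and the sample URLs are assumptions constructed for the example; the article does not state which parameter the Mac client honoured, so the check matches on any setting whose name contains "redirect", using drivestoredirect (the standard .rdp-file name for drive redirection) only in the sample input.

```python
"""Added defensive example: inspect rdp:// URLs and client versions for the
conditions the article describes. Not the advisory's or Microsoft's code."""
from urllib.parse import unquote

# The article names 8.0.37 as the fixed release; 8.0.36 and older are affected.
FIXED_VERSION = (8, 0, 37)


def parse_rdp_url(url: str) -> dict:
    """Parse an rdp:// URL laid out as rdp://key=type:value&key=type:value.

    This layout is an assumption for the example; the article only says that
    parameters are carried in the URL. Keys are percent-decoded and lowercased,
    values are returned raw (e.g. 's:*', 'i:2').
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "rdp":
        raise ValueError("not an rdp:// URL: %r" % url)
    params = {}
    for pair in rest.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key).strip().lower()] = unquote(value)
    return params


def redirection_settings(params: dict) -> dict:
    """Return the settings that would expose local resources to the server.

    Any key containing 'redirect' is treated as a redirection setting
    (assumption: the article does not name the offending parameter). Values
    that clearly disable redirection ('i:0' or an empty 's:' list) are skipped.
    """
    hits = {}
    for key, value in params.items():
        if "redirect" not in key:
            continue
        type_tag, _, payload = value.partition(":")
        payload = payload.strip()
        if type_tag == "i" and payload == "0":
            continue          # integer flag explicitly off
        if type_tag == "s" and payload == "":
            continue          # empty drive/device list, nothing redirected
        hits[key] = value
    return hits


def is_vulnerable_version(version: str) -> bool:
    """True when a dotted client version is older than the fixed release."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_VERSION


def assess(url: str, client_version: str) -> dict:
    """Combine the URL and version checks into one verdict for a link."""
    params = parse_rdp_url(url)
    exposed = redirection_settings(params)
    return {
        "host": params.get("full address", "<unspecified>"),
        "exposes_local_resources": bool(exposed),
        "redirection_settings": exposed,
        "client_vulnerable": is_vulnerable_version(client_version),
    }


# Constructed sample links (not from the article). 'full address' is the
# standard .rdp-file setting for the target host; the second link also asks
# for every local drive to be redirected to the server.
SAFE_URL = "rdp://full%20address=s:rdp.example.test:3389&screen%20mode%20id=i:2"
RISKY_URL = "rdp://full%20address=s:rdp.example.test:3389&drivestoredirect=s:*"
DISABLED_URL = "rdp://full%20address=s:rdp.example.test:3389&redirectclipboard=i:0"

if __name__ == "__main__":
    for label, link in (("safe", SAFE_URL), ("risky", RISKY_URL), ("disabled", DISABLED_URL)):
        print(label, assess(link, "8.0.36"))
```

A mail or chat gateway could run assess() over every rdp:// link it sees and quarantine those where exposes_local_resources is true; the version check is what an endpoint inventory would use to find clients still below 8.0.37.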
Apple has also released a security update for its own Safari browser that prevents a successful exploit from happening, explaining in the release notes of the new version that “this update fixes an issue where a website could repeatedly attempt to launch other websites or applications.”
Users of Microsoft’s Remote Desktop client for Mac are advised to update to the latest version (8.0.37) as soon as possible, and also to install Apple’s patch if they use Safari rather than a third-party browser on their systems.