Automatically Unzipping Files with Safari Can Leave Macs Open to Malware

Mac users had it easy for a long time. Since there weren’t that many people who owned Macs, nefarious individuals who wrote malware and other malicious software didn’t bother to write it for Macs. They got more bang for their buck hacking Windows.

However, more people have Macs now than before. This means there’s an increased chance of having your Mac hacked. And because of an exploit with Safari, hackers can do it very easily if you download files that need to be unzipped. This Safari exploit leaves Macs open to malware.

Safari Exploit

Security researcher Patrick Wardle demonstrated how Macs can be remotely infected with malicious software. It’s a matter of using Safari to visit a malicious website and downloading an infected file which will leave the door open to hackers installing malware on the Mac.

“Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application,” explained Wardle. “If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it’s wise to automatically open ‘safe’ files.”


“This fact is paramount,” he continued, “as it means the malicious application (vs. just a compressed zip archive) will now be on the user’s filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!”

That same malicious website can then run code that will cause macOS to launch the malicious application on the user’s Mac. A popup will ask the user if they want to “Allow” or “Cancel” this process.

But looks can be deceiving. It looks like an ordinary popup, but this is a popup that is being controlled by the hacker. Clicking “Allow” may be allowing the hacker to infect the user’s Mac with malware.

Shortcomings of macOS

Apple adds built-in defenses to macOS to protect against attacks like this. However, these defenses can’t help in the case of this attack done through .zip files on Safari. Apple would have to change the way Safari manages document and URL handlers. They could revoke the certificate for a malicious app, but it’s too late to even bother after it’s been installed.


However, that doesn’t mean you are left with absolutely zero protection. You just have to change a setting in Preferences. Hackers are assuming you want to make things as easy as possible and will choose to always automatically download safe files.

If the option to “Open ‘safe’ files after downloading” is checked, uncheck it. This means Safari won’t automatically open files that it believes are safe, but that’s a much better option than ending up with malware on your Mac.


The hackers are also assuming you are using Safari. You can always opt to use a different browser. But that opens up another whole can of worms we’re not going to get into here. Browser wars can be tackled at another time. And there may be exploits with the other browsers as well. You may be just exchanging one problem for another.

For now just be aware that if you use Safari on your Mac, that you’re leaving your Mac open to malware if you choose to have Safari automatically open downloaded files.

Do you use Safari on your Mac? What do you think of this exploit? Will you just make this change in the settings, or will you opt to use a different browser? Let us know how you will take care of this problem and keep your Mac safe by adding a comment below.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox