An independent security researcher found a bug in Apple's macOS that lets an attacker execute arbitrary commands on a victim's machine by way of a specially crafted file.
This zero-day vulnerability affects all macOS versions up to and including the latest, Big Sur. SSD Secure Disclosure, to whom the bug was reported, explained how it works:
A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands. These files can be embedded inside emails which, if the user clicks on them, will execute the commands embedded inside them without providing a prompt or warning to the user.
The vulnerability lies in the way macOS handles shortcuts to internet locations such as RSS feeds. These shortcuts are stored as inetloc files, and Finder will happily open whatever an inetloc file points to. So when an inetloc file arrives as an email attachment and is double-clicked, macOS launches the target it references without any warning or prompt.
The trick is that an inetloc file is normally expected to point at a remote URL such as https://, but nothing stopped it from pointing at a file:// URL instead. file:// refers to locally stored files, so a malicious inetloc can point at a local executable (or anything else Finder knows how to launch) and have it run when the shortcut is opened.
Apple's macOS Fix
Apple patched this vulnerability by blocking URLs that begin with the file:// prefix. Simple enough, but it turned out to be only a partial fix: the check is case-sensitive, while URL scheme names are case-insensitive by specification (RFC 3986), so the operating system still treats the variants as file URLs. Tests by other researchers showed that File://, FiLe:// or fIle:// all slip past the check and still trigger the bug. A literal string comparison on the prefix was never a sound fix; the scheme has to be parsed and normalised (lower-cased) before it is compared.
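To make the bypass concrete, here is an added example (not code from the article, the researchers or Apple) that parses inetloc files and shows why a case-sensitive prefix check is insufficient. The sample files are constructed here with plistlib; an inetloc file is an XML property list whose URL key holds the target, which matches the public proof of concept, though the exact paths used below are made up for illustration. `naive_check` stands in for a prefix comparison of the kind the partial fix is described as using, and `robust_check` parses the scheme and lower-cases it before comparing, which is the check that actually closes the hole.

```python
import plistlib
import re
from urllib.parse import urlsplit


def make_inetloc(url: str) -> bytes:
    """Build a minimal .inetloc file (XML plist with a single URL key).
    Constructed sample data for this example, not a real attachment."""
    return plistlib.dumps({"URL": url})


def naive_check(url: str) -> bool:
    """A literal, case-sensitive prefix match: the kind of block the article
    describes as Apple's partial fix. Misses File://, FiLe://, fIle:// ..."""
    return url.startswith("file://")


def robust_check(url: str) -> bool:
    """Parse the scheme and compare it case-insensitively.
    urlsplit() already lower-cases the scheme per RFC 3986."""
    return urlsplit(url.strip()).scheme == "file"


def local_target(url: str) -> str:
    """For a file URL, recover the local path being pointed at, collapsing the
    run of leading slashes that the proof-of-concept style URLs use."""
    parts = urlsplit(url.strip())
    return re.sub(r"^/+", "/", parts.path)


def scan_inetloc(data: bytes) -> dict:
    """Parse one .inetloc file and report how each check classifies it."""
    plist = plistlib.loads(data)
    url = str(plist.get("URL", ""))
    return {
        "url": url,
        "scheme": urlsplit(url.strip()).scheme,
        "blocked_by_prefix_check": naive_check(url),
        "blocked_by_scheme_check": robust_check(url),
        "local_target": local_target(url) if robust_check(url) else None,
    }


# Constructed sample targets: one benign RSS feed shortcut, one plain file://
# shortcut, and two mixed-case variants of the kind that bypassed the fix.
SAMPLE_URLS = [
    "https://example.com/feed.rss",
    "file:///Applications/Calculator.app",
    "FiLe:////////////////System/Applications/Calculator.app",
    "fIle:///Applications/Calculator.app",
]


def scan_samples() -> list:
    return [scan_inetloc(make_inetloc(u)) for u in SAMPLE_URLS]


if __name__ == "__main__":
    for result in scan_samples():
        print(result)
```

Run as a script, the first sample passes both checks, the plain file:// sample is caught by both, and the two mixed-case samples are caught only by the scheme-parsing check, which is exactly the gap the researchers reported. A mail gateway or endpoint script that inspects .inetloc attachments should use the second form.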
Researchers who have tested the vulnerability note that it can be used to run arbitrary, and therefore potentially very damaging, code on macOS. There have been no reports of it being exploited in the wild, but that is not the same as saying there are no victims.
The vulnerability has yet to be fully patched, and Apple has not responded to enquiries on the issue. It has not been a good month for Apple: earlier this month the iPhone had vulnerabilities of its own exposed. Google, for its part, announced that Chrome had reached its eleventh patched zero-day vulnerability of the year.
For macOS users the age-old advice still applies: be extra careful with email attachments. Avoid opening attachments at all if you can help it, even from trusted contacts, who may not know that the file they sent you carries malicious code.