Security researchers have disclosed a new zero-day in Apple's macOS Finder that allows attackers to execute arbitrary commands on Macs running any version of macOS up to the latest release, Big Sur.
The zero-day bug, discovered by independent security researcher Park Minchan, stems from the way macOS processes .inetloc files, which inadvertently causes it to execute any commands embedded by an attacker without warnings or prompts.
In macOS, Internet location files with the .inetloc extension are system-wide bookmarks that can be used to open web resources (news://, ftp://, afp://) or local files (file://).
"A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands," says an advisory SSD Secure Disclosure published today.
"These files can be embedded in emails and, if the user clicks on them, will execute the commands embedded in them without providing a prompt or warning to the user."
While Apple silently fixed the issue without assigning a CVE identifier, as Minchan later discovered, Apple's patch only partially addressed the flaw, since it can still be exploited by changing the protocol used to execute the embedded commands from file:// to the mixed-case FiLe://.
"We have notified Apple that FiLe:// does not appear to have been blocked, but we have not received any response since the report was made. As far as we know, the vulnerability has not been fixed at this time."
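As an added illustration of the case-sensitivity gap described above (this is not code from the advisory or from Apple), the following Python snippet parses a constructed .inetloc property list and shows how a check that compares the URL scheme case-sensitively misses the mixed-case variant, while a check that normalises the scheme catches it. The sample file contents, the harmless local path and the helper names are assumptions.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample .inetloc contents: an XML property list whose "URL" key
# holds the bookmark target. The path is a harmless placeholder, not the
# advisory's proof of concept.
SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>FiLe:///tmp/example.txt</string>
</dict>
</plist>
"""


def inetloc_url(data: bytes) -> str:
    """Return the URL stored in a .inetloc plist (XML or binary form)."""
    return plistlib.loads(data).get("URL", "")


def naive_is_local_file(url: str) -> bool:
    """Case-sensitive prefix test: the kind of check FiLe:// slips past."""
    return url.startswith("file://")


def is_local_file(url: str) -> bool:
    """URL schemes are case-insensitive (RFC 3986), so normalise before
    comparing; urlsplit already lowercases the scheme, .lower() is belt and
    braces."""
    return urlsplit(url).scheme.lower() == "file"


def triage(data: bytes) -> dict:
    """Summarise a .inetloc attachment for review: the target URL and whether
    it points at a local file under either check."""
    url = inetloc_url(data)
    return {
        "url": url,
        "flagged_naive": naive_is_local_file(url),
        "flagged": is_local_file(url),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_INETLOC))
```

Run against a mailbox's .inetloc attachments, the `flagged` column is the one to act on; `flagged_naive` is kept only to show what a case-sensitive filter misses.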
Although the researcher did not provide details on how attackers might abuse this bug, it could potentially be used in malicious email attachments to launch a bundled or remote payload when opened.
A .inetloc file containing the PoC code was not detected by any of the antimalware engines on VirusTotal, which means that macOS users targeted by threats using this attack method are not protected by security software.