Cybersecurity researchers on Tuesday disclosed details of an unpatched zero-day vulnerability in macOS Finder that could be abused by remote adversaries to trick users into running arbitrary commands on their machines.
"A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands; these files can be embedded inside emails which, if the user clicks on them, will execute the commands embedded inside them without providing a prompt or warning to the user," SSD Secure Disclosure said in a write-up published today.
Park Minchan, an independent security researcher, has been credited with reporting the vulnerability which affects macOS versions of Big Sur and prior.
The weakness arises from the way macOS processes INETLOC files — shortcuts that open internet locations such as RSS feeds, Telnet connections, other online resources, or local files — resulting in a scenario in which commands embedded in those files are executed without any warning.
"The case here INETLOC is referring to a 'file://' protocol which allows running locally (on the user's computer) stored files," SSD said. "If the INETLOC file is attached to an email, clicking on the attachment will trigger the vulnerability without warning."
Although newer versions of macOS have blocked the 'file://' prefix, the flaw can still be exploited by changing the capitalization of the scheme to 'File://' or 'fIle://', which slips past the check because the comparison is case-sensitive. URL schemes are case-insensitive by specification (RFC 3986), so any filter that matches the literal string 'file://' rather than the normalized scheme is trivially bypassed. We have reached out to Apple, and we will update the story if we hear back.
"Newer versions of macOS (from Big Sur) have blocked the 'file://' prefix (in the com.apple.generic-internet-location) however they did a case matching causing 'File://' or 'fIle://' to bypass the check," the advisory said. "We have notified Apple that 'FiLe://' (just mangling the value) doesn't appear to be blocked, but have not received any response from them since the report has been made. As far as we know, at the moment, the vulnerability has not been patched."
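The advisory describes a check that matches the literal prefix 'file://' and is therefore bypassed by 'File://' or 'fIle://'. The script below is an added example, not code from SSD, Park Minchan, or Apple: it builds constructed INETLOC-style property lists (the format is assumed to be an XML plist with a top-level "URL" key, which mirrors Apple's .webloc shortcut files but is not confirmed by the advisory), then runs each URL through a model of the case-sensitive prefix check beside a hardened check that normalizes the parsed scheme and an allowlist variant that only admits remote schemes.

```python
import plistlib
from urllib.parse import urlparse

# Schemes a shortcut file could legitimately open. Allowlisting is the
# safer design because it does not depend on enumerating every local scheme.
ALLOWED_REMOTE_SCHEMES = {"http", "https", "ftp", "feed", "telnet"}


def make_inetloc(url: str) -> bytes:
    """Build a constructed INETLOC-style plist body (assumed structure)."""
    return plistlib.dumps({"URL": url})


# Constructed samples: the target path is illustrative, not from the advisory.
SAMPLES = {
    "plain":      make_inetloc("file:///Applications/Calculator.app"),
    "mixed_case": make_inetloc("File:///Applications/Calculator.app"),
    "mangled":    make_inetloc("fIle:///Applications/Calculator.app"),
    "no_slashes": make_inetloc("file:/Applications/Calculator.app"),
    "https":      make_inetloc("https://example.com/feed.rss"),
}


def extract_url(data: bytes) -> str:
    """Parse the plist and pull out the URL string the shortcut would open."""
    return plistlib.loads(data)["URL"]


def blocked_case_sensitive(url: str) -> bool:
    """Model of the check the advisory describes: exact prefix match only.

    'File://' and 'fIle://' do not start with 'file://', so they pass.
    """
    return url.startswith("file://")


def blocked_hardened(url: str) -> bool:
    """Denylist on the parsed, lower-cased scheme.

    RFC 3986 makes schemes case-insensitive, so compare the normalized
    scheme rather than the raw prefix. This also catches 'file:/path',
    which has no '//' and would not match a prefix test either.
    """
    return urlparse(url).scheme.lower() == "file"


def allowed_by_allowlist(url: str) -> bool:
    """Only let through schemes that reach a remote resource."""
    return urlparse(url).scheme.lower() in ALLOWED_REMOTE_SCHEMES


def evaluate(samples: dict) -> dict:
    """Return {name: (prefix_check_blocks, hardened_check_blocks, allowlist_allows)}."""
    results = {}
    for name, data in samples.items():
        url = extract_url(data)
        results[name] = (
            blocked_case_sensitive(url),
            blocked_hardened(url),
            allowed_by_allowlist(url),
        )
    return results


if __name__ == "__main__":
    for name, (prefix, hardened, allowed) in evaluate(SAMPLES).items():
        print(f"{name:11} prefix_blocks={prefix!s:5} "
              f"hardened_blocks={hardened!s:5} allowlist_allows={allowed}")
```

Running it shows the prefix check blocking only the all-lowercase sample while the hardened and allowlist checks treat every 'file' variant the same; the allowlist is the stronger option because it fails closed for any scheme the author did not anticipate.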