Zero-day flaw allows remote code execution even on fully-patched Macs
A security researcher found that Apple has only partially fixed a security flaw affecting all versions of macOS. The company tried to fix the problem silently but failed to do so, leaving millions of Macs vulnerable to remote code execution without any warning or prompt.
Apple has been doing a good job of patching various macOS security vulnerabilities as of late, but there’s at least one that is proving harder to fix than the Cupertino giant had anticipated.
According to independent researcher Park Minchan, the zero-day flaw is present in all versions of macOS — including macOS Big Sur — and allows a malicious actor to execute arbitrary code remotely with the help of some simple files embedded in emails received via Apple Mail or any other email app.
Minchan says this is possible due to a bug in how macOS handles Internet location (inetloc) files, which causes it to run any commands embedded inside. Normally, these are system-wide bookmarks used to open online resources or local files, but in this case, they can be leveraged by an attacker to execute malicious code without any warning or prompts being shown to the user on the target Mac.
This can be done by changing the URL prefix in an inetloc file to “file://”, and all it takes to trigger the exploit is one click from the user. Apple did try to patch the flaw on macOS Big Sur, but it did so silently, without assigning it a CVE, and overlooked the fact that “File://” or “fIle://” (simply changing the letter case of the prefix) can work just as well as “file://”.
Minchan notified the company about the issue but has yet to hear back. In the meantime, the only thing you can do is to refrain from opening email attachments that have the “inetloc” extension.
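The incomplete fix described above comes down to matching a URL prefix without normalising its letter case. As an added example (not code from Apple or the researcher), the following Python puts a case-sensitive prefix check beside a normalised scheme check for screening inetloc attachments; it assumes an inetloc file is a property list with a top-level URL key, and the function names and sample files are constructed for illustration.

```python
import plistlib

# Constructed sample attachments (placeholder paths, not real payloads).
SAMPLES = {
    "bookmark.inetloc": plistlib.dumps({"URL": "https://example.com/"}),
    "lower.inetloc": plistlib.dumps({"URL": "file:///constructed/placeholder"}),
    "mixed1.inetloc": plistlib.dumps({"URL": "File:///constructed/placeholder"}),
    "mixed2.inetloc": plistlib.dumps({"URL": "fIle:///constructed/placeholder"}),
    "garbage.inetloc": b"not a property list",
}

def naive_is_file_url(url: str) -> bool:
    """Weak check: case-sensitive prefix match, misses File:// and fIle://."""
    return url.startswith("file://")

def scheme_of(url: str) -> str:
    """Return the URL scheme lowercased (URL schemes are case-insensitive)."""
    head, sep, _ = url.strip().partition(":")
    return head.lower() if sep else ""

def read_url(data: bytes):
    """Extract the URL string from an inetloc plist; None if unreadable.
    Assumption: the file is a plist whose top-level dict has a 'URL' key."""
    try:
        doc = plistlib.loads(data)
    except Exception:
        return None
    url = doc.get("URL") if isinstance(doc, dict) else None
    return url if isinstance(url, str) else None

def classify(data: bytes) -> str:
    """Verdict for a mail gateway or attachment triage script."""
    url = read_url(data)
    if url is None:
        return "block-unparseable"  # fail closed on anything we cannot read
    if scheme_of(url) == "file":
        return "block-file-scheme"
    return "allow"

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        url = read_url(data) or ""
        print(f"{name:18} naive={naive_is_file_url(url)!s:5} verdict={classify(data)}")
```

The mixed-case samples pass the naive check but are blocked by the normalised one, which is the gap the article attributes to the silent patch.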