A zero-day vulnerability in macOS affecting Big Sur and prior versions has been discovered. The bug resides in macOS Finder and could allow a remote attacker to trick users into running arbitrary commands. Apparently, there is still no patch for the issue, which was discovered by independent security researcher Park Minchan and reported to the SSD Secure Disclosure program.
macOS Finder System Zero-Day Explained
The vulnerability stems from the way Apple's operating system processes inetloc files: it runs commands embedded inside them. According to the advisory, the commands it runs can be local to the macOS system, allowing the execution of arbitrary commands by the user without any warning or prompts.
These files are originally shortcuts to an internet location, such as an RSS feed or a telnet location. They contain the server address and possibly a username and password for SSH and telnet connections, and can be created by typing a URL in a text editor and dragging the text to the desktop.
“If the inetloc file is attached to an email, clicking on the attachment will trigger the vulnerability without warning,” the advisory pointed out. “Newer versions of macOS (from Big Sur) have blocked the file:// prefix (in the com.apple.generic-internet-location) however they did a case matching causing File:// or fIle:// to bypass the check,” the researchers added.
The researchers have notified Apple but have received no response so far. It appears the vulnerability has not been patched yet.
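The case-matching flaw the advisory describes, as an added illustration (not code from the advisory or from Apple): a case-sensitive `file://` prefix test beside a hardened check that parses the URL scheme and compares it case-insensitively, run over constructed .inetloc bodies. The scheme allowlist is an assumed policy, not Apple's list.

```python
import plistlib
import re

# Constructed .inetloc bodies (XML plists carrying a URL key) used as test input;
# they are not files from the advisory.
SAMPLE_INETLOC = {
    "feed.inetloc": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>URL</key><string>https://example.com/feed.xml</string>
</dict></plist>""",
    "lower.inetloc": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>URL</key><string>file:///tmp/placeholder</string>
</dict></plist>""",
    "mixed.inetloc": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>URL</key><string>File:///tmp/placeholder</string>
</dict></plist>""",
}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Schemes an inetloc shortcut is expected to carry (assumed policy, not Apple's list).
ALLOWED_SCHEMES = {"http", "https", "ftp", "ssh", "telnet", "feed"}


def naive_blocks(url: str) -> bool:
    """Case-sensitive prefix test, mirroring the flawed check the advisory
    describes: 'file://' is blocked, but 'File://' or 'fIle://' slips through."""
    return url.startswith("file://")


def hardened_blocks(url: str) -> bool:
    """Parse the scheme, lower-case it (schemes are case-insensitive), and
    block anything not on the allowlist, including a missing scheme."""
    m = SCHEME_RE.match(url.strip())
    return m is None or m.group(1).lower() not in ALLOWED_SCHEMES


def url_of(inetloc_bytes: bytes) -> str:
    """Pull the URL string out of an inetloc plist; a missing key yields ''."""
    return str(plistlib.loads(inetloc_bytes).get("URL", ""))


def scan(samples: dict) -> dict:
    """Per file, report whether each policy would block it."""
    return {name: {"naive": naive_blocks(url_of(body)),
                   "hardened": hardened_blocks(url_of(body))}
            for name, body in samples.items()}
```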
Previous Apple Zero-Days
Earlier this month, another scary zero-day, zero-click vulnerability affecting all types of Apple devices, including Macs, iPhones, iPads, and Apple Watches (watchOS), was reported. The flaw has been called FORCEDENTRY. More specifically, it is a zero-click exploit against iMessage, targeting Apple's image-rendering library.
In April 2021, Apple fixed another zero-day that could bypass the operating system’s anti-malware protections. A variant of the well-known Shlayer malware was detected exploiting the flaw.