Zero-day flaw allows remote code execution even on fully-patched Macs

nanoguy

A hot potato: A security researcher found that Apple has only partially fixed a security flaw affecting all versions of macOS. The company tried to fix the problem silently but failed to do so, leaving millions of Macs vulnerable to remote code execution without any warning or prompt.

Apple has been doing a good job of patching various macOS security vulnerabilities as of late, but there's at least one that is proving harder to fix than the Cupertino giant had anticipated.

According to independent researcher Park Minchan, the zero-day flaw is present in all versions of macOS -- including macOS Big Sur -- and allows a malicious actor to execute arbitrary code remotely with the help of some simple files embedded in emails received via Apple Mail or any other email app.

Minchan says this is possible due to a bug in how macOS handles Internet location (inetloc) files which causes it to run any commands embedded inside. Normally, these are system-wide bookmarks used to open online resources or local files, but in this case, they can be leveraged by an attacker to execute malicious code without any warning or prompts being shown to the user on the target Mac.

This can be done by changing the prefacing link in an inetloc file with "file://," and all it takes to perform the exploit is one click from the user. Apple did try to patch the flaw on macOS Big Sur, but it did so silently without assigning it a CVE and overlooked the fact that using "File://" or "fIle://" (simply mangling the value) can work just as well as "file://."

Minchan notified the company about the issue but has yet to hear back. In the meantime, the only thing you can do is to refrain from opening email attachments that have the "inetloc" extension.

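The case-variant gap described in the story, seen from the mail-filtering side, as an added example that is not code from the article, the researcher or Apple: a case-sensitive prefix test misses "FiLe://", while comparing the normalised scheme catches every spelling. It assumes an inetloc file is a property list whose target sits under a `URL` key; the sample attachments and placeholder paths are constructed.

```python
import plistlib
from urllib.parse import urlsplit

LOCAL_SCHEMES = {"file"}  # schemes that point at local resources (example policy)


def naive_is_local(url: str) -> bool:
    """Case-sensitive prefix test: the incomplete kind of check the story describes."""
    return url.startswith("file://")


def is_local(url: str) -> bool:
    """URL schemes are case-insensitive, so normalise before comparing."""
    return urlsplit(url.strip()).scheme.lower() in LOCAL_SCHEMES


def inspect_inetloc(data: bytes) -> dict:
    """Return the embedded URL and both verdicts for one attachment body."""
    try:
        plist = plistlib.loads(data)
        url = plist["URL"]  # assumed key name for the bookmark target
        if not isinstance(url, str):
            raise TypeError("URL is not a string")
    except Exception:
        # Fail closed: anything unparseable is held for review.
        return {"url": None, "naive_flag": False, "flag": True}
    return {"url": url, "naive_flag": naive_is_local(url), "flag": is_local(url)}


# Constructed sample attachments; the paths are placeholders.
SAMPLES = {
    "bookmark.inetloc": plistlib.dumps({"URL": "https://example.com/"}),
    "lower.inetloc": plistlib.dumps({"URL": "file:///PLACEHOLDER/path"}),
    "mixed.inetloc": plistlib.dumps({"URL": "FiLe:///PLACEHOLDER/path"}),
    "broken.inetloc": b"not a plist",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_inetloc(body))
```
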

 

kiwigraeme

So much for being safer than Windows...
I could be wrong - but a lot of Apple hacking is very targeted - to certain individuals.

Given that you want apps to have enough security to be safe on a hacked machine - hopefully a simple quantum chip comes soon - that will just be used for security to establish data has not been viewed or tampered with.
I'm always amazed that most banking fraud is via social engineering - given that 50% of the public have no idea how to protect their PCs and do dubious stuff.

It's amazing we have never seen a huge bank skimming virus in the wild - well, not to my knowledge - with articles every month screaming this Intel or AMD or MS, Cisco is vulnerable.
I mean most people install Windows online - may take 3 hours to get all protections up - yet it seems to go just fine - maybe those crappy routers/modems are doing their jobs - I don't know