A zero-day security vulnerability in Apple’s macOS Finder system could allow remote attackers to trick users into running arbitrary commands, according to researchers & a silent patch hasn’t fixed it.
All a user has to do is click on an email attachment, & the code is ‘silently’ executed without the victim being aware. It affects Big Sur & prior versions of macOS.
Default File Manager
For non-Apple users, the macOS Finder is the default file manager & GUI front-end used on all Macintosh operating systems. It’s the 1st thing users see upon booting, & it governs the launching of other applications & the overall user management of files, disks & network volumes. It’s the top application for everything else on the Mac.
Says an SSD Secure Disclosure advisory this week, the vulnerability exists in the way macOS Finder handles .Inetloc files.
Inetloc files are Apple-specific, & function as shortcuts to internet locations, such as an RSS feed or a telnet location; or they can be used to open documents locally on someone’s Mac within a browser using the “file://” format (in place of http://). It’s the latter function that’s at issue with the zero day, researchers stated.
Exploit Situation
In an exploit situation for the bug, the .Inetloc files can be specially adjusted to contain embedded commands. The changed files can then be attached to (or linked in) malicious emails, researchers added, & if users are socially engineered into clicking on them, those commands embedded inside automatically execute in stealth mode, with no alert or prompt given to victims.
“A vulnerability in the way macOS processes .Inetloc files causes it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning/prompts,” according to the advisory.
It’s a simple exploitation scenario – as demoed in an SSD video included in the alert.
Reported the Vulnerability
Independent security researcher Park Minchan reported the vulnerability to SSD, noting that the bug affects the macOS Big Sur edition & all those prior to it. In response, Apple chose not to issue a CVE & instead silently patched the issue. However, the fix was botched, researchers observed.
“The vendor has notified us that file:// [function] has been silently patched,” the advisory explained. However, researchers added that the bug can still be exploited by using a mangled value, like FiLe:// in the file’s execution routine.
Newer Versions
“Newer versions of macOS (from Big Sur) have blocked the file:// prefix…however they did case-matching causing File:// or fIle:// to bypass the check,” they explained.
“We…have not received any response from them since the report has been made,” according to the advisory. “As far as we know, at the moment, the vulnerability has not been patched.”
There’s no information on whether it’s been exploited in the wild, & Apple did not immediately return a request for comment.
Zero-Day Flaw
The company has had its share of zero days this year. In May, it patched a critical bug in macOS that could be exploited to take screenshots of someone’s computer & to capture images of their activity within applications or on videoconferences without that person knowing.
In July, it patched an actively exploited zero-day flaw in both its iOS and macOS platforms that could allow attackers to take over an affected system.
Earlier this month, it rushed an emergency patch for the “ForcedEntry” zero-click zero-day, which was being exploited by NSO Group to install spyware.
