Apple's macOS Finder had a serious security vulnerability that could potentially allow a remote attacker to execute arbitrary commands. The iPhone maker apparently tried to patch the 0-Day “Inetloc” flaw without assigning an identifier but reportedly failed.
Security researchers have disclosed a new flaw inside Apple’s macOS Finder. The loophole allows attackers to run arbitrary commands on MacBook and Mac computers. Concerningly, the flaw seemingly resides in all the modern versions of macOS, including the latest Big Sur update.
Apple macOS Finder has a 0-Day Security Vulnerability in the way macOS handles files with the .inetloc extension:
Independent security researcher Park Minchan discovered a security flaw in the way macOS processes inetloc files. The flaw can allow any threat actor to easily run arbitrary commands remotely.
Shockingly, the flaw triggers no prompt or warning. However, the vulnerability does require user action on the target Apple computer running macOS.
High vulnerability in #Apple #macOS #Finder allows #inetloc files to execute commands without user consent. These files can be embedded inside email which will be executed without warning. #CyberNGO advises users to update their Apple macOS to latest available version.
— CyberNGO (@CyberNgo) September 22, 2021
Internet location files have “.inetloc” extensions. On macOS, these files are essentially system-wide bookmarks. In other words, they work across multiple tools and applications.
Files with .inetloc extensions guide users to online resources. Many web developers and even application creators use these extensions to send MacBook or Mac users to web platforms.
macOS is susceptible to running arbitrary code when a user opens a malicious .inetloc file, and Apple's first attempt to silently fix the issue failed (Sergiu Gatlan/BleepingComputer)
— Hari Dass (@ph7267) September 21, 2021
Depending on the URL a file carries, it may send users to remote resources (news://, ftp://, afp://) or even to local files (file://).
An SSD Secure Disclosure advisory published today mentions: “A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands. These files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user.”
Apple Inc. attempted to fix the .inetloc security vulnerability quietly, without assigning a CVE ID:
Vendors are expected to assign a CVE (Common Vulnerabilities and Exposures) identification number to a vulnerability. The CVE ID gives the security community a single reference for critical information and updates about that vulnerability.
“A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands.”
Time to patch (again). https://t.co/5gyyPH0PXB
— Paul Dokas (@pauldokas) September 22, 2021
The CVE ID also confirms if or when the security vulnerability is patched. Apple Inc., however, routinely attempts to address security threats and loopholes clandestinely.
Apple reportedly attempted to address this flaw without assigning a CVE ID, but the company only partially fixed it.
Unpatched macOS #vulnerability lets remote attackers execute code on your Mac via ".inetloc" internet shortcuts and email attachments. Big Sur users also at risk.
Disclosed by researcher Park Minchan via @SecuriTeam_SSD. https://t.co/bi2UxdVPa1
— Ax Sharma (@Ax_Sharma) September 22, 2021
Newer versions of macOS, starting with Big Sur, block the file:// prefix in URLs loaded from a file with the .inetloc extension. However, simply “mangling” the value defeats the mitigation.
Minchan reported that instead of “file”, attackers could simply use case-mangled variants such as “FiLe” or “fIle” to bypass the security patch.
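The bypass above is a textbook case of a filter comparing a URL scheme case-sensitively. The following Python snippet, added here as an illustration and not code from the article, Apple, or the advisory, places the weak check beside the hardened one and runs both over constructed .inetloc-style samples. It assumes an .inetloc file is an XML property list with a single "URL" key (a format assumption for this example); the helper names make_inetloc, naive_blocks, hardened_blocks and triage_all are hypothetical. A mail gateway or endpoint scanner triaging attachments would want the hardened form: parse the URL and compare the scheme after normalizing case, since URL schemes are case-insensitive under RFC 3986.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample bookmarks (name -> URL). The case-mangled "FiLe" variant is
# the one the article describes; the paths and hosts are made up for this example.
SAMPLES = {
    "docs.inetloc": "https://example.com/docs",            # ordinary web bookmark
    "share.inetloc": "afp://fileserver.example/share",     # remote resource, not a local file
    "local.inetloc": "file:///Users/Shared/report.pdf",    # local file: what the Big Sur mitigation blocks
    "mangled.inetloc": "FiLe:///Users/Shared/report.pdf",  # same target with a case-mangled scheme
}


def make_inetloc(url: str) -> bytes:
    """Build a constructed .inetloc-style payload: an XML plist carrying a URL key.
    Assumption for this example; real files may carry additional keys."""
    return plistlib.dumps({"URL": url})


def naive_blocks(url: str) -> bool:
    """Case-sensitive prefix check: the kind of filter a mangled scheme slips past."""
    return url.startswith("file://")


def hardened_blocks(url: str) -> bool:
    """Parse the URL and compare the scheme case-insensitively.
    urlsplit already lowercases the scheme; the explicit lower() documents the intent."""
    return urlsplit(url).scheme.lower() == "file"


def triage(name: str, data: bytes) -> dict:
    """Decode one bookmark and report how each check classifies its URL."""
    url = plistlib.loads(data).get("URL", "")
    return {
        "file": name,
        "url": url,
        "naive_blocked": naive_blocks(url),
        "hardened_blocked": hardened_blocks(url),
    }


def triage_all(samples: dict = SAMPLES) -> list:
    """Run the triage over every sample and return the rows for inspection."""
    return [triage(name, make_inetloc(url)) for name, url in samples.items()]


if __name__ == "__main__":
    for row in triage_all():
        verdict = "BLOCK" if row["hardened_blocked"] else "allow"
        print(f"{row['file']:<17} {verdict:<5} naive_blocked={row['naive_blocked']!s:<5} {row['url']}")
```

Running the block shows the naive check passing mangled.inetloc while the hardened check blocks it; the afp:// and https:// bookmarks are left alone by both, matching the article's description of what the mitigation targets.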
Apple users warned: Clicking this attachment will take over your macOS
“For example, opening an email that contains an inetloc attachment via the "Mail" app will trigger the vulnerability without warning.” https://t.co/tXcED0hApj
— Rey Bango (@reybango) September 22, 2021
As there’s no CVE ID, it is difficult to ascertain whether the exploit is active in the wild. However, attackers would only need to launch large email phishing campaigns to deploy the threat. Any victim clicking on a weaponized file with the .inetloc extension could allow attackers to remotely run arbitrary commands.