An unpatched vulnerability in macOS Finder has been detected that could be exploited by remote threat actors to trick users into running arbitrary commands on their machines.
The vulnerability, found in macOS Finder, allows files with the “inetloc” extension to execute arbitrary commands.
Threat actors can easily embed these files inside emails with arbitrary commands planted in them; most notably, once the user clicks on such a file, the commands execute without presenting any prompt or warning to the user.
Here we have mentioned the affected versions of macOS:-
- macOS Big Sur and prior
Independent security researcher Park Minchan, who reported this flaw affecting macOS Big Sur and prior versions, has been credited with the finding.
Analysis of the vulnerability
Moreover, the vendor has claimed that the “file://” prefix was silently patched in Big Sur, and no CVE ID was assigned to it. However, it has since been reported to Apple that “FiLe://” still does not appear to be blocked, which implies that the vulnerability has not been fully fixed yet.
The way macOS processes “inetloc” files creates the vulnerability and causes the arbitrary commands planted inside them to run. Since the commands it executes can point to files local to the macOS machine, this allows arbitrary command execution without any warning or prompt.
The “inetloc” files are shortcuts to an Internet location, such as an RSS feed or a telnet location, and they can be created by typing a URL in a text editor and dragging the text to the Desktop.
While they can contain the following things:-
- Server address
- A username and password for SSH
- Telnet connections
To put it simply, Minchan affirmed the following statement:-
“The case here is that inetloc is referring to a file:// “protocol” which allows running locally (on the user’s computer) stored files. If the “inetloc” file is attached to an email, clicking on the attachment will trigger the vulnerability without warning.”
However, although Apple has now blocked the “file://” prefix in newer versions of macOS, the variants “File://” or “fIle://” have been found to bypass the security checks.
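The bypass described above is a case-sensitivity gap: a check that only matches the literal string “file://” misses “File://” or “fIle://”. The following is an added example, not code from the article or from Apple, of how a mail gateway or endpoint scanner could flag such attachments with a case-insensitive scheme check. It assumes that an .inetloc file is an XML plist whose location is stored under a “URL” key, and the sample attachments are constructed for the demonstration.

```python
import plistlib
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample in the XML plist layout assumed for .inetloc files (assumption: "URL" key).
SAFE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>URL</key>
  <string>https://example.com/feed.rss</string>
</dict>
</plist>
"""

# Same layout with a mixed-case scheme, the kind of variant the article says slipped past a literal check.
SUSPICIOUS_INETLOC = SAFE_INETLOC.replace(
    b"https://example.com/feed.rss", b"fIle:///path/to/local/file")


def inetloc_url(data: bytes) -> Optional[str]:
    """Return the URL stored in an .inetloc plist, or None if it cannot be parsed."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # malformed XML or not a plist at all
        return None
    url = plist.get("URL") if isinstance(plist, dict) else None
    return url if isinstance(url, str) else None


def uses_file_scheme(url: str) -> bool:
    """Case-insensitive scheme check: treats file://, File:// and fIle:// alike."""
    return urlsplit(url).scheme.lower() == "file"


def classify(data: bytes) -> str:
    """Return 'file-scheme', 'unparseable' or 'ok' for the bytes of an .inetloc attachment."""
    url = inetloc_url(data)
    if url is None:
        # Could not parse the plist: fall back to a case-insensitive scan of the raw bytes,
        # so a deliberately malformed file still cannot hide a local-file scheme.
        return "file-scheme" if re.search(rb"\bfile:", data, re.IGNORECASE) else "unparseable"
    return "file-scheme" if uses_file_scheme(url) else "ok"
```

Comparing schemes after lowercasing, rather than matching a literal prefix, is the property the article's “File://” and “fIle://” variants defeat.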