
Zero-Day Vulnerability in macOS Finder Allows Silent Code Execution


A newly discovered zero-day vulnerability in the Finder component of macOS allows an attacker to run arbitrary commands on a victim's machine without any visible warning, security researchers revealed. The disclosure was made through SSD Secure Disclosure, a platform for the responsible reporting of vulnerabilities to vendors.

According to the researchers, the vulnerability lies in the way macOS Finder handles .inetloc files. These resemble the web shortcuts used on Windows machines, but have somewhat wider functionality: an .inetloc file can point not only to a web page or URL but also to news feeds or even Telnet locations.

The issue stems from a further capability of the same format: an .inetloc file can also point to a local file on the user's hard drive, simply by using a file:// URL in place of http://. Finder then opens the local target much as a file shortcut on Windows would.

A threat actor would only need to craft a malicious .inetloc file whose embedded target launches the commands of their choosing. Once the doctored file exists, the remaining work is distribution: malspam campaigns and social engineering to persuade enough victims to open the attachment.

Importantly, the issue also affects macOS Big Sur, the current version of the operating system at the time of writing, so it is not limited to old or unpatched releases. The issue was reported to the SSD Secure Disclosure platform by an independent researcher named Park Minchan.

In response, Apple quickly issued a hotfix, but did not assign a CVE identifier to the problem. According to the researchers, however, the fix does not completely solve the issue.

The fix stops the lowercase file:// prefix from working, but the check is case-sensitive: a URL written as File:// is not matched and is still processed. Because URL schemes are case-insensitive by specification (RFC 3986), the system still treats File:// as a file URL, so the patch is bypassed by changing a single letter.
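As an added illustration (not code from the article, from Apple, or from the researcher's proof of concept), the following Python script parses an .inetloc file and shows why a case-sensitive prefix test misses the File:// variant while a check on the normalized URL scheme catches it. The sample .inetloc contents are constructed here; the script assumes the property-list layout with a single URL key that .inetloc/.webloc shortcuts use, and the Calculator.app path is a placeholder target, not an exploit.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample .inetloc contents (XML property list with a "URL" key).
# This is illustrative input written for this example, not a real malicious file.
SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>URL</key>
  <string>https://www.example.com/</string>
</dict>
</plist>
"""

# Same file pointing at a local application: lowercase scheme, then the mixed-case bypass.
# Calculator.app is only a placeholder target for the example.
SAMPLE_LOWER = SAMPLE_BENIGN.replace(b"https://www.example.com/", b"file:///Applications/Calculator.app")
SAMPLE_MIXED = SAMPLE_BENIGN.replace(b"https://www.example.com/", b"File:///Applications/Calculator.app")

# Schemes that make an .inetloc open something on the local disk rather than a remote location.
LOCAL_SCHEMES = {"file"}


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive prefix test: the kind of check that 'File://' slips past."""
    return url.startswith("file://")


def normalized_scheme(url: str) -> str:
    """Scheme as a URL loader interprets it: surrounding whitespace stripped, lowercased.

    urlsplit already lowercases the scheme; the explicit .lower() keeps the intent
    visible and independent of that implementation detail.
    """
    return urlsplit(url.strip()).scheme.lower()


def hardened_is_local(url: str) -> bool:
    """Case-insensitive check on the parsed scheme, per RFC 3986 scheme rules."""
    return normalized_scheme(url) in LOCAL_SCHEMES


def scan_inetloc(data: bytes) -> dict:
    """Parse .inetloc bytes (XML or binary plist) and report both verdicts for its URL."""
    plist = plistlib.loads(data)
    url = plist.get("URL")
    if not isinstance(url, str):
        # No usable URL key: nothing to open, nothing to flag.
        return {"url": None, "naive_blocked": False, "local_target": False}
    return {
        "url": url,
        "naive_blocked": naive_is_blocked(url),   # what a case-sensitive filter would do
        "local_target": hardened_is_local(url),   # what a scheme-aware filter should do
    }


if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("file://", SAMPLE_LOWER), ("File://", SAMPLE_MIXED)):
        print(label, scan_inetloc(blob))
```

Run against the three constructed samples, the lowercase file:// target is caught by both checks, while the File:// variant is reported as a local target only by the scheme-aware check; a scanner or mail filter that relies on a literal prefix match inherits exactly the gap the article describes.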

Threatpost reported that there is no information about active exploitation of the vulnerability, and that Apple had not responded to its request for comment.
