
Bug in macOS Finder allows remote code execution

While Apple did issue a patch for the vulnerability, it seems that the fix can be easily circumvented

Researchers have uncovered a flaw in Apple’s macOS Finder system that could allow remote threat actors to dupe unsuspecting users into running arbitrary commands on their devices. The security loophole affects all versions of the macOS Big Sur operating system and older systems.

“A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user,” reads the blog by SSD Secure Disclosure about the bug.

Park Minchan, an independent researcher who was credited with the discovery of the security loophole, commented that the mail application isn’t the only possible attack vector, but that the vulnerability could be exploited using any program that could attach and execute files, naming iMessage and Microsoft Office as viable examples.

The security flaw stems from how macOS processes Internet Location (INETLOC) files, which are used as shortcuts to open various internet locations, like RSS feeds or telnet locations. These files usually contain a web address and can sometimes contain usernames and passwords for secure shell (SSH) and telnet connections. The way macOS processes INETLOC files causes it to run commands embedded inside them, so arbitrary commands can execute without any alert or prompt being shown to the user.

“The case here inetloc is referring to a file:// “protocol” which allows running locally (on the user’s computer) stored files. If the inetloc file is attached to an email, clicking on the attachment will trigger the vulnerability without warning,” reads the description of how the bug could be exploited.

The Cupertino tech giant was notified of the vulnerability and went on to patch the “file://” flaw silently. However, oddly enough, it decided to forgo assigning it a Common Vulnerabilities and Exposures (CVE) identifier. It also seems the patch hasn’t addressed the bug entirely.

While newer versions of macOS (Big Sur and later) block the file:// prefix, changing the letter case in file:// to File:// or fIle:// will circumvent the check. SSD Secure Disclosure said that it reached out to Apple and notified the company about the issue; however, it hasn’t received any reply and the vulnerability has yet to be properly patched.
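The case-change bypass works against any filter that matches the literal string file://, because URI schemes are case-insensitive. The following added example (not code from Apple, SSD Secure Disclosure or the researcher) shows an attachment filter for a mail gateway that normalises the scheme and applies an allowlist instead. It assumes an INETLOC file is a property list with a top-level `URL` key; the function names, the allowlist and the sample URLs are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Assumed local policy: the only schemes an attached .inetloc may point to.
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive prefix match, the kind of check a case change gets past."""
    return url.startswith("file://")


def inetloc_url(data: bytes) -> str:
    """Return the URL from an .inetloc property list (assumes a top-level 'URL' key)."""
    plist = plistlib.loads(data)
    url = plist.get("URL", "")
    if not isinstance(url, str):
        raise ValueError("URL entry is not a string")
    return url.strip()


def is_blocked(data: bytes) -> bool:
    """Allowlist on the normalised scheme; anything unparsable is blocked (fail closed)."""
    try:
        # URI schemes are case-insensitive (RFC 3986); urlsplit lowercases the scheme.
        scheme = urlsplit(inetloc_url(data)).scheme
    except Exception:
        return True
    return scheme not in ALLOWED_SCHEMES


def make_sample(url: str) -> bytes:
    """Build a constructed .inetloc body for testing the filter."""
    return plistlib.dumps({"URL": url})


if __name__ == "__main__":
    # Constructed sample URLs with placeholder paths, not taken from any real file.
    for url in ("file:///constructed/placeholder", "File:///constructed/placeholder",
                "fIle:///constructed/placeholder", "https://example.com/feed.rss"):
        print(f"{url!r}: naive={naive_is_blocked(url)} "
              f"allowlist={is_blocked(make_sample(url))}")
```

An allowlist on the parsed scheme also covers schemes other than file that a deny rule would have to enumerate one by one.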