A zero-day in macOS allows executing commands without warning. But Apple’s patch offers only a partial solution, its discoverer says.
The vulnerability sits in macOS Finder and affects every version, including Big Sur. It comes down to how Finder processes .inetloc files: a crafted file can cause the commands it references to be executed without any warning to the user, whereas opening legitimately downloaded software normally triggers a prompt.
The .inetloc files are Internet location files, bookmarks that point to an online or a local destination. The issue was discovered by security researcher Park Minchang, who reported it to Apple.
Apple patched its operating system without publishing any details about the problem, and no CVE number (the identifier assigned to each publicly known vulnerability) has been issued for it. According to Minchang, however, Apple only did half the job, and the problem is still exploitable.
In a technical write-up on the bug bounty platform SSD-Disclosure, he states that Apple now blocks ‘file://’ to stop an inetloc file from executing commands. But Minchang notes that the check is case sensitive, so an attacker who writes ‘FiLe://’ instead of ‘file://’ walks straight past Apple’s patch. URL schemes are case-insensitive by definition (RFC 3986), which is why a literal, case-sensitive string match on the scheme is the wrong primitive for this kind of filter.
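The following is an added example, not Apple’s code and not the researcher’s proof of concept. It models the patch the way the article describes it (a literal ‘file://’ string match) beside a hardened check that parses the URL and allowlists the scheme after lower-casing it, and runs both over three constructed .inetloc files. The .inetloc layout used here (an XML plist with a top-level `URL` key) is the standard format for such files; the sample URLs, file names and the `evaluate` helper are assumptions for illustration.

```python
"""Case-sensitive scheme denylist vs. a parsed, case-insensitive allowlist,
run over constructed .inetloc-style plists.

Added example: this is not Apple's code and not the researcher's PoC. The
'file://' string check below models the patch as the article describes it;
Apple's real Finder code is not public.
"""
import plistlib
from urllib.parse import urlsplit

# Constructed .inetloc content: an XML plist whose "URL" key holds the target.
INETLOC_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
\t<key>URL</key>
\t<string>{url}</string>
</dict>
</plist>
"""

# Three constructed samples: a normal web bookmark, a lower-case file://
# bookmark, and the mixed-case variant the article describes.
SAMPLES = {
    "web.inetloc": INETLOC_TEMPLATE.format(url="https://example.com/"),
    "local.inetloc": INETLOC_TEMPLATE.format(url="file:///tmp/example"),
    "bypass.inetloc": INETLOC_TEMPLATE.format(url="FiLe:///tmp/example"),
}


def extract_url(inetloc_bytes: bytes) -> str:
    """Pull the URL string out of an .inetloc plist (XML or binary)."""
    return plistlib.loads(inetloc_bytes)["URL"]


def blocked_case_sensitive(url: str) -> bool:
    """The check as the article describes it: a literal 'file://' prefix match.
    Any change of case in the scheme slips through."""
    return url.startswith("file://")


ALLOWED_SCHEMES = {"http", "https"}


def blocked_hardened(url: str) -> bool:
    """Parse the URL, normalise the scheme to lower case (urlsplit already does
    this; the explicit .lower() documents the intent) and compare it against an
    allowlist. 'FiLe', 'FILE' and any non-web scheme are all rejected."""
    scheme = urlsplit(url).scheme.lower()
    return scheme not in ALLOWED_SCHEMES


def evaluate(samples=SAMPLES) -> dict:
    """Return, per sample file, the extracted URL and each check's verdict."""
    results = {}
    for name, text in samples.items():
        url = extract_url(text.encode())
        results[name] = {
            "url": url,
            "case_sensitive_blocks": blocked_case_sensitive(url),
            "hardened_blocks": blocked_hardened(url),
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:15} {r['url']:24} "
              f"naive={r['case_sensitive_blocks']} hardened={r['hardened_blocks']}")
```

Running it shows the naive check blocking `file:///tmp/example` but not `FiLe:///tmp/example`, while the allowlist rejects both and only lets the https bookmark through. The design point is the allowlist: a denylist that has to enumerate every spelling and every dangerous scheme is the shape of check that produced this bypass.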
The bypass was also tested by BleepingComputer, which was able to reproduce the problem. The site notes that none of the antivirus engines aggregated by VirusTotal detected the attack method.