Apple partially patches new macOS Finder zero-day vulnerability

A newly discovered bug in all versions of macOS, including the latest macOS Big Sur, allows attackers to run arbitrary code remotely with the help of files embedded in emails.

The vulnerability, discovered by independent researcher Park Minchan and reported to SSD Secure Disclosure, allows files with the inetloc extension to execute arbitrary commands without first prompting a Mac’s user.

Attackers can include inetloc files in email messages as attachments which, if clicked, will run the embedded code locally. It is unclear if the exploit has been used in the wild, but bad actors could conceivably leverage the bug to deliver malicious payloads to Mac users.

As noted by BleepingComputer, which spotted by SSD Secure Disclosure report on Tuesday, internet location files with inetloc extensions can be considered system-wide bookmarks for online resources like RSS feeds or telnet locations. They can also be used to interact with local files through file://.

Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.

Apple earlier today released a seventh beta version of its next-generation macOS Monterey for developer testing ahead of an expected public debut this fall. Whether the latest builds contain a permanent fix for the newly discovered inetloc vulnerability is unknown.

Tags: