Researchers discovered a flaw in Apple’s macOS Finder which allows for arbitrary command execution on Mac devices. This was previously thought to be remediated, notably without a CVE number, but a workaround was found. The exploit occurs when an INETLOC file is opened which contains the File:// prefix. These files are bookmarks that can be used to open online resources (news://, ftp://, afp://) or local files (file://).
Apple’s previous patch only blocked the all-lowercase file:// prefix. Different cases, e.g. File:// or fiLe://, can bypass the check added by the prior patch. The vulnerability can be exploited via email by including an INETLOC file as an attachment. This is particularly concerning, as commands embedded by an attacker can be executed without prompting the user. Exploit proofs of concept went undetected by antimalware programs.
Article: New macOS zero-day bug lets attackers run commands remotely
Author: Sergiu Gatlan
Published: September 21, 2021
Site: bleepingcomputer.com
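The case-sensitivity gap described above, as an added example that is not part of the original post or Apple's fix: a check in the spirit of the prior patch (lowercase prefix only) beside a hardened check that parses and normalises the URL scheme, run over constructed bookmark files. The XML plist layout with a top-level "URL" key is assumed for INETLOC files, and the sample URLs are made up.

```python
import plistlib
from urllib.parse import urlsplit


def make_inetloc(url: str) -> bytes:
    """Build a constructed bookmark in the assumed .inetloc plist layout."""
    return plistlib.dumps({"URL": url}, fmt=plistlib.FMT_XML)


# Constructed samples: the three case variants the post mentions plus a
# remote scheme that a bookmark is legitimately allowed to carry.
SAMPLES = {
    "lower": make_inetloc("file:///Users/example/notes.txt"),
    "capital": make_inetloc("File:///Users/example/notes.txt"),
    "mixed": make_inetloc("fiLe:///Users/example/notes.txt"),
    "remote": make_inetloc("news://example.invalid/group"),
}


def extract_url(inetloc_bytes: bytes) -> str:
    """Pull the bookmark target out of the (assumed) plist structure."""
    return str(plistlib.loads(inetloc_bytes).get("URL", ""))


def naive_is_local_file(url: str) -> bool:
    """Case-sensitive prefix check: only the all-lowercase form is caught,
    so File:// and fiLe:// are waved through."""
    return url.startswith("file://")


def hardened_is_local_file(url: str) -> bool:
    """URL schemes compare case-insensitively (RFC 3986), so parse the
    scheme and normalise its case before deciding; every variant is caught."""
    scheme = urlsplit(url.strip()).scheme
    return scheme.lower() == "file"


def triage(inetloc_bytes: bytes) -> dict:
    """Show both verdicts side by side for one bookmark file."""
    url = extract_url(inetloc_bytes)
    return {
        "url": url,
        "naive_blocks": naive_is_local_file(url),
        "hardened_blocks": hardened_is_local_file(url),
    }


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(data))
```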
Hi Matt,
I always enjoy articles such as these that outline vulnerabilities in macOS. It is quite a common misconception for a lot of Apple users to think their devices are unaffected by security issues or malware of any kind. It is a good reminder that these things can still affect them, and it certainly helps end users to be a little more security conscious.