A vulnerability in macOS can allow an attacker to take over your Mac when you open an email using an internet shortcut file. Apple says it has patched the bug in Big Sur and Monterey but independent security researcher Park Minchan says the vulnerability is still present.
Unpatched macOS vulnerability allows remote attackers to execute code
Independent security researcher Park Minchan discovered a macOS bug that lets remote attackers execute commands on a Mac. Shortcut files that have the “inetloc” extension are capable of embedding commands inside.
“A vulnerability in the way macOS processes inetloc files causes it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning / prompts,” explains Minchan. “Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or a telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; can be created by typing a URL in a text editor and dragging the text to the Desktop.”
Internet shortcuts are present in both Windows and macOS. However, this bug impacts macOS users the most, especially those who use a native email app like “Mail.” Opening an email that contains an inetloc attachment via Apple’s native “Mail” app can trigger the bug without warning.
Minchan reported the issue to Apple and the tech giant subsequently issued a fix. However, the patch is case-sensitive. The fix blocks URLs beginning with file:// but not mixed-case ones like FiLe://. Both run in the same way.
The vendor notified us that file:// had been silently patched in Big Sur and that no CVE was assigned to the vulnerability. We have notified Apple that FiLe:// (just mangling the value) doesn’t appear to be blocked, but have not received any response from them since the report was made. As far as we know, at the moment, the vulnerability has not been patched.
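The case-sensitivity problem described above, as an added example (not code from the article or from Apple): a check that mirrors the exact-prefix comparison the article describes, beside a hardened check that normalises the URL scheme first, since RFC 3986 defines scheme names as case-insensitive. The shortcut-file parser assumes the file is an XML property list with the target in a "URL" key (an assumption, matching the .webloc layout); the sample URLs and file are constructed.

```python
"""Compare a case-sensitive scheme block with a normalised one (added example)."""
import plistlib
from urllib.parse import urlsplit

# Schemes that point at the local machine rather than an Internet location.
LOCAL_SCHEMES = {"file"}


def weak_is_blocked(url: str) -> bool:
    """Mirror of the case-sensitive behaviour the article describes:
    only an exact lowercase 'file://' prefix is refused."""
    return url.startswith("file://")


def hardened_is_blocked(url: str) -> bool:
    """RFC 3986 section 3.1: scheme names are case-insensitive, so the
    scheme is normalised before comparison (urlsplit already lowercases it).
    Surrounding whitespace is stripped so padding cannot dodge the check."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in LOCAL_SCHEMES


def url_from_inetloc(data: bytes) -> str:
    """Extract the target URL from a shortcut file.
    Assumption: an XML plist whose 'URL' key holds the target."""
    plist = plistlib.loads(data)
    return str(plist.get("URL", ""))


def missed_by_weak_check(urls):
    """URLs the hardened check blocks but the case-sensitive one lets through."""
    return [u for u in urls if hardened_is_blocked(u) and not weak_is_blocked(u)]


# Constructed samples, not real indicators.
SAMPLE_URLS = [
    "https://example.com/feed.rss",  # a legitimate Internet location
    "file:///tmp/example",           # caught by both checks
    "FiLe:///tmp/example",           # mixed case: only the hardened check catches it
    "  FILE:///tmp/example",         # upper case plus padding: hardened check only
]

# Constructed shortcut file carrying a mixed-case local scheme.
SAMPLE_INETLOC = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict><key>URL</key>'
    b"<string>FiLe:///tmp/example</string></dict></plist>"
)

if __name__ == "__main__":
    print("missed by case-sensitive check:", missed_by_weak_check(SAMPLE_URLS))
    print("shortcut target blocked:", hardened_is_blocked(url_from_inetloc(SAMPLE_INETLOC)))
```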
Until Apple issues an updated fix, macOS users are advised to be cautious when opening .inetloc Internet shortcuts, especially ones that arrive via email attachments.