MacOS zero-day flaw lets remote attackers execute code

A code execution bug in Apple’s macOS allows remote attackers to execute arbitrary commands on your device.

Independent security researcher Park Minchan has discovered a vulnerability in macOS that allows threat actors to execute commands on your computer, according to a new report from BleepingComputer. Shortcut files with the “inetloc” extension can embed commands. The flaw affects macOS Big Sur and earlier versions.

“A vulnerability in the way macOS processes inetloc files makes it execute commands embedded inside; the commands it executes can be local to macOS, allowing arbitrary commands to be executed by the user without any warnings or prompts,” explains Minchan. “Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or telnet location; they contain the server address and possibly a username and password for SSH and telnet connections, and can be created by typing a URL in a text editor and dragging the text to the desktop.”

Minchan says this is possible because of a bug in the way macOS handles internet location files (inetloc) that causes it to run any commands embedded within them. These files are normally system-wide bookmarks used to open online resources or local files, but in this case an attacker can abuse them to execute malicious code without any warning or prompt being shown to the user on the target Mac.

This is done by replacing the link in an inetloc file with a “file://” URL, and all it takes to trigger the exploit is a single user click.

Minchan reported the vulnerability to Apple, and the company issued a patch. However, Apple’s fix in macOS Big Sur was applied silently, without assigning a CVE, and it overlooked the fact that merely changing the case of the scheme, using “File://” or “fIle://”, works just as well as “file://”.
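The case-variant bypass described above is a classic failure of string-prefix filtering: URL schemes are case-insensitive, so a check that only matches the literal “file://” misses “File://” and “fIle://”. The following added example (not code from the article, Apple, or the researcher) is a small defensive scanner that reads an inetloc file, extracts its URL, and flags a local file: location both with a naive case-sensitive prefix check and with a parsed, case-folded scheme comparison, so the difference is visible side by side. It assumes, based on the article’s description of inetloc files as URL bookmarks, that the file is an XML property list whose “URL” key holds the location; the sample plist body and its placeholder path are constructed for the example.

```python
import plistlib
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inetloc body (assumed format: an XML plist with a "URL" key).
# The scheme is deliberately written with mixed case to mirror the bypass in the article.
SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>fIle:///tmp/placeholder-path</string>
</dict>
</plist>
"""


def naive_is_file_url(url: str) -> bool:
    """Case-sensitive prefix match: the weak form of check that the article says the silent fix amounted to."""
    return url.startswith("file://")


def robust_is_file_url(url: str) -> bool:
    """Parse the URL and compare its scheme case-insensitively (schemes are case-insensitive per RFC 3986)."""
    return urlsplit(url.strip()).scheme.lower() == "file"


def extract_url(inetloc_bytes: bytes) -> Optional[str]:
    """Return the URL stored in an inetloc plist, or None if the file has no string "URL" entry."""
    try:
        data = plistlib.loads(inetloc_bytes)
    except (plistlib.InvalidFileException, ValueError):
        return None
    if isinstance(data, dict):
        url = data.get("URL")
        if isinstance(url, str):
            return url
    return None


def scan_inetloc(inetloc_bytes: bytes) -> dict:
    """Report whether the inetloc points at a local file: location under each check.

    A file that the naive check passes but the robust check flags is exactly the
    case-variant bypass described in the article.
    """
    url = extract_url(inetloc_bytes)
    if url is None:
        return {"url": None, "naive_flag": False, "robust_flag": False}
    return {
        "url": url,
        "naive_flag": naive_is_file_url(url),
        "robust_flag": robust_is_file_url(url),
    }


if __name__ == "__main__":
    result = scan_inetloc(SAMPLE_INETLOC)
    print(f"URL: {result['url']}")
    print(f"naive (case-sensitive) check flags it: {result['naive_flag']}")
    print(f"robust (parsed scheme) check flags it: {result['robust_flag']}")
```

Run on the constructed sample, the naive check reports False while the robust check reports True, which is the gap the article describes. The same parsed-scheme comparison is what a mail gateway or endpoint scanner should use when deciding whether an inetloc attachment points at the local filesystem rather than a remote feed.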

BleepingComputer went a step further and tested a proof-of-concept exploit shared by Minchan, which worked exactly as the researcher had described in the disclosure.
