Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple partially patches new macOS Finder zero-day vulnerability

AppleInsider Staff |

A newly discovered bug in all versions of macOS, including the latest macOS Big Sur, allows attackers to run arbitrary code remotely with the help of files embedded in emails.

The vulnerability, discovered by independent researcher Park Minchan and reported to SSD Secure Disclosure, allows files with the inetloc extension to execute arbitrary commands without first prompting a Mac's user.

Attackers can include inetloc files in email messages as attachments which, if clicked, will run the embedded code locally. It is unclear if the exploit has been used in the wild, but bad actors could conceivably leverage the bug to deliver malicious payloads to Mac users.

As noted by BleepingComputer, which spotted by SSD Secure Disclosure report on Tuesday, internet location files with inetloc extensions can be considered system-wide bookmarks for online resources like RSS feeds or telnet locations. They can also be used to interact with local files through file://.

Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.

Apple earlier today released a seventh beta version of its next-generation macOS Monterey for developer testing ahead of an expected public debut this fall. Whether the latest builds contain a permanent fix for the newly discovered inetloc vulnerability is unknown.

10 Comments

indieshack 9 Years · 336 comments
About

Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
As a developer I find it difficult to comprehend that other variations weren't tested...

chadbag 13 Years · 2029 comments
About

indieshack said:
Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
As a developer I find it difficult to comprehend that other variations weren't tested...

100% agree.  More so that the person assigned to fix this vulnerability didn’t think to do a caseless comparison.  

netling 21 Years · 77 comments
About

chadbag said:
indieshack said:
Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
As a developer I find it difficult to comprehend that other variations weren't tested...
100% agree.  More so that the person assigned to fix this vulnerability didn’t think to do a caseless comparison.  

Without Steve Jobs around and with Mr. Emoji “Cook” in the helm, Apple has become crap. Very little innovation, considering the amount of people they employ and the sad part is, it’s more about stroking Media than innovation, I can nearly everything the iPhone does in an android for half the price.  So no, I’m not at all surprised that this happened and it will continue to happen under Cook. 

michelb76 8 Years · 700 comments
About

netling said:
chadbag said:
indieshack said:
Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
As a developer I find it difficult to comprehend that other variations weren't tested...
100% agree.  More so that the person assigned to fix this vulnerability didn’t think to do a caseless comparison.  
Without Steve Jobs around and with Mr. Emoji “Cook” in the helm, Apple has become crap. Very little innovation, considering the amount of people they employ and the sad part is, it’s more about stroking Media than innovation, I can nearly everything the iPhone does in an android for half the price.  So no, I’m not at all surprised that this happened and it will continue to happen under Cook. 

Complete bollocks. Jobs was also at the helm when Apple made major screwups and he was also responsible for plenty of them. And most people here haven't got a single clue about 'innovation'. Apple has done A TON of 'innovation' in the past years. But just because it doesn't fit your view of shiny new things it's not? Laughable.

CheeseFreeze 7 Years · 1339 comments
About

indieshack said:
Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
As a developer I find it difficult to comprehend that other variations weren't tested...

Indeed. You’d expect that these would be evaluated after being sanitized, e.g StrToLower(RemoveUnwantedChars(Trim($val))) which would capture all variations.

That said, which such a gigantic pile of code, there’s bound to be human errors. 

Read More on our Forums ->
 

Sponsored Content

article thumbnail

How to stop spam calls and reclaim some sanity on your iPhone

Top Stories

article thumbnail

How Apple's smart home revolution begins in 2025

article thumbnail

AirPods Max four years later: a missed spatial computing opportunity

article thumbnail

Apple says EU interoperability laws pose severe privacy risks

article thumbnail

Don't believe what you see on TikTok - AirDrop doesn't allow thieves to steal your credit card info

article thumbnail

Holiday 2024 MacBook Buyer's Guide — Which Mac laptop you should buy?

article thumbnail

Holiday coupon: save up to $300 on every 14" & 16" MacBook Pro M4