Apple’s macOS Finder has been found to be vulnerable to a zero-day bug that lets attackers run arbitrary commands on any Mac running macOS Big Sur or earlier.
The bug was discovered by independent security researcher Park Minchan and stems from the way macOS handles inetloc (Internet location shortcut) files: any commands an attacker embeds in such a file are executed without any warning or prompt to the user.
Minchan reported the vulnerability to the SSD Secure Disclosure Program, which in turn notified Apple. SSD also covered the vulnerability in a report published Tuesday, along with a video demo and proof-of-concept code. The bug has not yet been assigned a CVE identifier.
Apple quashes the bug silently
Since being notified of the issue, Apple has silently fixed the problem without assigning it a CVE number. The patch, however, only partially addresses the fault: an attacker can still exploit it by changing the URL scheme used to reference the embedded command from file:// to FiLe://.
The researchers have notified Apple that the bug can still be triggered by modifying that value, but they have received no response from the company. For all intents and purposes, the vulnerability remains as good as unpatched.
The patch works by blocking the file:// prefix, but the comparison is case-sensitive, so a scheme written with different capitalization passes the check untouched. The researchers have not described how attackers might abuse the bug in practice, but it could be used to craft malicious email attachments that launch bundled commands or payloads when the target opens them.
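The case-sensitivity bypass described above, shown as an added example that is not part of the SSD advisory or of Apple's fix: a small Python checker that parses an inetloc file (macOS stores these as XML property lists with a URL key), applies a case-sensitive prefix check of the kind the partial patch is described as using, and then applies a scheme-aware, case-insensitive check. The sample inetloc contents and the target path are constructed for illustration; the uppercase and whitespace-padded variants go beyond what the article reports and are included only to show why the hardened check normalizes before comparing.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample .inetloc files (XML property lists whose URL key holds
# the target). The path below is a placeholder chosen for illustration and is
# not the advisory's proof of concept.
INETLOC_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>URL</key>
  <string>{url}</string>
</dict>
</plist>
"""

TARGET = "/Applications/Calculator.app/Contents/MacOS/Calculator"  # assumed harmless target

SAMPLES = {
    "benign":     INETLOC_TEMPLATE.format(url="https://example.com/").encode(),
    "lowercase":  INETLOC_TEMPLATE.format(url="file://" + TARGET).encode(),
    "mixed_case": INETLOC_TEMPLATE.format(url="FiLe://" + TARGET).encode(),
    # Beyond the article: uppercase scheme, extra slashes and leading spaces.
    "padded":     INETLOC_TEMPLATE.format(url="  FILE://////" + TARGET).encode(),
}


def extract_url(inetloc_bytes: bytes) -> str:
    """Return the URL string stored in an inetloc property list."""
    plist = plistlib.loads(inetloc_bytes)
    url = plist.get("URL")
    if not isinstance(url, str):
        raise ValueError("inetloc file has no string URL key")
    return url


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive prefix match, mirroring the described partial fix.

    Rejects 'file://' exactly as written and nothing else, so 'FiLe://'
    slips past it.
    """
    return url.startswith("file://")


def hardened_is_blocked(url: str) -> bool:
    """Scheme-aware check: parse the URL and compare the scheme
    case-insensitively (RFC 3986 schemes are case-insensitive), after
    stripping surrounding whitespace so padding cannot defeat the parse."""
    scheme = urlsplit(url.strip()).scheme
    return scheme.lower() == "file"


def scan(inetloc_bytes: bytes) -> dict:
    """Evaluate one inetloc file under both checks and report the verdicts."""
    url = extract_url(inetloc_bytes)
    return {
        "url": url,
        "naive_blocked": naive_is_blocked(url),
        "hardened_blocked": hardened_is_blocked(url),
    }


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        result = scan(data)
        print(f"{name:10s} naive={str(result['naive_blocked']):5} "
              f"hardened={str(result['hardened_blocked']):5} {result['url']}")
```

Running the block prints one line per sample; only the hardened check flags the mixed-case and padded variants. The same shape of logic suits a mail-gateway or endpoint rule that inspects inetloc attachments: parse the plist, extract the URL, and decide on the normalized scheme rather than on a literal prefix.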
BleepingComputer also reported that the proof-of-concept code from the advisory was not detected by any anti-malware engine on VirusTotal. That is a serious concern, since macOS users who have already been targeted may get no protection from their security software. A zero-detection result for the published sample does not mean the technique is undetectable, though: an inetloc file is plain XML, and a rule that flags inetloc attachments whose URL uses the file scheme, matched case-insensitively, would catch both the original and the FiLe:// variant.