Zero-day macOS bug triggers remote code execution vulnerability

Apple’s macOS Finder has been found to be vulnerable to a zero-day bug which makes it possible for attackers to run arbitrary commands on any Mac running macOS Big Sur or earlier.

The bug was discovered by independent security researcher Park Minchan and is caused by the way macOS processes inetloc files: it runs any commands an attacker embeds in them without any warnings or prompts.

Minchan reported the vulnerability to the SSD Secure Disclosure Program, which, in turn, notified Apple. They also covered the vulnerability in a report published Tuesday, along with a video demo and proof-of-concept code. The bug hasn’t been assigned a CVE identifier yet.

Apple quashes the bug silently

Since being notified of the issue, Apple has silently fixed the problem without assigning it a CVE number. The patch, however, only partially addresses the fault as an attacker can still exploit it by changing the protocol used to execute the embedded commands from file:// to FiLe://.

The researchers have notified Apple that it’s still possible to exploit the bug by modifying the value, but they haven’t received a response from the company. For all intents and purposes, the vulnerability is still as good as unpatched.

The patch works by blocking the file:// prefix, but the match is case-sensitive, so the researchers were able to bypass the check by changing the capitalization of the prefix. They haven’t provided any information on how attackers might abuse this bug either, but it can potentially be used by hackers to create malicious email attachments that can launch bundled commands or payloads if or when opened by the target.
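The case-sensitivity gap described above, shown as an added example (not Apple's code and not the advisory's): a case-sensitive prefix blocklist beside a check that normalizes the URL scheme and only permits listed schemes. The function names, the allowlist, and the sample URLs are assumptions constructed for illustration.

```python
import re

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), and schemes
# are case-insensitive, so "file", "FILE" and "FiLe" all name the same scheme.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Assumption: the policy for this example is "web links only".
ALLOWED_SCHEMES = frozenset({"http", "https"})


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive prefix blocklist: the kind of check the article says was bypassed."""
    return url.startswith("file://")


def scheme_of(url: str):
    """Return the lowercased scheme, or None when the string has no valid scheme."""
    match = _SCHEME_RE.match(url.strip())
    return match.group(1).lower() if match else None


def hardened_is_blocked(url: str) -> bool:
    """Allowlist on the normalized scheme; unknown or unparsable input is blocked."""
    return scheme_of(url) not in ALLOWED_SCHEMES


# Constructed sample URLs (hypothetical paths, not taken from the advisory).
SAMPLES = [
    "file:///tmp/constructed-example",
    "FiLe:///tmp/constructed-example",
    "FILE:///tmp/constructed-example",
    "https://example.com/",
]


def compare(samples):
    """Return (url, naive verdict, hardened verdict) for each sample."""
    return [(u, naive_is_blocked(u), hardened_is_blocked(u)) for u in samples]


if __name__ == "__main__":
    for url, naive, hardened in compare(SAMPLES):
        print(f"{url:40} naive_blocked={naive!s:5} hardened_blocked={hardened}")
```

The blocklist only stops the exact lowercase spelling, while the allowlist treats every capitalization of the scheme the same way and fails closed on anything it does not recognize.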

The proof-of-concept code provided in the advisory also wasn’t detected by any antimalware engines on VirusTotal, as reported by BleepingComputer. This is a major concern, as macOS users who might’ve already been targeted won’t be protected by security software.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.