A zero-day security flaw in the macOS Finder system in Apple might enable remote attackers to deceive users to perform unauthorized commands, however, a silent patch didn’t resolve that, states researchers.
The macOS Finder is the standard file manager and the GUI front-end used in all Macintosh operating systems. This is the first item users see when booting, and it regulates the activation of additional programs and overall user management of file, disc, and network volume. In other terms, it is the master program for all the other things on the Mac.
This time the flaw resides in the handling of the macOS Finder, as per an SSD Secure Disclosure Notice.Inetloc files. Inettloc files may be used to open files remotely in a browser on someone’s Mac by utilizing the “file:/” format (instead of http://) as shortcodes to the Internet destination (such as an RSS feed or a telnet site). The last function, experts argued, is at stake with day zero.
Independent Park Minchan security researcher revealed the SSD vulnerability, stating that the problem affects the macOS Big Sur version as well as all the previous ones. In reply, Apple decided not to declare a CVE and repaired the matter discreetly instead. But, experts claimed, the patch was bungled.
The .Inetloc files can also be particularly developed with contained instructions for the exploitation scenario for the flaw. The manufactured data may then be linked, researchers noted, too (or connected to) hostile e-mails. If people are socially engineered to click these, the instructions inside them immediately run in stump mode without the warning or consent of the victims.
“A vulnerability in the way macOS processes. Inetloc files cause it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning/prompts,” according to the advisory.
New macOS (like Big Sur) versions reportedly banned the file:/ prefix… They stated that they did the case matching causing File:/ or fIle:/ to circumvent the inspection.
“We…have not received any response from them since the report has been made,” according to the advisory. “As far as we know, at the moment, the vulnerability has not been patched.”
Whether it is used in the wild or not, no information is out there. Meanwhile, Apple did not respond to the comment request.