A newly disclosed flaw allows attackers to hijack a fully updated Mac simply by including a specific type of URL in an email attachment.
The flaw, previously reported by Bleeping Computer, exploits the Mac's handling of "inetloc" files, a file format that contains links to Internet locations such as websites and other servers.
Independent security researcher Park Minchan found that prefixing links in inetloc files with "file://" instead of "http://" or "https://" makes it possible to execute arbitrary code, in other words to hack, a Mac running the fully updated macOS 11.6 Big Sur. (The "file://" scheme refers to a file on the local machine rather than a remote server.)
"These files can be embedded in emails, and when users click on them, they execute the commands embedded in them without prompting or warning the user," an unsigned post on the SSD-Disclosure bug-reporting site stated today (Sept. 21).
Apple appears to have patched this flaw so that "file://" cannot be exploited. However, Park discovered that swapping the case of the letters so that the prefix is "File://" or "fIle://" also works, which suggests the fix only compares the scheme against the literal lowercase string. (URL schemes and host names are case-insensitive, so "hTTpS://tomsGUIde.coM" works just as well as "https://tomsguide.com".)
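The case-swapping bypass comes down to a string comparison. The following added example (it is not code from Tom's Guide, Bleeping Computer or the SSD-Disclosure post, and it is not the proof of concept) builds a few constructed inetloc files, assumed here to be XML property lists with a single "URL" key, and runs two checks over them: a naive case-sensitive "file://" prefix blocklist of the kind the article's findings imply, and a check that parses the scheme and compares it case-insensitively as RFC 3986 requires. It also shows the allowlist approach a mail gateway or triage script should prefer. The local path in the samples is a harmless placeholder.

```python
import plistlib
from urllib.parse import urlsplit


def make_inetloc(url: str) -> bytes:
    """Build a constructed .inetloc file: an XML plist whose "URL" key holds the link.
    (Assumption for this example: that is the layout of an inetloc file.)"""
    return plistlib.dumps({"URL": url}, fmt=plistlib.FMT_XML)


# Constructed samples, not real attachments. /tmp/example.txt is a placeholder.
SAMPLES = {
    "ordinary.inetloc": make_inetloc("https://www.tomsguide.com/"),
    "lowercase-file.inetloc": make_inetloc("file:///tmp/example.txt"),
    "capital-file.inetloc": make_inetloc("File:///tmp/example.txt"),
    "mixed-case-file.inetloc": make_inetloc("fIle:///tmp/example.txt"),
}


def extract_url(inetloc_bytes: bytes) -> str:
    """Return the link stored in the plist's "URL" key."""
    return plistlib.loads(inetloc_bytes)["URL"]


def naive_blocks(url: str) -> bool:
    """Case-sensitive prefix blocklist: catches "file://" only, so "File://" and
    "fIle://" walk straight past it. This is the flawed check, kept for contrast."""
    return url.startswith("file://")


def robust_blocks(url: str) -> bool:
    """Parse the scheme and compare it case-insensitively (RFC 3986 says schemes are
    case-insensitive). urlsplit() already lowercases the scheme; lower() is belt and braces."""
    return urlsplit(url).scheme.lower() == "file"


def allowlist_permits(url: str, allowed=("http", "https")) -> bool:
    """Better design: allow only the schemes an Internet-location file should carry,
    so any new or obscure local scheme is rejected without a blocklist update."""
    return urlsplit(url).scheme.lower() in allowed


def scan(samples: dict) -> dict:
    """Run every sample through all three checks and return a per-file report."""
    report = {}
    for name, blob in samples.items():
        url = extract_url(blob)
        report[name] = {
            "url": url,
            "naive_blocked": naive_blocks(url),
            "robust_blocked": robust_blocks(url),
            "allowlist_ok": allowlist_permits(url),
        }
    return report


if __name__ == "__main__":
    for name, row in scan(SAMPLES).items():
        print(f"{name:24} {row['url']:28} naive_blocked={row['naive_blocked']!s:5} "
              f"robust_blocked={row['robust_blocked']!s:5} allowlist_ok={row['allowlist_ok']}")
```

Running the script prints one row per sample; only the all-lowercase "file://" sample is caught by the naive check, while both the scheme-parsing blocklist and the allowlist reject all three local-file variants. Either of the latter two is the check to put in a mail filter or an incident-response triage script for unexpected inetloc attachments.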
This may seem like a zero-day flaw, but it is the kind of flaw Apple knew about but did not patch properly. Tom's Guide has emailed Apple seeking comment but has not yet received a response.
"We have notified Apple that FiLe:// (just mangling the value) does not appear to be blocked, but have not received any response from them since the report was made," the SSD-Disclosure post states. "As far as we know, no patch has been applied to this vulnerability at this time."
Bleeping Computer tried the eight-line proof-of-concept exploit listed at the end of the post and confirmed that it does indeed work on macOS Big Sur. Tom's Guide did not have a chance to try the exploit.
For now, the only way to avoid this type of attack is to avoid opening unexpected email attachments. As of this writing, none of VirusTotal's antivirus engines flag the proof-of-concept code as malicious.