A newly discovered bug in all versions of macOS, including the latest macOS Big Sur, allows attackers to run arbitrary code remotely with the help of files embedded in emails.
The vulnerability, discovered by independent researcher Park Minchan and reported to SSD Secure Disclosure, allows files with the
inetloc extension to execute arbitrary commands without first prompting a Mac’s user.
Attackers can include
inetloc files in email messages as attachments which, if clicked, will run the embedded code locally. It is unclear if the exploit has been used in the wild, but bad actors could conceivably leverage the bug to deliver malicious payloads to Mac users.
As noted by BleepingComputer, which spotted by SSD Secure Disclosure report on Tuesday, internet location files with inetloc extensions can be considered system-wide bookmarks for online resources like RSS feeds or telnet locations. They can also be used to interact with local files through
Apple reportedly patched the
file:// but failed to block other iterations of the prefix like
fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.