Unpatched macOS Security Hole Allows for Remote Code Execution

Another day, another vulnerability. This time it affects macOS Big Sur as well as earlier versions of macOS. More concerning, the security hole remains unpatched, according to a report at Ars Technica. The security vulnerability is a significant one allowing for code execution by a remote attacker.

Independent security researcher Park Minchan discovered the security flaw, which allows hackers to embed commands into shortcut files with the inetloc extension.

These inetloc files are internet shortcut files that typically contain innocuous server details and connection information. Users open these files expecting them to open a website, for example. They are not expecting the file to execute some random code.

The vulnerability exploits how macOS reads the content of inetloc files. Instead of an https:// URL that opens in a web browser, hackers can substitute a file:// URL and execute a file on the user’s computer.

Apple was aware of this flaw and blocked the addition of the file:// prefix in these internet shortcut files. Apple thought it had the bases covered, but the Cupertino giant forgot about case sensitivity.

Minchan discovered that while macOS blocked file://, it did not stop the capitalized version File://. 
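
The case-sensitivity gap described above, shown from the defender's side as an added example (not code from Apple, Ars Technica, or the researcher). It assumes an inetloc file is a property list with a `URL` string key; the function names, the allowlist, and the sample shortcuts are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Assumption: a mail gateway or endpoint scanner only wants web shortcuts.
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive blocklist: the kind of check the article says was bypassed."""
    return url.startswith("file://")


def scheme_of(url: str) -> str:
    """Return the URL scheme lowercased (RFC 3986 schemes are case-insensitive)."""
    return urlsplit(url.strip()).scheme.lower()


def inetloc_url(data: bytes) -> str:
    """Extract the URL string from inetloc property-list bytes."""
    plist = plistlib.loads(data)
    url = plist.get("URL")
    if not isinstance(url, str):
        raise ValueError("shortcut has no URL string")
    return url


def is_safe_shortcut(data: bytes) -> bool:
    """Allowlist check on the normalized scheme; anything unparseable fails closed."""
    try:
        return scheme_of(inetloc_url(data)) in ALLOWED_SCHEMES
    except Exception:
        return False


def build_shortcut(url: str) -> bytes:
    """Build constructed sample input: a plist with a single URL key."""
    return plistlib.dumps({"URL": url})


if __name__ == "__main__":
    # Constructed samples; the path is a placeholder, not a real target.
    for url in ("https://example.com/",
                "file:///placeholder/path",
                "File:///placeholder/path"):
        print(f"{url!r}: naive_blocked={naive_is_blocked(url)} "
              f"allowlist_safe={is_safe_shortcut(build_shortcut(url))}")
```

The blocklist misses the capitalized scheme, while the allowlist on the normalized scheme rejects both spellings and any other non-web scheme.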

Ars tested this vulnerability and launched the calculator app from an inetloc file containing eight lines of code. Launching the calculator app is benign. Unfortunately, the flaw is much more permissive. A skilled hacker could easily open system folders and other folders that contain malicious code downloaded to the user’s machine.

Minchan reported the flaw to Apple using the company’s SSD Secure Disclosure program. Apple has not publicly commented on the vulnerability, but we would expect the company to issue a security patch in the future.

macOS users should be cautious when opening internet shortcut files, especially those sent via unsolicited emails. They also should apply updates as soon as they are released.