New zero-day vulnerabilities reported that even the latest version of macOS cannot prevent attacks

A new zero-day vulnerability has been found in the macOS file manager

Finder. A malicious attacker could exploit this vulnerability to remotely execute arbitrary code, even on the latest version of the operating system.

SSD Advisory – macOS Finder RCE --SSD Secure Disclosure

New macOS zero-day bug lets attackers run commands remotely

The vulnerability is due to the way macOS handles INETLOC (Internet Location) files. The INETLOC file is a file format indicated by the extension '.inetloc' and contains information such as the server address. On macOS, online such as 'news: //', 'ftp: //', and 'afp: //' Used to open resources or local resources as indicated by 'file: //'.

SSD SecureDisclosure, a community for security researchers, said in an announcement about the vulnerabilities, 'The vulnerabilities contained in the macOS Finder allow INETLOC files to execute arbitrary commands.' If included, when the user clicks on the file, the commands embedded in the file will be executed without warning or dialog to the user. '

Apple seems to have fixed the vulnerability without assigning an ID, but Park Minchan, a security researcher who discovered the vulnerability, pointed out that the patch only partially addresses it. Even if a patch is applied, it is possible to rewrite 'file: //' to 'FiLe: //' etc. with a command, and no version of macOS can block 'file: //'. , Malicious resources such as 'File: //' and 'fIle: //' can bypass Apple's checks. Minchan has reported this to Apple, but he hasn't responded and hasn't fixed it.

Researchers have not shown a specific method of exploiting the discovered vulnerability, but think that it is possible to attack by e-mail with 'a file that can be controlled remotely when the target is opened'. It has been done.

Bleeping Computer, which disseminates security-related information,

tested a proof -of-concept attack presented by researchers, and as the researchers announced, it was actually arbitrary on macOS Big Sur without any warnings or dialogs. It has been confirmed that it is possible to execute the code.

in Security, Posted by darkhorse_log