New zero-day vulnerability reported that even the latest version of macOS cannot prevent attacks
A new zero-day vulnerability has been found in the macOS file manager Finder. A malicious attacker could exploit this vulnerability to remotely execute arbitrary code, even on the latest version of the operating system.
SSD Advisory – macOS Finder RCE (SSD Secure Disclosure)
New macOS zero-day bug lets attackers run commands remotely (Bleeping Computer)
The vulnerability is due to the way macOS handles INETLOC (Internet Location) files. An INETLOC file, indicated by the '.inetloc' extension, contains information such as a server address. On macOS it is used to open online resources such as 'news://', 'ftp://' and 'afp://', or local resources indicated by 'file://'.
SSD Secure Disclosure, a community for security researchers, said in its advisory about the vulnerability: 'The vulnerability contained in the macOS Finder allows INETLOC files to execute arbitrary commands. If commands are included, when the user clicks on the file, the commands embedded in the file will be executed without any warning or dialog to the user.'
Bleeping Computer, which disseminates security-related information, tested a proof-of-concept attack presented by the researchers and confirmed that, as the researchers announced, it is actually possible to execute arbitrary code on macOS Big Sur without any warning or dialog.
Apple appears to have fixed the vulnerability without assigning it an identifier, but Park Minchan, the security researcher who discovered the vulnerability, pointed out that the patch only partially addresses it. Even with the patch applied, the check only matches the exact string 'file://', so a command can rewrite 'file://' as 'FiLe://' and similar variants, and no version of macOS blocks them: malicious resources written as 'File://', 'fIle://' and so on bypass Apple's check. Minchan has reported this to Apple, but Apple has not responded and has not fixed it.
The researchers have not shown a specific method of exploiting the discovered vulnerability, but they believe an attack is possible by e-mail, using 'a file that can be controlled remotely when the target opens it'.
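The partial fix described above fails because it compares the URL scheme as an exact, case-sensitive string, while URL schemes are case-insensitive. The following added example (written for this page, not code from Apple, SSD Secure Disclosure or the researcher) contrasts such a naive check with a normalized one and runs both over a constructed .inetloc sample. It assumes, as a simplification, that an .inetloc file is an XML property list with a 'URL' key; the sample file, the path inside it and the function names are constructed for illustration.

```python
"""Scheme-normalization check for Internet Location (.inetloc) files.

Added example for this article; not the original page's or Apple's code.
Assumption: an .inetloc file is an XML plist containing a 'URL' key.
"""
import plistlib
from urllib.parse import urlsplit

# Schemes that point at the local machine rather than a network resource.
LOCAL_SCHEMES = {"file"}


def naive_is_local(url: str) -> bool:
    """Exact-string check of the kind the article says the patch relies on.

    It only recognises the lowercase spelling, so 'FiLe://' slips through.
    """
    return url.startswith("file://")


def normalized_scheme(url: str) -> str:
    """Return the scheme in canonical lowercase form.

    RFC 3986 section 3.1 makes schemes case-insensitive; urlsplit already
    lowercases the scheme it extracts, so 'FiLe' and 'file' compare equal.
    """
    return urlsplit(url.strip()).scheme


def hardened_is_local(url: str) -> bool:
    """Case-insensitive check: flags every spelling of a file:// URL."""
    return normalized_scheme(url) in LOCAL_SCHEMES


def scan_inetloc(data: bytes) -> dict:
    """Parse a (plist-formatted, by assumption) .inetloc and report both verdicts."""
    plist = plistlib.loads(data)
    url = plist.get("URL", "")
    return {
        "url": url,
        "scheme": normalized_scheme(url),
        "naive_flagged": naive_is_local(url),
        "hardened_flagged": hardened_is_local(url),
    }


# Constructed sample: a mixed-case scheme like the bypass the article describes.
SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>FiLe:///Users/example/Documents/notes.txt</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    for candidate in ("file:///tmp/a", "FiLe:///tmp/a", "fIle:///tmp/a", "afp://host.invalid/share"):
        print(f"{candidate:28} naive={naive_is_local(candidate)!s:5} hardened={hardened_is_local(candidate)}")
    print(scan_inetloc(SAMPLE_INETLOC))
```

A scanner or mail gateway that wants to quarantine local-resource INETLOC files should use the normalized comparison; the naive variant is shown only to make the gap in the partial patch visible.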
in Security, Posted by darkhorse_log