Apple partially patches new macOS Finder zero-day vulnerability

Posted:
in macOS
A newly discovered bug in all versions of macOS, including the latest macOS Big Sur, allows attackers to run arbitrary code remotely with the help of files embedded in emails.

macOS Big Sur


The vulnerability, discovered by independent researcher Park Minchan and reported to SSD Secure Disclosure, allows files with the inetloc extension to execute arbitrary commands without first prompting a Mac's user.

Attackers can include inetloc files in email messages as attachments which, if clicked, will run the embedded code locally. It is unclear if the exploit has been used in the wild, but bad actors could conceivably leverage the bug to deliver malicious payloads to Mac users.

As noted by BleepingComputer, which spotted by SSD Secure Disclosure report on Tuesday, internet location files with inetloc extensions can be considered system-wide bookmarks for online resources like RSS feeds or telnet locations. They can also be used to interact with local files through file://.

Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.

Apple earlier today released a seventh beta version of its next-generation macOS Monterey for developer testing ahead of an expected public debut this fall. Whether the latest builds contain a permanent fix for the newly discovered inetloc vulnerability is unknown.

Read on AppleInsider

Comments

  • Reply 1 of 10
    Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
    As a developer I find it difficult to comprehend that other variations weren't tested...
    chadbagaderutterMplsPcat52watto_cobra
  • Reply 2 of 10
    chadbagchadbag Posts: 1,519member
    Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
    As a developer I find it difficult to comprehend that other variations weren't tested...
    100% agree.  More so that the person assigned to fix this vulnerability didn’t think to do a caseless comparison.  
    elijahgllamacat52watto_cobra
  • Reply 3 of 10
    chadbag said:
    Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
    As a developer I find it difficult to comprehend that other variations weren't tested...
    100% agree.  More so that the person assigned to fix this vulnerability didn’t think to do a caseless comparison.  
    Without Steve Jobs around and with Mr. Emoji “Cook” in the helm, Apple has become crap. Very little innovation, considering the amount of people they employ and the sad part is, it’s more about stroking Media than innovation, I can nearly everything the iPhone does in an android for half the price.  So no, I’m not at all surprised that this happened and it will continue to happen under Cook. 
    elijahgcat52
  • Reply 4 of 10
    netling said:
    chadbag said:
    Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
    As a developer I find it difficult to comprehend that other variations weren't tested...
    100% agree.  More so that the person assigned to fix this vulnerability didn’t think to do a caseless comparison.  
    Without Steve Jobs around and with Mr. Emoji “Cook” in the helm, Apple has become crap. Very little innovation, considering the amount of people they employ and the sad part is, it’s more about stroking Media than innovation, I can nearly everything the iPhone does in an android for half the price.  So no, I’m not at all surprised that this happened and it will continue to happen under Cook. 
    Complete bollocks. Jobs was also at the helm when Apple made major screwups and he was also responsible for plenty of them. And most people here haven't got a single clue about 'innovation'. Apple has done A TON of 'innovation' in the past years. But just because it doesn't fit your view of shiny new things it's not? Laughable.
    muthuk_vanalingamrcfaCheeseFreezemaximarafastasleepcorp1watto_cobra
  • Reply 5 of 10
    Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
    As a developer I find it difficult to comprehend that other variations weren't tested...
    Indeed. You’d expect that these would be evaluated after being sanitized, e.g StrToLower(RemoveUnwantedChars(Trim($val))) which would capture all variations.

    That said, which such a gigantic pile of code, there’s bound to be human errors. 
    cat52watto_cobra
  • Reply 6 of 10
    MplsPMplsP Posts: 3,428member
    Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
    As a developer I find it difficult to comprehend that other variations weren't tested...
    Yeah, that was my thought, too. Fortunately it seems like it should be an easy fix. 

    Back to lesson number one, though- don’t click on random attachments!
    maximarallamawatto_cobra
  • Reply 7 of 10
    netling said:
    chadbag said:
    Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
    As a developer I find it difficult to comprehend that other variations weren't tested...
    100% agree.  More so that the person assigned to fix this vulnerability didn’t think to do a caseless comparison.  
    Without Steve Jobs around and with Mr. Emoji “Cook” in the helm, Apple has become crap. Very little innovation, considering the amount of people they employ and the sad part is, it’s more about stroking Media than innovation, I can nearly everything the iPhone does in an android for half the price.  So no, I’m not at all surprised that this happened and it will continue to happen under Cook. 
    Looks at M1.  You're kidding, right?  Besides, Android is a malware/shovelware infested disaster area.  As the old adage goes you get what you pay for.
    cat52watto_cobra
  • Reply 8 of 10
    One would think that at Apple of all places , and with security fixes in particular, there would be a code review of any merge requests. For example using a tool like gitlab, you can set multiple people to approve a code change before it is merged into production code. There must have been multiple points of failure for this to happen.
    llamacat52watto_cobra
  • Reply 9 of 10
    netling said:
    chadbag said:
    Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
    As a developer I find it difficult to comprehend that other variations weren't tested...
    100% agree.  More so that the person assigned to fix this vulnerability didn’t think to do a caseless comparison.  
    Without Steve Jobs around and with Mr. Emoji “Cook” in the helm, Apple has become crap. Very little innovation, considering the amount of people they employ and the sad part is, it’s more about stroking Media than innovation, I can nearly everything the iPhone does in an android for half the price.  So no, I’m not at all surprised that this happened and it will continue to happen under Cook. 
    If Steve Jobs would have been alive today and acted as CEO, there would have been a risk him becoming a blocker simply due to his long tenure. This security issue has nothing to do with Apple as a whole. 
    watto_cobra
  • Reply 10 of 10
    michelb76 said:
    netling said:
    chadbag said:
    Apple reportedly patched the file:// but failed to block other iterations of the prefix like File:// or fIle://, meaning would-be attackers can easily bypass the built-in safeguards. The tech giant also failed to assign the bug a CVE designation, according to Minchan.
    As a developer I find it difficult to comprehend that other variations weren't tested...
    100% agree.  More so that the person assigned to fix this vulnerability didn’t think to do a caseless comparison.  
    Without Steve Jobs around and with Mr. Emoji “Cook” in the helm, Apple has become crap. Very little innovation, considering the amount of people they employ and the sad part is, it’s more about stroking Media than innovation, I can nearly everything the iPhone does in an android for half the price.  So no, I’m not at all surprised that this happened and it will continue to happen under Cook. 
    Complete bollocks. Jobs was also at the helm when Apple made major screwups and he was also responsible for plenty of them. And most people here haven't got a single clue about 'innovation'. Apple has done A TON of 'innovation' in the past years. But just because it doesn't fit your view of shiny new things it's not? Laughable.
    I tend to agree: Apple Watch and AirPods, for example, are two products that instantly transformed their respective categories; HomePod stumbled (remember Jobs' iPod Hi-Fi?) and AirPower never actually shipped, but HomePod mini was successful, and the iPhone does support wireless charging. But it's Apple Silicon and the M1 Macs in particular that have stunned the industry and completely transformed expectations regarding performance, heat dissipation, and battery life.

    edited September 22 muthuk_vanalingammaximarawatto_cobra
Sign In or Register to comment.