Hot Potato: A security researcher has discovered that Apple has only partially fixed a vulnerability that affects all versions of macOS. The company tried to solve the problem silently, but failed, leaving millions of Macs vulnerable to remote code execution without any warning or urging.
Apple has recently done a good job of fixing several vulnerabilities in macOS, but at least one of them will be more difficult to fix than the Cupertino giant expected.
According to independent researcher Park Minchan, a bug in all versions of macOS - including macOS Big Sur - allows malicious actors to embed emails with the help of a few simple files. remote code. Via Apple Mail or any other email app.
Minchan says this is possible due to a flaw in how macOS manages internet location (inetloc) files, making any inline commands difficult. These bookmarks are usually used throughout the system to open online resources or local files, but in this case, attackers can use them to execute malicious code on the Mac without warning or prompting the user.
This can be done by changing the preview link in the inetloc file to "file://" and all it takes is a user click. Apple tried to fix this bug in macOS Big Sur, but did so quietly without specifying a CVE, ignoring the fact that using "file://" or "fIle://" (for simplicity of value manipulation) could work. as well as "file://."
Minchan has reported the matter to the company but has yet to respond. In the meantime, all you can do is avoid opening email attachments with the "inetloc" extension.
Zero day flaw allows remote code execution even on fully patched Macs