Internet shortcuts have the ability to execute code. The latest Mac is not fully patched.
macOS Code Execution Error Apple allows remote attackers to execute arbitrary commands on your device. And the worst part is that Apple hasn't fully patched it yet, as tested by Ars.
These Shortcuts Can Take Over Your Mac
Independent security researcher Park Minchan has discovered a vulnerability in macOS that allows threat actors to execute commands on your computer. Shortcut files with the inetloc extension can put commands inside. This defect affects macOS Big Sur and earlier versions.
"A vulnerability in how macOS handles inloc files causes inline commands to be executed. The commands it executes can be randomly running place for macOS. Minchan explains that user commands without any warning/request "" basically, inetloc files are shortcuts to an Internet site such as an RSS feed or telnet site; connections are SSH and Telnet; they can be created by typing a URL into a text editor and dragging the text to the desktop."
Internet shortcuts are found on Windows and macOS. But these specific errors negatively affect macOS users, especially those who use a native email client like Mail.
For example, opening an email with an inetloc attachment via the "Mail" application causes an undisclosed vulnerability in the test email under "test.inetloc" shortcut file, click this machine Calculator running on macOS:Zoom in/attach 'inetloc' when viewed via macOS Mail.Ax Sharma is weak
The reason for the vulnerability is very simple. Usually Internet shortcut file contains a URL. But what if you enter the URL "File://"? Now you can try it on your Mac. Equivalent file: // location in the address bar, Internet shortcuts or inetloc files can be easily created to show addresses URL of "file://" vs HTTP URLs.
Although Apple is aware of the error and starts with Big Sur, include file: // URLs can be changed in Internet shortcuts in-text, block bypass :
"Newer versions of macOS (from Big Sur) have banned the file:// prefix (explained in Minchan).
I tested this theory on my macOS. Big Sur 11.3.1 uses the proof-of-concept (PoC) code provided by Minchan and can verify that the error has not been completely debugged:Magnification / Bug Proof macOS RCE that contains the code to run the calculator program.
This snippet, which contains only eight lines of code, is what the calculator showed above. But any skilled threat player can modify this test code to fully execute the malicious code on the victim device.
Apple Mac users are warned to be careful when opening .inloc Internet shortcuts, especially those in email attachments.
Patched macOS vulnerability allows remote attackers to execute code
At least since 2019, popular YouTube channels have been tak...
Britain's COVID Pass card system was suspended for hours o...
Several Visible Wireless subscribers reported having their accounts ...
This is the story of the mastermind behind one of the largest "fake news" op...
Twitch's live video streaming service has been hacked and 125GB...