New macOS zero-day vulnerability allows cyber actors to execute arbitrary commands
Apple has also released an urgent software to fix bugs in older iPhones, iPads and iPods
Security researchers have disclosed a new zero-day bug in Apple's macOS Finder system which could allow malicious actors to run arbitrary commands on Macs running all versions of macOS, including the latest Big Sur edition.
A SSD Secure Disclosure advisory published this week noted that the vulnerability exists in the way macOS Finder processes .inetloc files.
Apple-specific .inetloc files serve as shortcuts to internet locations, such as an RSS feed or a telnet location. They are also used to open documents locally on a Mac within a browser using the "file://" format.
According to researchers, the newly-discovered bug causes inetloc files to run arbitrary commands without first prompting the user.
In an exploit scenario, an attacker could specially craft inetloc file to contain malicious commands. These files can then be included in an email message as attachments which, if clicked, will run the embedded malicious code locally.
The bug was found by independent cybersecurity researcher Park Minchan who reported it to SSD.
SSD alerted Apple about the vulnerability, and the company silently patched it without issuing a CVE identification number.
However, the fix was flawed, as it partially addressed the issue and failed to provide complete protection, according to researchers.
They noted that the bug can still be exploited by using a mangled value, like FiLe:// in the file's execution routine.
'Newer versions of macOS (from Big Sur) have blocked the file:// prefix (in the com.apple.generic-internet-location), however they did a case matching causing File:// or fIle:// to bypass the check,' the SSD advisory added.
It is unclear if the zero-day has been used in the wild, but it is evident that malicious actors would try to leverage the vulnerability in coming days to deliver malicious payloads to Mac users.
Apple security update iOS 12.5.5
This week, Apple also released an urgent software update iOS 12.5.5 to fix bugs on older iPhones, iPads, and iPod touch models. The company said that iOS 12.5.5 provides important security updates and improvements, and 'is recommended for all users'.
According to Apple, the new security updates in iOS 12.5.5 include fixes for CVE-2021-30858 (WebKit issue), CVE-2021-30860 (CoreGraphics issue), and CVE-2021-30869 (XMU issue).
iOS 12.5.5 is available for the iPad mini 2, iPad mini 3, and iPad Air, as well as the iPhone 5s, iPhone 6, iPhone 6 Plus and 6th gen iPod touch. All these devices have been dropped from support with iOS 13, although Apple has continued to provide important security updates for them. In June, Apple released iOS 12.4 with fixes for WebKit vulnerabilities and a variety of other issues.
The iPhone maker has had its share of security bugs, including zero days, this year.
In July, the company released an updated version of the iOS mobile operating system which patched a security vulnerability, indexed as CVE-2021-30807, under active attack.
Earlier this month, Apple released a suite of new updates for iOS, watchOS and macOS to fix a critical bug that was exploited by notorious spyware NSO Pegasus to spy on a Saudi activist.