Finder Vulnerability in all macOS Versions Allows Code Execution

Security researchers chimed in with a newly discovered vulnerability in macOS. The issue affects all macOS versions, up to and including the most current Big Sur release.

The vulnerability in question is related to the Finder component of the Apple OS. Finder is the system GUI component of Macs that handles files, app launching and the management of drives, a bit similar to how Explorer works on Windows systems.

The vulnerability affects the way Finder handles Apple-specific .inetloc files. Those are similar to web shortcut files used on Windows machines and are usually used to link to sites and services, such as RSS feeds. Another functionality of the .inetloc files is the ability to link to local documents stored on system drives, by swapping the http:// component with file://.

Security researchers discovered that malicious actors could create doctored files to be used as attachments in malspam emails. Upon being convinced to open such a file, the victim would allow quiet code execution on their system, enabled by commands embedded in the malicious .inetloc file.

After the issue was originally discovered and reported through the SSD Secure Disclosure service, Apple were quick to issue a hotfix, even though the company chose not to file a CVE entry for the vulnerability. The thing is, according to security researchers, the patch did not take care of the problem, due to the way the fix was implemented.

The patch handled the vulnerability using case-sensitive matching, which means that while the string 'file://' would no longer work, capitalizing any of the letters of the word "file" would still enable malicious use.

There is no hard information about whether this vulnerability has already been exploited in the wild. Security news outlet ThreatPost also stated that they did not receive a reply from Apple when contacting them about the issue, which is, as of the time of this writing, still unpatched and affecting virtually all versions of macOS that are currently in use.

September 23, 2021