A new Zero Day vulnerability in macOS has been discovered. The flaw impacts all macOS versions up to the latest release Big Sur. The bug was found by Park Minchan an independent security researcher and is tied to the way that macOS processes inteloc files. The processing methodology allows an attacker to embed malicious commands which the system will execute without any warnings or prompts visible to the user of the targeted machine.
Interloc is short for "internet location files" and have the extension "*.interloc"
A recently published SSD Secure Disclosure advisory had this to say about the newly discovered flaw:
"A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands. These files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user."
In this particular instance Apple botched the fix quietly patching the issue without assigning it a CVE identification number.
Unfortunately the fix was only partial and at present the bug can still be exploited in some instances as described below:
"Newer versions of macOS (from Big Sur) have blocked the file:// prefix (in the com.apple.generic-internet-location) however they did a case matching causing File:// or fIle:// to bypass the check. We have notified Apple that FiLe:// (just mangling the value) doesn't appear to be blocked, but have not received any response from them since the report has been made. As far as we know, at the moment, the vulnerability has not been patched."
Park Minchan developed a proof of concept that demonstrates how the bug could be exploited but to date no threat actors have been discovered exploiting the flaw in the wild. It is just a matter of time however. A flaw like this represents a serious weakness in the security of the OS.
Be aware that the easiest way to exploit the bug is via malicious links embedded in emails so make sure your employees are aware of the risks.