Every Mac can be hacked by this new flaw, and there's no fix yet

News
By published

Malicious code in a certain kind of file activates without warning

MacBook Pro 2021
(Image credit: Future)

A newly disclosed flaw lets attackers hijack fully updated Macs simply by putting certain kinds of URLs in an email attachment.

The flaw, reported earlier by Bleeping Computer, abuses the handling of "inetloc" files, a Mac file format that contains a link to an internet location such as a website or other server.

Independent security researcher Park Minchan found that prefacing a link in an inetloc file with "file://" instead of "http://" or "https://" made it possible to run arbitrary code on — i.e. hack — any Mac running fully updated macOS 11.6 Big Sur. (The "file://" prefix specifies a file on the local PC.)

"These files can be embedded inside emails which, if the user clicks on them, will execute the commands embedded inside them without providing a prompt or warning to the user," said an unsigned  posting today (Sept. 21) on the SSD-Disclosure bug-reporting website.

Apple did apparently patch the flaw so that "file://" can no longer be abused using this flaw. However, Park found that switching up the letter cases so that the prefix read "File://" or "fIle://" still worked. (URLs are generally case-insensitive, so "hTTpS://tomsGUIde.coM" will work just as well as "https://tomsguide.com".)

This might look like a zero-day flaw, yet it's more like a flaw that Apple knew about but didn't properly patch. Tom's Guide has sent an email to Apple seeking comment but hasn't yet received a response.

"We have notified Apple that FiLe:// (just mangling the value) doesn't appear to be blocked, but have not received any response from them since the report has been made," said the SSD-Disclosure posting. "As far as we know, at the moment, the vulnerability has not been patched."

How you can avoid this

Bleeping Computer tried out the eight-line proof-of-concept exploit provided at the end of the posting and confirmed that it did indeed work on macOS Big Sur. Tom's Guide has not had a chance to try out the exploit.

For now, the only way to avoid this kind of attack is to not open email attachments you don't expect. As of this writing, none of the antivirus malware-detection engines on VirusTotal flagged the proof-of-concept code as malicious.

See more Computing News
TOPICS
Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Read more
A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.
Mac and iPhone users beware — Apple processors can be exploited to steal sensitive information
MacBook Pro 2021 (16-inch) on a patio table
Macs under attack from dangerous malware targeting digital wallets and Apple’s Notes app — how to stay safe
Malware
New macOS malware uses Apple's own code to quietly steal credentials and personal data — how to stay safe
MacBook Pro 16-inch 2021 sitting on a patio table
Critical macOS flaw puts your data and cameras at risk — update right now
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
Find My iPhone
Apple Find My hack turns any Bluetooth device into a secret AirTag — what we know
Latest in Online Security
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
A man filing his taxes electronically on a laptop
AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
Hacker using a stolen social security card
Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Latest in News
Ray-Ban Meta Smart Glasses
Samsung’s smart glasses could arrive before the end of the year — what we know
Galaxy S25 Ultra Now brief
Samsung’s Personal Data Engine is a big addition to the Galaxy S25 — here’s why
Apple Watch Series 10
Future Apple Watch models could get a surprising new feature — what we know
NYTimes Connections
NYT Connections today hints and answers — Monday, March 24 (#652)
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #386 (Monday, March 24 2025)
iPhone 16 Pro vs iPhone 16 Pro Max in hand showing displays
Forget iPhone 17 — iPhone 18 could get this huge upgrade
More about online security
A man filing his taxes electronically on a laptop

AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
Hacker using a stolen social security card

Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
AirPods 4 on a wooden table with the Amazon Spring Sale Deals badge

Don't miss! AirPods crash to their lowest price with massive 22% discount in the Amazon Spring Sale
See more latest
1 Comment Comment from the forums
  • EasyGoing1
    Hard to really call this an "exploit" seeing as how the user would have to deliberately download the attachment, then click on the link to run it. And if they do, then I consider any damage done to be their own fault. Main thing to take away from this article is ALWAYS make sure you have your data backed up in at least two places ... TimeMachine and a cloud based service.
    Reply
Most Popular
Magician David Blaine covered in bees in a scene from his new TV series, David Blaine: Do Not Attempt 2025
How to watch 'David Blaine: Do Not Attempt' online from anywhere
Ray-Ban Meta Smart Glasses
Samsung’s smart glasses could arrive before the end of the year — what we know
Galaxy S25 Ultra Now brief
Samsung’s Personal Data Engine is a big addition to the Galaxy S25 — here’s why
Parker Posey in Party Girl
We’re in the midst of a Parker Posey renaissance — which means you should watch this cult classic on Hulu
Garrett (Sebastian De Souza) and Alex (Sofia Carson) (L-R) holding hands in Netflix's "The Life List"
I watch Netflix for a living — these are the 5 new shows and movies to stream this week (March 24-30)
Bosch: Legacy; Survival of the Thickest; The Studio
7 top new TV shows to stream this week on Netflix, Apple TV and more (March 24-30)
NYTimes Connections
NYT Connections today hints and answers — Monday, March 24 (#652)
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #386 (Monday, March 24 2025)
Apple Watch Series 10
Future Apple Watch models could get a surprising new feature — what we know
The new Husqvarna iQ series robot lawn mower.
Husqvarna’s new robot mowers offer GPS for less