Every Mac can be hacked by this new flaw, and there's no fix yet
Malicious code in a certain kind of file activates without warning
A newly disclosed flaw lets attackers hijack fully updated Macs simply by putting certain kinds of URLs in an email attachment.
The flaw, reported earlier by Bleeping Computer, abuses the handling of "inetloc" files, a Mac file format that contains a link to an internet location such as a website or other server.
- Thousands of Netgear routers can be hacked — here's what to do
- The best Mac antivirus software
- Plus: iPhone 13 Pro review: One of the best phones ever
Independent security researcher Park Minchan found that prefacing a link in an inetloc file with "file://" instead of "http://" or "https://" made it possible to run arbitrary code on — i.e. hack — any Mac running fully updated macOS 11.6 Big Sur. (The "file://" prefix specifies a file on the local PC.)
"These files can be embedded inside emails which, if the user clicks on them, will execute the commands embedded inside them without providing a prompt or warning to the user," said an unsigned posting today (Sept. 21) on the SSD-Disclosure bug-reporting website.
Apple did apparently patch the flaw so that "file://" can no longer be abused using this flaw. However, Park found that switching up the letter cases so that the prefix read "File://" or "fIle://" still worked. (URLs are generally case-insensitive, so "hTTpS://tomsGUIde.coM" will work just as well as "https://tomsguide.com".)
This might look like a zero-day flaw, yet it's more like a flaw that Apple knew about but didn't properly patch. Tom's Guide has sent an email to Apple seeking comment but hasn't yet received a response.
"We have notified Apple that FiLe:// (just mangling the value) doesn't appear to be blocked, but have not received any response from them since the report has been made," said the SSD-Disclosure posting. "As far as we know, at the moment, the vulnerability has not been patched."
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
How you can avoid this
Bleeping Computer tried out the eight-line proof-of-concept exploit provided at the end of the posting and confirmed that it did indeed work on macOS Big Sur. Tom's Guide has not had a chance to try out the exploit.
For now, the only way to avoid this kind of attack is to not open email attachments you don't expect. As of this writing, none of the antivirus malware-detection engines on VirusTotal flagged the proof-of-concept code as malicious.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
-
EasyGoing1 Hard to really call this an "exploit" seeing as how the user would have to deliberately download the attachment, then click on the link to run it. And if they do, then I consider any damage done to be their own fault. Main thing to take away from this article is ALWAYS make sure you have your data backed up in at least two places ... TimeMachine and a cloud based service.Reply