macOS has an unpatched Finder vulnerability that hackers can use to run arbitrary commands

Apple makes much of the security of its products, but vulnerabilities are certainly not unknown. SSD Secure Disclosure has revealed details of a zero-day flaw affecting Finder in macOS. It can be exploited to run arbitrary commands without displaying any messages, prompts or warnings.

The vulnerability was discovered by independent security researcher Park Minchan, and it is present in macOS Big Sur and earlier. The flaw relates to the way macOS processes .inetloc (internet location) files and Apple has made a poor, easily circumvented attempt to fix it in the most recent version of its Mac operating system.

In a write-up about the flaw, SSD Secure Disclosure warns that the security flaw "allows remote attackers to trick users into running arbitrary commands".

The disclosure site writes: "A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user".

What is interesting is that Apple apparently tried to fix the problem, but not only failed to assign it a CVE, but also implemented a fix that is very easy to get around as SSD Secure Disclosure explains:

The vendor has been notified us that file:// has been silently patched the vulnerability in Big Sur and has not assigned it a CVE. We have notified Apple that FiLe:// (just mangling the value) doesn’t appear to be blocked, but have not received any response from them since the report has been made. As far as we know, at the moment, the vulnerability has not been patched.

The video below shows a demonstration of an attack in action: