New vulnerability in macOS Finder allows an attacker to remotely execute commands

vulnerability in macOS Finder
Written by Emma Davis

The researcher found a vulnerability in the macOS Finder, which allows an attacker to run commands on Mac computers with any version of macOS (up to the latest version of Big Sur). There is no patch for this problem yet.

The vulnerability was discovered by independent information security expert Park Minchan, and it is related to the way macOS handles .inetloc files (Internet location files). .inetloc files are system-wide bookmarks that can be used to open various network resources (news://, ftp://, afp://) and local files (file://). As a result, these files force the OS to run any commands embedded by the attacker without any warnings or prompts.

Such files can be embedded in emails, which, if the user clicks on them, will execute the inline commands without displaying a prompt or warning.warns SSD Secure Disclosure.

While Apple tried to fix the problem without assigning the CVE ID to the vulnerability, Minchan noted that the company’s patch only partially fixed the problem, and the vulnerability can still be exploited by changing the protocol used to execute inline commands from file:// to FiLe://.

vulnerability in macOS Finder

In newer versions of macOS (Big Sur) the file:// prefix is blocked (in, but due to problems with the File:// or fIle:// case, checks are bypassed. says the expert.

Although Minchan has already informed Apple of his findings, he has not received a response from the company, and the vulnerability has not yet been fixed.

Bleeping Computer has tested a PoC exploit provided by the researcher and confirms that the vulnerability can be used to run arbitrary commands in macOS Big Sur.

It is noted that attackers can abuse this bug, for example, to create malicious email attachments that will launch payloads upon opening.

An .inetloc file with the PoC code was not detected by any of the antimalware engines on VirusTotal which means that macOS users potentially targeted by threat actors using this attack method won’t be protected by security software.Bleeping Computer writes.

Let me remind you that we recently reported that on the day of the release of iOS 15, expert showed how to bypass the lock screen.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply