Do not open any email attachments until you have finished reading this.
A security researcher found that Apple has only partially fixed a security flaw affecting all versions of macOS. The company tried to fix the problem silently but failed to do so, leaving millions of Macs open to code execution from a crafted file, with no warning or prompt shown to the user.
Apple has been doing a good job of patching various macOS security vulnerabilities as of late, but there’s at least one that is proving harder to fix than the Cupertino giant had anticipated.
According to independent researcher Park Minchan, the zero-day flaw is present in all versions of macOS, including macOS Big Sur, and allows a malicious actor to run arbitrary commands on the target Mac by sending a small, specially crafted file as an email attachment, whether the message is received via Apple Mail or any other email app.
Minchan says this is possible due to a bug in how macOS handles Internet location (.inetloc) files, which causes it to run any commands embedded inside. Normally, these are system-wide bookmarks used to open online resources or local files, but in this case they can be used by an attacker to execute malicious code on the target Mac without any warning or prompt being displayed to the user.
This is accomplished by replacing the link inside the inetloc file with one that starts with “file:/”, so that the bookmark points at a local file instead of a web address; the exploit then fires as soon as the user opens the file, a single click. Apple attempted to patch the flaw in macOS Big Sur, but it did so silently, without assigning a CVE, and the fix only blocks the exact spelling “file:/”: the check is case-sensitive, so “File:/” or “fIle:/” (the same prefix with a different letter case) works just as well as “file:/”.
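As an added illustration, not code from the original report or from Apple, the Python below builds constructed .inetloc files and contrasts two checks: a case-sensitive prefix test of the kind the partial fix appears to use, which lets “File:/” and “fIle:/” through, and a scheme-based test that normalises case and whitespace before deciding. The layout of an .inetloc as a property list with a single “URL” key, the sample paths and every function name are assumptions made for the demonstration.

```python
import plistlib
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# Constructed sample URLs for the demonstration. The local path is a
# placeholder, not a real target.
SAMPLE_URLS = {
    "benign_web": "https://example.com/",
    "lowercase_file": "file:/Applications/Example.app",
    "mixed_case_file": "fIle:/Applications/Example.app",
    "upper_case_file": "FILE:///Applications/Example.app",
    "padded_file": "  File:/Applications/Example.app",
}


def make_inetloc(url: str) -> bytes:
    """Build an .inetloc bookmark: an XML property list whose "URL" key holds
    the location to open (assumed layout, constructed here)."""
    return plistlib.dumps({"URL": url})


# A constructed plist with no URL key, to exercise the error path.
NO_URL_SAMPLE = plistlib.dumps({"Name": "not a bookmark"})


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive prefix test modelled on the partial fix the article
    describes: it catches "file:/" but not "File:/" or "fIle:/"."""
    return url.startswith("file:/")


def scheme_of(url: str) -> str:
    """URL scheme, lower-cased and with surrounding whitespace removed, so
    that letter-case tricks cannot change the verdict."""
    return urlsplit(url.strip()).scheme.lower()


def hardened_is_blocked(url: str) -> bool:
    """Scheme-based test: anything that resolves to the file scheme is a
    local launch, whatever the letter case or number of slashes."""
    return scheme_of(url) == "file"


def scan_inetloc(data: bytes) -> dict:
    """Parse an .inetloc attachment and report whether it points at a local
    file. Unparseable or URL-less files are reported, not silently passed."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return {"url": None, "scheme": None, "local_file": None,
                "error": f"unparseable: {exc!r}"}
    url = plist.get("URL") if isinstance(plist, dict) else None
    if not isinstance(url, str):
        return {"url": None, "scheme": None, "local_file": None,
                "error": "no URL key"}
    return {"url": url, "scheme": scheme_of(url),
            "local_file": hardened_is_blocked(url), "error": None}


def compare_checks() -> dict:
    """Run both checks over the samples; returns name -> (naive, hardened)."""
    return {name: (naive_is_blocked(u), hardened_is_blocked(u))
            for name, u in SAMPLE_URLS.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_checks().items():
        print(f"{name:16s} naive_blocked={naive!s:5s} hardened_blocked={hardened}")
    print(scan_inetloc(make_inetloc(SAMPLE_URLS["mixed_case_file"])))
```

The point of `scheme_of` is that the decision is taken on the parsed scheme, not on a byte-for-byte prefix, which is why mixed case, upper case, a leading space or an extra pair of slashes all land on the same verdict; a mail gateway or endpoint scanner applying `scan_inetloc` to .inetloc attachments would flag every variant the article lists.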
Minchan notified the company about the issue but has yet to hear back. In the meantime, the only mitigation available to users is to refrain from opening email attachments with the “.inetloc” extension.