Mac shortcut bug can take over machine; Apple patch unsuccessful

A Mac shortcut bug can enable an attacker to take over your machine when you open an email, using nothing more than a standard internet shortcut file.

Apple claims to have patched the bug in Big Sur and Monterey, but the security researcher who discovered the issue says that this is only partly true.

Arstechnica explains how it works.

A code execution bug in Apple’s macOS allows remote attackers to run arbitrary commands on your device. And the worst part is, Apple hasn’t fully patched it yet, as tested by Ars.

Independent security researcher Park Minchan has discovered a vulnerability in the macOS that lets threat actors execute commands on your computer. Shortcut files that have the inetloc extension are capable of embedding commands inside. The flaw impacts macOS Big Sur and prior versions.

“A vulnerability in the way macOS processes inetloc files causes it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning / prompts,” explains Minchan. “Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or a telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; can be created by typing a URL in a text editor and dragging the text to the Desktop” […]

Internet shortcuts are present in both Windows and macOS systems. But this specific bug adversely impacts macOS users, especially those who use a native email client like the “Mail” app.

For example, opening an email that contains an inetloc attachment via the “Mail” app will trigger the vulnerability without warning. 

Minchan explains more, for those not familiar with this type of internet shortcut.

Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or a telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; can be created by typing a URL in a text editor and dragging the text to the Desktop.

The case here inetloc is referring to a file:// “protocol” which allows running locally (on the user’s computer) stored files.

Minchan warned Apple about the vulnerability, and the company issued a patch. However, the patch turns out to be case-sensitive, so it successfully blocks URLs beginning file:// but not mixed-case ones (which run in exactly the same way) like FiLe://.

The vendor has been notified us that file:// has been silently patched the vulnerability in Big Sur and has not assigned it a CVE. We have notified Apple that FiLe:// (just mangling the value) doesn’t appear to be blocked, but have not received any response from them since the report has been made. As far as we know, at the moment, the vulnerability has not been patched.

Ars verified this on a patched machine, using a demo that opens the Calculator app.

FTC: We use income earning auto affiliate links. More.