Skip to main content

Mac shortcut bug can take over machine; Apple patch unsuccessful

A Mac shortcut bug can enable an attacker to take over your machine when you open an email, using nothing more than a standard internet shortcut file.

Apple claims to have patched the bug in Big Sur and Monterey, but the security researcher who discovered the issue says that this is only partly true.

Arstechnica explains how it works.

A code execution bug in Apple’s macOS allows remote attackers to run arbitrary commands on your device. And the worst part is, Apple hasn’t fully patched it yet, as tested by Ars.

Independent security researcher Park Minchan has discovered a vulnerability in the macOS that lets threat actors execute commands on your computer. Shortcut files that have the inetloc extension are capable of embedding commands inside. The flaw impacts macOS Big Sur and prior versions.

“A vulnerability in the way macOS processes inetloc files causes it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning / prompts,” explains Minchan. “Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or a telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; can be created by typing a URL in a text editor and dragging the text to the Desktop” […]

Internet shortcuts are present in both Windows and macOS systems. But this specific bug adversely impacts macOS users, especially those who use a native email client like the “Mail” app.

For example, opening an email that contains an inetloc attachment via the “Mail” app will trigger the vulnerability without warning. 

Minchan explains more, for those not familiar with this type of internet shortcut.

Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or a telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; can be created by typing a URL in a text editor and dragging the text to the Desktop.

The case here inetloc is referring to a file:// “protocol” which allows running locally (on the user’s computer) stored files.

Minchan warned Apple about the vulnerability, and the company issued a patch. However, the patch turns out to be case-sensitive, so it successfully blocks URLs beginning file:// but not mixed-case ones (which run in exactly the same way) like FiLe://.

The vendor has been notified us that file:// has been silently patched the vulnerability in Big Sur and has not assigned it a CVE. We have notified Apple that FiLe:// (just mangling the value) doesn’t appear to be blocked, but have not received any response from them since the report has been made. As far as we know, at the moment, the vulnerability has not been patched.

Ars verified this on a patched machine, using a demo that opens the Calculator app.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications