Security researchers have published a new zero-day bug in Apple’s macOS Finder system. This could allow a malicious attacker to execute arbitrary commands on a Mac running all versions of macOS, including the latest Big Sur edition.
The SSD Secure Disclosure Advisory released this week pointed out that there is a vulnerability in the way macOS Finder handles it. .inetloc File.
Apple specific .inetloc The file acts as a shortcut to an internet location such as an RSS feed or Telnet location. It is also used to open a document locally on a Mac in a browser using the “file: //” format.
Causes of newly discovered bugs, according to researchers inetloc A file that first executes an arbitrary command without displaying the prompt to the user.
In exploit scenarios, attackers may create special inetloc A file containing malicious commands. These files can be included in email messages as attachments, which, when clicked, execute the embedded malicious code locally.
This bug was discovered by Park Minchan, an independent cybersecurity researcher who reported to SSDs.
SSD warned Apple about the vulnerability, and the company applied a silent patch without issuing a CVE identification number.
However, according to researchers, the fix was flawed because it partially addressed the issue and failed to provide full protection.
They pointed out that using mangled values, such as FiLe: // in the file execution routine, could exploit the bug.
‘The new version of macOS (from Big Sur) blocked the file: // prefix (in com.apple.generic-internet-location), but due to case matching, File: // or fIle: // “Bypassed Check” and SSD Advisory have been added.
It’s unclear if zero-days are actually being used, but it’s clear that malicious attackers will use the vulnerability to deliver malicious payloads to Mac users in the coming days.
Apple Security Update iOS 12.5.5
This week, Apple also released an emergency software update, iOS 12.5.5, to fix bugs on older iPhone, iPad, and iPod touch models. According to the company, iOS 12.5.5 offers important security updates and improvements and is “recommended for all users.”
According to Apple, the new security update for iOS 12.5.5 fixes CVE-2021-30858 (WebKit issue), CVE-2021-30860 (CoreGraphics issue), and CVE-2021-30869 (XMU issue). is included.
iOS 12.5.5 is available on iPad mini 2, iPad mini 3, iPad Air, iPhone 5s, iPhone 6, iPhone 6 Plus, and 6th generation iPod touch. All of these devices have been removed from support for iOS 13, but Apple continues to provide important security updates. In June, Apple released iOS 12.4, which fixed WebKit vulnerabilities and various other issues.
iPhone makers have a share of security bugs this year, including zero-day attacks.
In July, the company released an updated version of the iOS mobile operating system. It is a patch of a security vulnerability indexed as CVE-2021-30807 under active attack.
Earlier this month, Apple released a series of new updates for iOS, watchOS, and macOS that fixed a critical bug that the infamous spyware NSOPegasus exploited to spy on Saudi activists.
New macOS zero-day vulnerability allows cyber attackers to execute arbitrary commands
Source link New macOS zero-day vulnerability allows cyber attackers to execute arbitrary commands