Even fully updated Macs can be hacked – what you need to know


A recently revealed flaw allows attackers to hijack fully updated Macs simply by putting certain types of URLs in an email attachment.

The flaw, reported earlier by Bleeping Computer, abuses the handling of “inetloc” files, a Mac file format that contains a link to an Internet location such as a website or other server.

Independent security researcher Park Minchan discovered that preceding a link in an inetloc file with “file://” instead of “http://” or “https://” allowed arbitrary code execution on, in other words the hacking of, any fully updated Mac running macOS 11.6 Big Sur. (The “file://” prefix specifies a file on the local machine.)

“These files can be embedded in emails which, if the user clicks on them, will execute the commands embedded in them without providing a prompt or warning to the user,” an unsigned article posted today (September 21) on the SSD-Disclosure bug reporting site said.

Apple apparently fixed the flaw so that “file://” can no longer be abused this way. However, Park found that simply changing the letter case of the prefix (for example “File://”) still worked. (URL schemes and host names are case insensitive, so “hTTpS://tomsGUIde.coM” works just as well as “https://tomsguide.com”.)
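As an added illustration, not code from the article, from Apple or from the researcher: a case-sensitive prefix check of the kind a case variant slips past, next to a scheme comparison that treats the scheme as case insensitive, as a mail gateway or attachment scanner would want. The sample inetloc file is constructed, and its layout as a property list with a single “URL” key is an assumption about the format.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample .inetloc attachment. The property-list layout with one
# top-level "URL" key is an assumption about the format, not taken from the article.
SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>FiLe:///tmp/constructed-example</string>
</dict>
</plist>
"""

# Only plain web links are accepted; everything else is held for review.
SAFE_SCHEMES = {"http", "https"}


def make_inetloc(url: str) -> bytes:
    """Build a sample inetloc plist around a URL (same assumed layout as above)."""
    return plistlib.dumps({"URL": url})


def inetloc_url(data: bytes) -> str:
    """Return the URL stored in an inetloc plist (assumes a top-level "URL" key)."""
    return str(plistlib.loads(data)["URL"])


def naive_is_local(url: str) -> bool:
    """Case-sensitive prefix test: "FiLe://" is not matched, so it gets through."""
    return url.startswith("file://")


def robust_is_local(url: str) -> bool:
    """Compare the scheme case-insensitively; urlsplit() already lowercases it,
    and the explicit lower() documents that the comparison must not be case-bound."""
    return urlsplit(url.strip()).scheme.lower() == "file"


def should_quarantine(data: bytes) -> bool:
    """Allow-list decision: unparsable files or non-web schemes are quarantined."""
    try:
        scheme = urlsplit(inetloc_url(data).strip()).scheme.lower()
    except Exception:  # malformed plist or missing key: treat as suspicious
        return True
    return scheme not in SAFE_SCHEMES
```

The allow-list form is the important part: blocking one spelling of a single scheme invites exactly the kind of variant the article describes, whereas accepting only the schemes a link file legitimately needs does not.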

It may look like a zero-day flaw, but it’s more of a flaw that Apple knew of but did not properly fix. Tom’s Guide has emailed Apple asking for comment, but has yet to receive a response.

“We have informed Apple that FiLe:// (just change the value) does not appear to be blocked, but we have not received any response from them since the report was made,” the SSD-Disclosure publication said. “As far as we know, at this time, the vulnerability has not been addressed.”

How can you avoid this?

Bleeping Computer tried the eight-line proof-of-concept exploit provided at the end of the post and confirmed that it works on macOS Big Sur. Tom’s Guide has not had the opportunity to try the exploit.

For now, the only way to avoid this type of attack is not to open email attachments you aren’t expecting. At the time of this writing, none of the anti-virus engines on VirusTotal flagged the proof-of-concept code as malicious.
