While macOS is a very secure operating system, malware can get through, especially if users are opening unsafe or unknown files. One such vulnerability was recently discovered that could allow an attacker to control a Mac running any macOS version up to Big Sur simply by clicking on an email attachment.
Researcher Park Minchan (via Bleeping Computer) found that files that have the inetloc extension can be used to exploit a vulnerability in the macOS Finder. In a blog post on SSD Secure Disclosure, Minchan reports that inetoc files “can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user.” As SSD Secure Disclosure explains, if the inetloc file is attached to an email, opening the attachment “will trigger the vulnerability without warning.”
Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or a telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; can be created by typing a URL in a text editor and dragging the text to the Desktop.
According to Minchan, Apple attempted to previously fix the issue in Big Sur, but it doesn’t appear to have fully plugged the hole. Apple blocked the file:// prefix to stop this from happening, but he says an attacker can simply modify the prefix so it is not case matched —for example, File:// is not blocked. Apple has not responded to inquiries regarding the vulnerability nor has it posted information related to the initial security update.
This is a good opportunity to remind users to not open message attachments from unknown sources—and to be especially cautious when opening attachments that have been forwarded to you by an unknown source.