Security researchers have published a new zero-day bug in Apple’s macOS Finder system. This could allow a malicious attacker to execute arbitrary commands on Macs running all versions of macOS, including the latest Big Sur version.
The SSD Secure Disclosure advisory released this week reported that there is a vulnerability in the way macOS Finder handles it. .inetloc file.
apple specific .inetloc The file acts as a shortcut to an Internet location such as an RSS feed or Telnet location. It is also used to open a document locally on a Mac in a browser using the “file://” format.
Due to newly discovered bugs, according to researchers inetloc A file that executes an arbitrary command without first displaying a prompt to the user.
In exploit scenarios, attackers can create special inetloc File containing malicious commands. These files can be included in email messages as attachments which, when clicked, execute the embedded malicious code locally.
The bug was discovered by Park Minchen, an independent cybersecurity researcher who reported to SSD.
SSD warned Apple about the vulnerability, and the company applied a silent patch without issuing a CVE identification number.
However, according to the researchers, the fix was flawed as it partially addressed the issue and failed to provide full protection.
He pointed out that using tangled values in file execution routines, such as FiLe://, could exploit bugs.
‘ Newer versions of macOS (from Big Sur) blocked the file:// prefix (in com.apple.generic-internet-location), but because of case matching, file:// or fIle://” bypasses Check” and SSD advisory has been added.
It’s not clear exactly what zero-days are being used, but it is clear that malicious attackers will use the vulnerability to distribute malicious payloads to Mac users in the coming days.
Apple Security Update iOS 12.5.5
This week, Apple also released iOS 12.5.5, an emergency software update to fix bugs on older iPhone, iPad, and iPod touch models. According to the company, iOS 12.5.5 offers important security updates and improvements and is “recommended for all users”.
According to Apple, the new security update for iOS 12.5.5 fixes CVE-2021-30858 (WebKit issue), CVE-2021-30860 (CoreGraphics issue), and CVE-2021-30869 (XMU issue). is included.
iOS 12.5.5 is available on the iPad mini 2, iPad mini 3, iPad Air, iPhone 5S, iPhone 6, iPhone 6 Plus and the sixth generation iPod touch. All of these devices have been removed from support for iOS 13, but Apple continues to provide important security updates. In June, Apple released iOS 12.4, which fixed WebKit vulnerabilities and several other issues.
iPhone makers have had their share of security bugs this year, including zero-day attacks.
In July, the company released an updated version of the iOS mobile operating system. This is a patch of security vulnerability indexed as CVE-2021-30807 under active attack.
Earlier this month, Apple released a series of new updates for iOS, watchOS and macOS that fixed a critical bug that the infamous spyware Nsopegasus exploited to spy on Saudi activists.
New macOS zero-day vulnerability allows cyber attackers to execute arbitrary commands
Source link New macOS zero-day vulnerability allows cyber attackers to execute arbitrary commands