Security researchers today disclosed a new vulnerability in Apple's macOS Finder that makes it possible for attackers to run arbitrary commands on Macs running any macOS version up to the latest release, Big Sur. Zero-days are publicly disclosed flaws that the vendor has not yet patched and that, in some cases, are also actively exploited by attackers or have publicly available proof-of-concept exploits.
The bug, found by independent security researcher Park Minchan, is due to the way macOS processes inetloc files, which inadvertently causes it to run any commands an attacker has embedded inside them, without any warnings or prompts.
On macOS, Internet location files with .inetloc extensions are system-wide bookmarks that can be used to open online resources (news://, ftp://, afp://) or local files (file://).
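As a defensive illustration (an added example, not code from the advisory or from Apple), the following triage routine inspects `.inetloc` files received from outside, for instance as attachments, and flags any that do not point at one of the online schemes listed above. It assumes the usual layout of an `.inetloc` file, a property list with a single `URL` key; the allow-list policy, function names and sample files are constructed for this example.

```python
import plistlib
from urllib.parse import urlsplit

# Online schemes named in the article; using them as the allow-list is this example's assumption.
REMOTE_SCHEMES = {"news", "ftp", "afp"}

def classify_inetloc(data: bytes) -> str:
    """Classify .inetloc content as 'remote', 'local', 'other' or 'malformed'."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return "malformed"          # not a parseable property list
    url = plist.get("URL") if isinstance(plist, dict) else None
    if not isinstance(url, str):
        return "malformed"          # no URL string to inspect
    # URL schemes are case-insensitive, so normalise before comparing.
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme == "file":
        return "local"
    return "remote" if scheme in REMOTE_SCHEMES else "other"

def quarantine_list(attachments: dict) -> list:
    """Return names of .inetloc files that do not point at an allowed online scheme."""
    flagged = []
    for name, data in attachments.items():
        if name.lower().endswith(".inetloc") and classify_inetloc(data) != "remote":
            flagged.append(name)
    return sorted(flagged)

def make_sample(url: str) -> bytes:
    """Build a constructed .inetloc body (XML plist with a single URL key)."""
    return plistlib.dumps({"URL": url})

# Constructed attachments for demonstration; none come from the advisory.
SAMPLES = {
    "mirror.inetloc": make_sample("ftp://files.example.com/pub/"),
    "notes.inetloc": make_sample("file:///Users/Shared/notes.txt"),
    "Report.INETLOC": make_sample("File:///Users/Shared/report.txt"),
    "broken.inetloc": b"not a plist",
    "readme.txt": b"plain text, ignored",
}

if __name__ == "__main__":
    for name in quarantine_list(SAMPLES):
        print("quarantine:", name)
```

Unparseable files are flagged rather than passed, so a shortcut the filter cannot read is never delivered by default.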
"A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands," an SSD Secure Disclosure advisory published today revealed.
"These files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user."