Security researchers have published a new zero-day bug in Apple's macOS Finder. It could allow an attacker to execute arbitrary commands on a Mac running any version of macOS, including the latest edition of Big Sur.
The SSD Secure Disclosure advisory released this week points out that the vulnerability lies in the way macOS Finder handles .inetloc files.
Apple-specific .inetloc files act as shortcuts to an Internet location such as an RSS feed or a Telnet location. They can also open a document stored locally on the Mac in a browser using the "file://" format.
The newly discovered bug, the researchers say, causes a crafted .inetloc file to execute the arbitrary commands embedded in it without displaying any prompt to the user.
In an exploitation scenario, an attacker creates an .inetloc file containing malicious commands. Such files can be delivered as email attachments which, when clicked, execute the embedded malicious code locally.
The bug was discovered by Park Minchan, an independent cybersecurity researcher, who reported it to SSD.
SSD alerted Apple to the vulnerability, and the company applied a silent patch without issuing a CVE ID number.
However, according to the researchers, the fix was flawed: it addressed the issue only partially and did not provide full protection.
They pointed out that the bug could still be exploited by using mangled values such as FiLe:// in the file execution routine.
"Newer versions of macOS (from Big Sur) have blocked the file:// prefix (in com.apple.generic-internet-location), but because the check is case-sensitive, File:// or fIle:// bypasses it," the SSD advisory added.
It is not known whether the zero-day is being exploited in the wild, but malicious actors are likely to use the vulnerability to deliver payloads to Mac users in the coming days.
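The flaw described above is a case-sensitive deny-list. As an added illustration (not code from the advisory or from Apple), the Python below contrasts such a check with a normalised allow-list check that rejects every case variant of the scheme; it assumes an .inetloc body is a property list with a `URL` key and uses a constructed sample file.

```python
import plistlib
from urllib.parse import urlsplit

# Schemes a Finder internet-location shortcut is expected to carry.
# Anything outside this allow-list (including every spelling of "file") is flagged.
ALLOWED_SCHEMES = {"http", "https", "ftp", "feed", "telnet", "ssh"}


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive prefix deny-list of the kind the advisory describes (flawed)."""
    return url.startswith("file://")


def scheme_of(url: str) -> str:
    """Normalised scheme: urlsplit lower-cases it, so 'FiLe://' becomes 'file'."""
    return urlsplit(url.strip()).scheme


def is_blocked(url: str) -> bool:
    """Allow-list check; case variants and leading blanks cannot slip past it."""
    return scheme_of(url) not in ALLOWED_SCHEMES


def flag_inetloc(data: bytes) -> dict:
    """Parse an .inetloc plist and report the URL plus both verdicts."""
    plist = plistlib.loads(data)
    url = plist.get("URL", "")          # assumption: the shortcut target lives under "URL"
    return {
        "url": url,
        "scheme": scheme_of(url),
        "naive_blocked": naive_is_blocked(url),
        "blocked": is_blocked(url),
    }


# Constructed sample .inetloc body using a mixed-case scheme.
SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>URL</key>
  <string>FiLe:///Users/example/notes.txt</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(flag_inetloc(SAMPLE_INETLOC))
```

Running it shows the naive check passing the sample while the normalised check flags it, which is the gap the advisory describes.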
Apple iOS 12.5.5 Security Update
This week, Apple also released an emergency software update, iOS 12.5.5, to fix bugs on older models of iPhone, iPad, and iPod touch. According to the company, iOS 12.5.5 offers significant updates and security enhancements and is “recommended for all users.”
According to Apple, the iOS 12.5.5 security update fixes CVE-2021-30858 (a WebKit issue), CVE-2021-30860 (a CoreGraphics issue), and CVE-2021-30869 (an XNU issue).
iOS 12.5.5 is available on iPad mini 2, iPad mini 3, iPad Air, iPhone 5s, iPhone 6, iPhone 6 Plus, and 6th generation iPod touch. All of these devices have been removed from support for iOS 13, but Apple continues to provide important security updates. In June, Apple released iOS 12.4, which fixed vulnerabilities in WebKit and various other issues.
The iPhone maker has had its share of security bugs this year, including zero-day attacks.
In July, the company released an updated version of its iOS mobile operating system to fix a security vulnerability, tracked as CVE-2021-30807, that was under active attack.
Earlier this month, Apple released a slew of updates for iOS, watchOS, and macOS that fixed a critical bug which NSO Group's infamous Pegasus spyware exploited to spy on Saudi activists.
New macOS zero-day vulnerability allows cyber attackers to execute arbitrary commands