Apple recently patched a critical macOS vulnerability that lets attackers run arbitrary code through email attachments. Unfortunately, the patch is sloppy and trivially bypassed. Mac owners should avoid opening email attachments with the .inetloc extension until Apple ships a proper fix.
Internet shortcut files, called inetloc files on macOS, are meant to point users at web pages. You can create one by dragging a URL onto your desktop, for example. But due to a bug in macOS, attackers can embed commands in an inetloc file, and those commands run without warning when the file is opened, which makes it an easy way to attack macOS users via email.
Building the exploit requires little technical skill. Inetloc files contain URLs, which normally start with http:// or https://. But an oversight on Apple's part lets an inetloc file point at a file:// location on the local system instead, and macOS will open whatever that location refers to. A single line in an inetloc file could therefore let an attacker run malicious software or a payload on your system.
Researcher Park Minchan discovered the flaw earlier this week, and Apple quickly released a patch after it was reported through SSD Secure Disclosure, although several technical outlets and security experts find the fix insufficient.
As Ars Technica reports, Apple's emergency patch prevents macOS from running inetloc files whose URL starts with the file:// prefix. But the check is case sensitive: capitalizing any letter in file:// (File://, for example) bypasses the fix entirely.
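To make the file:// problem and the case-sensitivity bypass concrete, here is an added example that is not from the article, from Apple, or from the original proof of concept. It builds three constructed .inetloc attachments (an inetloc file is an XML property list whose URL key holds the shortcut target; the local path used below is hypothetical), shows why a case-sensitive prefix test of the kind described above misses a mixed-case scheme, and then applies the check a mail gateway or scanner should use instead. The final function goes a step beyond the patch described above: rather than denying one scheme, it allows only http and https.

```python
import plistlib
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# Constructed sample .inetloc attachments (not taken from the article or the
# original proof of concept). The local application path is hypothetical.
_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>%s</string>
</dict>
</plist>
"""

WEB_SHORTCUT = _TEMPLATE % b"https://example.com/"
LOCAL_SHORTCUT = _TEMPLATE % b"file:///Applications/SomeApp.app"
MIXED_CASE_SHORTCUT = _TEMPLATE % b"FiLe:///Applications/SomeApp.app"


def inetloc_url(data: bytes) -> str:
    """Return the URL stored in an .inetloc plist, or "" if there is none."""
    plist = plistlib.loads(data)
    if not isinstance(plist, dict):
        return ""
    return str(plist.get("URL", "")).strip()


def naive_is_local(url: str) -> bool:
    """A case-sensitive prefix test like the one the article describes.

    "File://" or "FILE://" pass straight through even though the URL scheme
    is matched case-insensitively when the file is opened.
    """
    return url.startswith("file://")


def is_local(url: str) -> bool:
    """Parse the scheme and compare it case-insensitively.

    URL schemes are case-insensitive (RFC 3986), so "file", "File" and
    "FILE" are the same scheme and all must be treated as local.
    """
    return urlsplit(url).scheme.lower() == "file"


def scan_attachment(data: bytes) -> str:
    """Gateway-style verdict for an .inetloc attachment: "allow" or "block".

    Allowlist rather than denylist: only http and https shortcuts are
    allowed, so file:// in any capitalization, any other scheme, and any
    file that does not parse as a plist are all blocked.
    """
    try:
        url = inetloc_url(data)
    except (plistlib.InvalidFileException, ValueError, ExpatError):
        return "block"
    if not url:
        return "block"
    return "allow" if urlsplit(url).scheme.lower() in ("http", "https") else "block"


if __name__ == "__main__":
    samples = (("web", WEB_SHORTCUT), ("file://", LOCAL_SHORTCUT), ("FiLe://", MIXED_CASE_SHORTCUT))
    for label, sample in samples:
        url = inetloc_url(sample)
        print(f"{label:8} naive_is_local={naive_is_local(url)} is_local={is_local(url)} "
              f"verdict={scan_attachment(sample)}")
```

Running the script shows the gap directly: naive_is_local flags the lowercase file:// shortcut but not the FiLe:// one, while the parsed, case-insensitive check catches both. The allowlist in scan_attachment is the form to prefer in a mail filter, since it needs no list of dangerous schemes to stay complete.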
This looks like the work of a hobbyist, not Apple. It's the kind of fix you'd expect from an intern at a small business, and frankly it's a worrying sign that Apple isn't taking security as seriously as it claims. Perhaps that's why we haven't seen the "what happens on your iPhone stays on your iPhone" billboard in a while.