An unpatched vulnerability in macOS Finder on macOS Big Sur and earlier allows files with the inetloc extension (internet location files, such as RSS feed or telnet locations) to execute arbitrary code on a device. An adversary could embed commands within such a file and trick end users into opening it (whereupon it executes without any warning to the user), for example via email, one of the most popular attack vectors.
According to the security researcher who discovered the vulnerability, Apple already blocked the “file://” prefix in Big Sur; however, other variations, such as “fiLe://”, still allow remote code execution (RCE). No remediation steps or patch information have been published as of yet.
At this time, AV products likely will not block execution, so don’t count on that. A layered defense strategy is important for identifying potentially anomalous behavior if a user opens a malicious file.
macOS Big Sur and earlier versions are affected by the vulnerability.
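Added example (not from the original post or from Automox): a small Python scanner for .inetloc files, which it assumes are property lists carrying a URL key, showing why a case-sensitive block on “file://” misses “fiLe://” and how normalising the URL scheme before comparing closes that gap. The sample files and the placeholder path are constructed.

```python
import plistlib
import re
from typing import Dict, Optional

# RFC 3986 scheme: a letter, then letters/digits/+/-/.; schemes compare
# case-insensitively, which a literal "file://" string match forgets.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def make_inetloc(url: str) -> bytes:
    """Build a constructed .inetloc body: an XML property list with a URL
    key (the layout assumed here)."""
    return plistlib.dumps({"URL": url}, fmt=plistlib.FMT_XML)

# Constructed samples; the fiLe path is a placeholder, not a real target.
SAMPLES: Dict[str, bytes] = {
    "feed.inetloc": make_inetloc("feed://example.com/rss"),
    "odd.inetloc": make_inetloc("fiLe:///placeholder/path"),
    "broken.inetloc": b"not a property list",
}

def extract_url(data: bytes) -> Optional[str]:
    """Return the URL string from an .inetloc plist, or None if unparsable."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return None
    url = plist.get("URL") if isinstance(plist, dict) else None
    return url if isinstance(url, str) else None

def naive_is_blocked(url: str) -> bool:
    """Case-sensitive prefix match: rejects file:// but lets fiLe:// through."""
    return url.startswith("file://")

def hardened_is_blocked(url: str, blocked=("file",)) -> bool:
    """Parse the scheme and lower-case it before comparing."""
    m = SCHEME_RE.match(url.strip())
    return m is not None and m.group(1).lower() in blocked

def scan(samples: Dict[str, bytes]) -> Dict[str, dict]:
    """Per file: URL found and each check's verdict; unparsable files are
    flagged for review rather than silently passed."""
    report = {}
    for name, data in samples.items():
        url = extract_url(data)
        report[name] = {
            "url": url,
            "naive": naive_is_blocked(url) if url else None,
            "hardened": hardened_is_blocked(url) if url else None,
            "flag": url is None or hardened_is_blocked(url),
        }
    return report
```

Pointing `scan` at the contents of incoming .inetloc attachments gives a cheap mail-gateway or endpoint check that does not depend on AV signatures.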
About Automox Automated IT Operations
Today’s IT leaders deserve better than tedious legacy tools to manage their infrastructure. From our single cloud-native platform, automate and scale your IT operations to meet the growing business demands of the modern workforce. With complete visibility of your entire environment, you can easily monitor, identify, and respond to issues in real-time across any endpoint, regardless of OS or location.