Forum Discussion
Zero-day Remote Code Execution in Apple macOS Finder
SSD Disclosure has published a security advisory for a zero-day in Apple macOS Finder that could allow an attacker to execute code on the target operating system. The vulnerability exists because Finder allows inetloc files, Apple-specific shortcuts for internet locations, to run embedded commands without warnings or prompts. The advisory indicates that the most likely attack vector is for attackers to send a malicious inetloc file as an email attachment.
According to the researcher who reported the vulnerability via SSD Secure Disclosure, Apple attempted to silently patch the vulnerability in macOS Big Sur, but that patch is insufficient to fix this flaw. Simply by altering the case of the target value (for example, changing file:// to FiLe://), an attacker can still exploit the vulnerability.
We will continue to monitor this vulnerability and provide updates as they become available.
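For mail-gateway or endpoint triage, the check below classifies an inetloc attachment by its target scheme and normalises case before comparing, so the FiLe:// variant is treated the same as file://. It is an added example, not code from the advisory or from Apple; it assumes the attachment is a property list whose target is stored under a `URL` key, and the allowlist, function names and sample files are constructed for illustration.

```python
import plistlib

# Schemes a legitimate internet-location shortcut is expected to use.
# Assumption: adjust to local policy. An allowlist is used so that any
# unexpected scheme is blocked instead of trying to enumerate bad ones.
ALLOWED_SCHEMES = {"http", "https", "ftp", "afp", "smb", "vnc", "ssh"}


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive prefix check, the kind of filter a case change defeats.
    Illustrative only; not the vendor's actual patch."""
    return url.startswith("file://")


def classify_inetloc(data: bytes) -> str:
    """Return 'allow', 'block' or 'malformed' for raw attachment bytes."""
    try:
        doc = plistlib.loads(data)
    except Exception:
        return "malformed"  # quarantine anything that does not parse
    url = doc.get("URL") if isinstance(doc, dict) else None
    if not isinstance(url, str):
        return "malformed"
    # URL schemes are case-insensitive, so lowercase before comparing.
    scheme = url.strip().partition(":")[0].lower()
    return "allow" if scheme in ALLOWED_SCHEMES else "block"


def make_sample(url: str) -> bytes:
    """Build a constructed sample file with a placeholder target."""
    return plistlib.dumps({"URL": url})


if __name__ == "__main__":
    for target in ("file:///constructed/placeholder",
                   "FiLe:///constructed/placeholder",
                   "https://example.com/"):
        verdict = classify_inetloc(make_sample(target))
        print(f"{target:40} naive_blocked={naive_is_blocked(target)!s:5} "
              f"verdict={verdict}")
```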