


Every Mac can be hacked by this new flaw, and there's no fix yet


A newly disclosed flaw lets attackers hijack fully updated Macs just by putting certain kinds of URLs in an email attachment.

The flaw, reported earlier by Bleeping Computer, abuses the treatment of "inetloc" files, a Mac file format that contains a link to an internet location such as a website or other server.


Independent security researcher Park Minchan found that prefacing a link in an inetloc file with "file://" instead of "http://" or "https://" made it possible to run arbitrary code on — i.e. hack — any Mac running fully updated macOS 11.6 Big Sur. (The "file://" prefix specifies a file on the local PC.)

"These files can be embedded inside emails which, if the user clicks on them, will execute the commands embedded inside them without providing a prompt or warning to the user," said an unsigned posting today (Sept. 21) on the SSD-Disclosure bug-reporting website.

Apple did apparently patch the flaw so that "file://" can no longer be abused using this flaw. However, Park found that switching up the letter cases so that the prefix read "File://" or "fIle://" still worked. (URLs are generally case-insensitive, so "hTTpS://tomsGUIde.coM" will work just as well as "https://tomsguide.com".)

This might look like a zero-day flaw, yet it's more like a flaw that Apple knew about but didn't properly patch. Tom's Guide has sent an email to Apple seeking comment but hasn't yet received a response.

"We have notified Apple that FiLe:// (simply mangling the value) doesn't appear to be blocked, but have not received any response from them since the report has been made," said the SSD-Disclosure posting. "As far as we know, at the moment, the vulnerability has not been patched."
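The incomplete fix described above is a case-sensitive denylist. The following added example (not code from Apple, SSD-Disclosure or the original article) contrasts that check with an allowlist on the normalized scheme, as a mail gateway might apply to attachments. It assumes an .inetloc file is a property list with a top-level "URL" string; the function names, the policy and the sample paths are constructed for illustration.

```python
import plistlib
from typing import Optional
from urllib.parse import urlsplit

# Assumption: attachment policy that accepts only web links.
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive denylist: the kind of check that "File://" slips past."""
    return url.startswith("file://")


def inetloc_url(data: bytes) -> Optional[str]:
    """Return the URL string from an .inetloc plist, or None if unusable."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # malformed or non-plist input; the caller fails closed
        return None
    url = plist.get("URL") if isinstance(plist, dict) else None
    return url if isinstance(url, str) else None


def attachment_allowed(data: bytes) -> bool:
    """Allowlist on the normalized scheme instead of matching a literal prefix."""
    url = inetloc_url(data)
    if url is None:
        return False
    try:
        # urlsplit lowercases the scheme, so "FiLe" and "file" compare equal.
        scheme = urlsplit(url.strip()).scheme
    except ValueError:  # unparseable URL: reject
        return False
    return scheme in ALLOWED_SCHEMES


def make_sample(url: str) -> bytes:
    """Build a constructed .inetloc body for the demonstration."""
    return plistlib.dumps({"URL": url})


if __name__ == "__main__":
    for u in ("https://tomsguide.com", "hTTpS://tomsGUIde.coM",
              "file:///constructed/placeholder", "FiLe:///constructed/placeholder"):
        print(f"{u!r}: naive_blocked={naive_is_blocked(u)} "
              f"allowed={attachment_allowed(make_sample(u))}")
```
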

How you can avoid this

Bleeping Computer tried out the eight-line proof-of-concept exploit provided at the end of the posting and confirmed that it did indeed work on macOS Big Sur. Tom's Guide has not had a chance to try out the exploit.

For now, the only way to avoid this kind of attack is to not open email attachments you don't expect. As of this writing, none of the antivirus malware-detection engines on VirusTotal flagged the proof-of-concept code as malicious.


Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul commuter, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/macos-finder-inetloc-flaw
