


Every Mac can be hacked by this new flaw, and there's no fix yet


A newly disclosed flaw lets attackers hijack fully updated Macs merely by putting certain kinds of URLs in an email attachment.

The flaw, reported earlier by Bleeping Computer, abuses the treatment of "inetloc" files, a Mac file format that contains a link to an internet location such as a website or other server.


Independent security researcher Park Minchan found that prefacing a link in an inetloc file with "file://" instead of "http://" or "https://" made it possible to run arbitrary code on — i.e. hack — any Mac running fully updated macOS 11.6 Big Sur. (The "file://" prefix specifies a file on the local PC.)

"These files can be embedded inside emails which, if the user clicks on them, will execute the commands embedded inside them without providing a prompt or alarm to the user," said an unsigned posting today (Sept. 21) on the SSD-Disclosure bug-reporting website.

Apple did apparently patch the flaw so that "file://" can no longer be abused using this flaw. However, Park found that switching up the letter cases so that the prefix read "File://" or "fIle://" still worked. (URLs are mostly case-insensitive, so "hTTpS://tomsGUIde.coM" will work just as well as "https://tomsguide.com".)

This might look like a zero-day flaw, but it's more like a flaw that Apple knew about but didn't properly patch. Tom's Guide has sent an email to Apple seeking comment but hasn't yet received a response.

"We have notified Apple that FiLe:// (just mangling the value) doesn't appear to be blocked, but have not received any response from them since the report has been made," said the SSD-Disclosure posting. "As far as we know, at the moment, the vulnerability has not been patched."

How you can avoid this

Bleeping Computer tried out the eight-line proof-of-concept exploit provided at the end of the posting and confirmed that it did indeed work on macOS Big Sur. Tom's Guide has not had a chance to try out the exploit.

For now, the only way to avoid this kind of attack is to not open email attachments you don't expect. As of this writing, none of the antivirus malware-detection engines on VirusTotal flagged the proof-of-concept code as malicious.
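The incomplete fix described above comes down to matching the "file://" prefix in one exact letter case. The following is an added example, not code from Apple, SSD-Disclosure or the original article: a sketch of an attachment check that a mail filter could apply, comparing the scheme case-insensitively against an allowlist. It assumes an inetloc file is a property list with a `URL` key; the `http`/`https` allowlist, the function names and the sample paths are hypothetical.

```python
import plistlib
from urllib.parse import urlsplit

# Assumption: only web links are acceptable in mailed inetloc attachments.
ALLOWED_SCHEMES = {"http", "https"}


def make_sample(url):
    """Build a constructed inetloc-style property list for the demo."""
    return plistlib.dumps({"URL": url})


def extract_url(inetloc_bytes):
    """Return the URL string stored in the property list, or None."""
    try:
        doc = plistlib.loads(inetloc_bytes)
    except Exception:
        return None
    url = doc.get("URL") if isinstance(doc, dict) else None
    return url if isinstance(url, str) else None


def naive_is_blocked(url):
    """Weak check: exact-case prefix match, which 'FiLe://' slips past."""
    return url.startswith("file://")


def scheme_of(url):
    """URL schemes are case-insensitive, so normalise before comparing."""
    return urlsplit(url.strip()).scheme.lower()


def should_quarantine(inetloc_bytes):
    """Allowlist check: quarantine unless the scheme is explicitly allowed."""
    url = extract_url(inetloc_bytes)
    if url is None:
        return True  # unparseable attachment: fail closed
    return scheme_of(url) not in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample URLs; the path is a placeholder.
    for u in ("file:///tmp/constructed-example",
              "FiLe:///tmp/constructed-example",
              "hTTpS://tomsGUIde.coM"):
        print(u, naive_is_blocked(u), should_quarantine(make_sample(u)))
```

An allowlist of permitted schemes avoids having to enumerate every spelling of a blocked one.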


Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/macos-finder-inetloc-flaw

Posted by: lomonacogotal1994.blogspot.com
