A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands. These files can be embedded inside emails, and if the user clicks on them, the commands embedded inside are executed without any prompt or warning to the user.

An independent security researcher, Park Minchan, has reported this vulnerability to the SSD Secure Disclosure program.

We have notified Apple that FiLe:// (just mangling the case of the value) does not appear to be blocked, but have not received any response from them since the report was made. The vendor has notified us that the file:// vulnerability has been silently patched in Big Sur and has not assigned it a CVE.
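The case-mangling bypass above is the classic failure of a case-sensitive string match on a scheme that macOS treats case-insensitively. The following added example (not code from the advisory or from Apple) shows a defender-side scanner for inetloc attachments that flags file-scheme URLs regardless of letter case; it assumes the inetloc file is an XML property list with a `URL` key, and the sample payloads are constructed here.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample .inetloc contents. The property-list layout with a "URL"
# key is an assumption about the inetloc format, not taken from the advisory.
PLIST_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>%s</string>
</dict>
</plist>
"""

SAMPLES = {
    "lowercase": PLIST_TEMPLATE % b"file:///placeholder/path",
    "mangled":   PLIST_TEMPLATE % b"FiLe:///placeholder/path",
    "https":     PLIST_TEMPLATE % b"https://example.invalid/",
}


def inetloc_url(data: bytes) -> str:
    """Extract the URL string from an inetloc property list (empty if absent)."""
    return plistlib.loads(data).get("URL", "")


def naive_blocked(url: str) -> bool:
    """Case-sensitive prefix match: catches file:// but misses FiLe://."""
    return url.startswith("file://")


def hardened_blocked(url: str) -> bool:
    """Parse the URL and compare the normalised scheme; urlsplit lowercases it,
    so every case variant of file:// collapses to 'file'."""
    return urlsplit(url).scheme == "file"


def scan(data: bytes) -> dict:
    """Return the URL and the verdict of both checks for one inetloc file."""
    url = inetloc_url(data)
    return {"url": url, "naive": naive_blocked(url), "hardened": hardened_blocked(url)}


def scan_samples() -> dict:
    """Scan every constructed sample; mangled case must be caught by the hardened check."""
    return {name: scan(data) for name, data in SAMPLES.items()}
```

Running `scan_samples()` shows the naive prefix check passing the mangled sample while the normalised check flags both file-scheme variants and leaves the https sample alone.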