Apple recently patched a critical macOS vulnerability that lets attackers run arbitrary code on a Mac by way of an email attachment. Unfortunately, the patch is sloppy and trivially bypassed. Mac owners should avoid opening email attachments with the .inetloc extension until Apple issues a proper fix.
Internet shortcut files, called inetloc files on macOS, are meant to open a web page. You can create one by dragging a URL from your browser to the desktop, for example. But because of a bug in macOS, an attacker can point an inetloc file at a file or application on the local machine instead of a web page, and macOS opens that target without warning when the file is opened. That makes the format an easy way to attack macOS users by email.
Crafting such a file requires little expertise. An inetloc file contains a URL, which normally begins with http:// or https://. But an oversight by Apple lets an inetloc file point to a file:// location on the local system instead. A single URL line inside an inetloc file is enough to make macOS run software, or a malicious payload, on your system.
Researcher Park Minchan discovered the vulnerability early this week. Apple issued a patch quickly after SSD Secure Disclosure reported it, but several tech outlets and security researchers have found that the patch isn't enough.
As Ars Technica reports, Apple's emergency patch blocks inetloc files whose URL begins with the file:// prefix. But the check is case-sensitive: changing any letter of file:// to upper case (File://, for instance) bypasses the fix entirely.
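To make the case-sensitivity problem concrete, here is an added example (it is not code from the original article, from Apple, or from the researchers) that parses inetloc files and compares a case-sensitive prefix check against a proper scheme comparison. It assumes that an inetloc file is an XML property list with a URL key, which is how macOS writes them; the three sample files and the /Applications/Example.app path are constructed for the demonstration and are not taken from any real attack.

```python
from __future__ import annotations

import plistlib
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample .inetloc contents. Assumption: macOS stores an internet
# location as a property list whose "URL" key holds the target. The app path
# below is a placeholder, not a real target.
_PLIST_HEAD = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0">\n<dict>\n\t<key>URL</key>\n\t<string>'
)
_PLIST_TAIL = b"</string>\n</dict>\n</plist>\n"


def make_inetloc(url: str) -> bytes:
    """Build a constructed .inetloc file body around the given URL."""
    return _PLIST_HEAD + url.encode("utf-8") + _PLIST_TAIL


SAMPLES = {
    "benign.inetloc": make_inetloc("https://www.example.com/"),
    "local-lower.inetloc": make_inetloc("file:///Applications/Example.app"),
    "local-mixed.inetloc": make_inetloc("FiLe:///Applications/Example.app"),
}


def inetloc_url(data: bytes) -> Optional[str]:
    """Return the URL stored in an .inetloc plist, or None if it cannot be read."""
    try:
        obj = plistlib.loads(data)
    except Exception:  # plistlib raises different types for bad XML vs bad binary input
        return None
    if not isinstance(obj, dict):
        return None
    url = obj.get("URL")
    return url if isinstance(url, str) else None


def naive_is_local(url: str) -> bool:
    """Case-sensitive prefix check, the kind the article describes the patch using."""
    return url.startswith("file://")


def is_local_file_url(url: str) -> bool:
    """Compare the URL scheme case-insensitively, as RFC 3986 requires.

    urlsplit() already normalizes the scheme to lower case; the explicit
    lower() makes the intent visible to a reader.
    """
    return urlsplit(url).scheme.lower() == "file"


def scan(samples: dict[str, bytes]) -> dict[str, dict[str, object]]:
    """Run both checks over every sample and report the URL and each verdict."""
    results: dict[str, dict[str, object]] = {}
    for name, data in samples.items():
        url = inetloc_url(data)
        results[name] = {
            "url": url,
            "naive_flags": bool(url) and naive_is_local(url),
            "robust_flags": bool(url) and is_local_file_url(url),
        }
    return results


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:22} url={verdict['url']!r:42} "
              f"naive={verdict['naive_flags']} robust={verdict['robust_flags']}")
```

Running it shows the gap: the mixed-case file passes the naive prefix check but is caught by the scheme comparison. A mail gateway or endpoint rule that wants to catch these attachments should normalise the scheme (and ideally reject anything that is not http or https) rather than match a literal prefix.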
This is amateurish work from Apple. It’s the kind of fix you’d expect from an intern at a small company. And frankly, it’s a worrying sign that Apple doesn’t take security as seriously as it claims. I guess that’s why we haven’t seen the “what happens on your iPhone stays on your iPhone” billboard in a while.