A remotely executed Zero-Day vulnerability hits Apple’s MacOS

  • Writer: Rachel Hanlon
  • Sep 24, 2021

Updated: May 6, 2022

Description

Security researchers disclosed a zero-day vulnerability in Apple’s macOS. It is classed as a zero-day because it is public knowledge and Apple has not yet fixed it.

Successful exploitation of this vulnerability allows an attacker to remotely execute commands on any macOS version. The flaw effectively allows an attacker to bypass Apple’s quarantine technologies. It exists because ‘inetloc’ files run arbitrary commands embedded inside them without any prompts.

On macOS, Internet location files with the ‘.inetloc’ extension act as bookmarks that can be used to open online resources (news://, ftp://, afp://) or local files (file://).

Once clicked, the file opens the online resource or local file (file://) it points to.

An attacker can use this technique in phishing to execute commands on a remote machine, because no prompt is shown when the attachment is clicked. Although Apple silently patched this vulnerability, the original researcher later pointed out that the fix was partial, and the vulnerability still does not have a stable patch.

Recommendations

  • Analyse firewall and Internet proxy logs for the presence of the mentioned IOCs. Update the anti-malware solutions at endpoint and perimeter level to include the given IOCs

  • Avoid handling files or URL links in emails, chats or shared folders from untrusted sources

  • Provide phishing awareness training to your employees/contractors

  • Deploy endpoint detection & response (EDR) tools to detect latest malware and suspicious activities on endpoints
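
One way to triage ‘.inetloc’ attachments for the file:// behaviour described above, as an added example that is not part of the original advisory. It assumes ‘.inetloc’ files are property lists that store their target under a `URL` key; the function names, file names and URLs are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Schemes that resolve to the local machine rather than an online resource.
LOCAL_SCHEMES = {"file"}


def inetloc_target(data: bytes):
    """Return the URL stored in an .inetloc plist, or None if it cannot be read."""
    try:
        plist = plistlib.loads(data)
    except Exception:  # not a valid property list
        return None
    url = plist.get("URL") if isinstance(plist, dict) else None
    return url if isinstance(url, str) else None


def triage(name: str, data: bytes) -> str:
    """Classify one attachment: skip, malformed, local-target or remote-target."""
    if not name.lower().endswith(".inetloc"):
        return "skip"
    url = inetloc_target(data)
    if url is None:
        return "malformed"  # worth a manual look: the bookmark has no readable URL
    scheme = urlsplit(url.strip()).scheme.lower()
    return "local-target" if scheme in LOCAL_SCHEMES else "remote-target"


def scan(attachments: dict) -> dict:
    """Map each attachment name to its triage verdict."""
    return {name: triage(name, data) for name, data in attachments.items()}


# Constructed sample attachments (not taken from any real campaign).
SAMPLES = {
    "report.inetloc": plistlib.dumps({"URL": "file:///PLACEHOLDER/local/target"}),
    "mirror.inetloc": plistlib.dumps({"URL": "ftp://ftp.example.com/pub/"}),
    "broken.inetloc": b"not a plist",
    "notes.txt": b"hello",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:14} {name}")
```

Attachments reported as `local-target` or `malformed` are the ones to quarantine or block at the mail gateway before they reach a user.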
