macOS Finder Zero Day Vulnerability Allows Remote Code Execution

A currently unpatched zero-day vulnerability in the macOS Finder system can be exploited using a malicious email attachment to remotely execute arbitrary code. The vulnerability is present in Big Sur and all previous versions of macOS. Apple released a silent update to fix the vulnerability, but it did not work and the flaw can still be exploited.

The macOS Finder system is the default file manager and GUI front-end on Mac operating systems. macOS Finder controls file management, disks, network volumes, and the launching of all applications. Security researcher Park Mincham discovered a vulnerability caused by how macOS Finder processes Apple-specific Internet location (.inetloc) files. Mincham discovered that commands embedded in these files can be run without generating any warnings or prompts.

macOS uses .inetloc files to open either online resources such as RSS feeds or, by using the file:// format, local files. An attacker could embed a specially crafted .inetloc file in an email, and if the user clicks on that file, the commands included in the .inetloc file would be run without the user's knowledge, as no warnings or prompts would be displayed.

Mincham reported the vulnerability to SSD under the Secure Disclosure program, which issued an advisory about the bug. Apple silently fixed the bug and did not assign a CVE to the vulnerability; however, the fix did not totally work. Apple fixed the issue with the file:// format in Big Sur, but Mincham discovered the flaw could still be exploited by using FiLe:// instead. SSD reported this to Apple but has not heard back and said to their knowledge the issue has yet to be fixed.

“Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or a telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; can be created by typing a URL in a text editor and dragging the text to the Desktop,” said SSD in the security advisory. “The case here inetloc is referring to a file:// “protocol” which allows running locally (on the user’s computer) stored files. If the inetloc file is attached to an email, clicking on the attachment will trigger the vulnerability without warning.”
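The incomplete fix described above comes down to a case-sensitive scheme comparison, so a mail-filtering check has to normalise the scheme before matching. The following is an added example, not code from Apple, SSD or the original article; it assumes an .inetloc file is a property list with a `URL` key, and the function names and sample URLs are hypothetical and constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Schemes that make a shortcut open local content instead of a network location.
LOCAL_SCHEMES = {"file"}


def make_sample(url: str) -> bytes:
    """Build a constructed .inetloc body (assumed layout: plist dict with a URL key)."""
    return plistlib.dumps({"URL": url})


def naive_check(url: str) -> bool:
    """Case-sensitive prefix match: the kind of filter a mixed-case scheme slips past."""
    return url.startswith("file://")


def extract_url(data: bytes):
    """Return the URL stored in the property list, or None if missing or unparseable."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return None
    url = plist.get("URL") if isinstance(plist, dict) else None
    return url if isinstance(url, str) else None


def is_local_scheme(url: str) -> bool:
    """URI schemes are case-insensitive (RFC 3986), so compare in lower case."""
    return urlsplit(url.strip()).scheme.lower() in LOCAL_SCHEMES


def scan_attachment(name: str, data: bytes) -> str:
    """Classify one mail attachment as 'ignore', 'allow' or 'quarantine'."""
    if not name.lower().endswith(".inetloc"):
        return "ignore"
    url = extract_url(data)
    if url is None:
        return "quarantine"  # fail closed on malformed shortcuts
    return "quarantine" if is_local_scheme(url) else "allow"


if __name__ == "__main__":
    for u in ("file:///PLACEHOLDER/sample", "FiLe:///PLACEHOLDER/sample",
              "https://example.com/feed.rss"):
        print(u, naive_check(u), scan_attachment("shortcut.inetloc", make_sample(u)))
```

The naive check misses the mixed-case variant, while the normalised check quarantines both spellings and still lets ordinary web shortcuts through.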

Potentially, an attacker could create a malicious email attachment which could exploit the flaw to launch a malicious payload. It is currently unclear if there have been any exploits of the vulnerability in the wild.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of