It’s the “Oops! Of the week. Security researcher Park Minchan has just found a particularly easy-to-exploit security flaw in macOS that allows the execution of arbitrary commands at the system level. It suffices to send a particular “Inetloc” file by a message. This type of file is used in macOS to point to local resources or the web, relying on operators such as “file: //” or “ftp: //”. The case of “file: //” is obviously very sensitive, because it allows the opening of potentially executable local files. This is why this prefix has been blocked.
The concern is that typographical variations will continue to work, such as “FiLe: //” or “fIle: //”. A hacker could therefore, by means of a corrupted message, launch an executable in this way. The SSD Secure Disclosure site, where the security alert was posted, made a demo GIF.
This flaw exists for all versions of macOS, including the latest (Big Sur). As Bleeping Computer has observed on the VirusTotal platform, no security software is capable, to date, of detecting such a corrupted file. And Apple has not yet commented on this matter.
Source: Bleeping Computer