New macOS zero-day bug allows running commands remotely
Security researchers have disclosed a new vulnerability in Apple's macOS Finder that makes it possible for threat actors to run commands on Mac computers running any macOS version up to the latest release, Big Sur. There is no patch for this problem yet.
The vulnerability was discovered by information security expert Park Minchan, and it is related to the way macOS handles .inetloc files (Internet location files). Files with the .inetloc extension are system-wide bookmarks that can be used to open various network resources (news://, ftp://, afp://) and local files (file://). As a result, these files force the OS to run any commands embedded by the threat actor without any warnings or prompts.
"These files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user," SSD Secure Disclosure warned.
Apple fixed the issue without assigning a CVE identifier, but, as Minchan later discovered, the patch only partially addressed the flaw, and it still exists.
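A defender-side check for the file type described above, as an added example that is not from the article or from SSD Secure Disclosure: it flags .inetloc files whose target is a local file:// URL rather than a network resource. It assumes an .inetloc file is a property list whose `URL` key holds the target; the function names and sample URLs are constructed for illustration.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Schemes that point at the local machine rather than a network resource.
LOCAL_SCHEMES = {"file"}

def inspect_inetloc(data: bytes) -> dict:
    """Parse .inetloc content; report the target URL and whether it is local."""
    try:
        plist = plistlib.loads(data)  # accepts XML and binary property lists
    except Exception:
        return {"url": None, "scheme": None, "verdict": "unparseable"}
    url = plist.get("URL") if isinstance(plist, dict) else None  # assumed key
    if not isinstance(url, str):
        return {"url": None, "scheme": None, "verdict": "no-url"}
    # URL schemes are case-insensitive (RFC 3986): normalise before comparing.
    scheme = urlsplit(url.strip()).scheme.lower()
    if not scheme:
        verdict = "no-scheme"
    elif scheme in LOCAL_SCHEMES:
        verdict = "local-file"
    else:
        verdict = "network"
    return {"url": url, "scheme": scheme, "verdict": verdict}

def scan_tree(root: str) -> list:
    """Return (path, result) for each .inetloc under root that is not a
    plain network bookmark, e.g. a directory of extracted mail attachments."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".inetloc":
            result = inspect_inetloc(path.read_bytes())
            if result["verdict"] != "network":
                hits.append((str(path), result))
    return hits

def make_sample(url: str) -> bytes:
    """Constructed sample: a minimal .inetloc-style plist for the given URL."""
    return plistlib.dumps({"URL": url})

if __name__ == "__main__":
    for u in ("ftp://ftp.example.com/pub/", "file:///Applications/Example.app"):
        print(u, "->", inspect_inetloc(make_sample(u))["verdict"])
```

Files reported as `unparseable` or `no-url` are returned by `scan_tree` alongside `local-file` hits so that malformed bookmarks get reviewed instead of silently skipped.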
Source: bleepingcomputer.com
23 September 2021