Threat Watch

Vulnerability in macOS Finder Allows Attackers to Run Arbitrary Commands

A vulnerability in macOS Finder allows Internet Location (.inetloc) files to execute arbitrary commands. Internet Location files are shortcuts to an Internet location (“news://”, “ftp://”, “afp://”, or “file://”) and can contain the server address and possibly username and password for SSH and telnet connections. These files can be created by typing a URL into a text editor and dragging the text to the Desktop. These files can be embedded inside of any program that can attach and execute files, such as email and iMessage, and if clicked will execute commands without warning the user.

SSD Secure Disclosure, a zero-day vulnerability research company, says “The case here inetloc is referring to a ‘file://’ protocol which allows running locally (on the user’s computer) stored files. If the inetloc file is attached to an email, clicking on the attachment will trigger the vulnerability without warning.”

Although newer versions of macOS have been updated to block the “file://” prefix without assigning a CVE identification number, it was discovered that simply changing the protocol with mixed-case, such as “File://” or fiLe://, bypasses the patch. Researchers have reached out to Apple but have not received a response at the time of writing and this vulnerability remains unpatched.


If this vulnerability were to be exploited by attackers, it could potentially be used to create malicious email attachments that could launch bundled or remote payloads when opened by the user. As the vulnerability is still active, it is recommended to block .inetloc files in email attachments, and/or confirm the file was sent from a known, reputable sender before clicking on any attachment with the extension.