A code execution bug in macOS Big Sur and earlier allows remote command execution

A code execution bug in Apple's macOS allows remote attackers to execute arbitrary commands on Apple computers. Worst of all, Apple has not completely fixed it yet. The bug affects macOS users in general, and especially those who use a native email client such as the "Mail" application.

Certain shortcut files can take over Mac computers. The independent security researcher Park Minchan discovered a vulnerability in macOS that allows these files to run commands on the Mac of whoever opens them. Shortcut files with the "inetloc" extension can have commands embedded in them. This bug affects macOS Big Sur and earlier versions.

A vulnerability in the way macOS processes inetloc files causes it to run the commands embedded in them. These commands can be local to macOS, allowing arbitrary commands to be executed without any warnings or prompts to the user. Inetloc files were originally intended as shortcuts to an Internet location, such as an RSS feed or a telnet location. They contain the server address and possibly a username and password for SSH and telnet connections. They can be created by typing a URL in a text editor and dragging the text to the desktop.

This bug particularly affects macOS users who rely on a native email client such as the Mail application. Opening an email containing an inetloc attachment through the Mail application will trigger the vulnerability without warning.

Apple has partially fixed the problem, but the researcher has shown that the fix is not complete, so further updates are needed to eliminate the bug entirely.
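As an added example (not from the article, the researcher or Apple), a mail gateway or triage script could inspect inetloc attachments before delivery and quarantine any whose target is not a network location. It assumes the file is a property list holding its target under a `URL` key; the allowed-scheme list, the function names and the sample attachments are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Assumption: the schemes a genuine internet-location shortcut needs here.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ssh", "telnet", "feed"}

def classify_inetloc(data: bytes) -> tuple[str, str]:
    """Return (verdict, detail) for the raw bytes of one .inetloc file."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plist: do not deliver it
        return ("quarantine", f"unparseable plist ({type(exc).__name__})")
    url = plist.get("URL") if isinstance(plist, dict) else None
    if not isinstance(url, str) or not url.strip():
        return ("quarantine", "no URL string")
    try:
        # Normalise case so the allowlist comparison cannot be sidestepped.
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:
        return ("quarantine", "malformed URL")
    if scheme in ALLOWED_SCHEMES:
        return ("allow", scheme)
    return ("quarantine", f"scheme {scheme or '(none)'} not allowed")

def triage(attachments: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """Classify every attachment whose name ends in .inetloc (any case)."""
    return {
        name: classify_inetloc(data)
        for name, data in attachments.items()
        if name.lower().endswith(".inetloc")
    }

def make_sample(url: str) -> bytes:
    """Build a constructed .inetloc body for the demonstration."""
    return plistlib.dumps({"URL": url})

# Constructed sample attachments (not taken from the article).
SAMPLES = {
    "feed.inetloc": make_sample("HTTPS://example.com/rss.xml"),
    "host.inetloc": make_sample("ssh://user@host.example"),
    "local.INETLOC": make_sample("file:///path/to/local/target"),
    "broken.inetloc": b"not a plist",
    "notes.txt": b"ignored: not an inetloc file",
}

if __name__ == "__main__":
    for name, (verdict, detail) in triage(SAMPLES).items():
        print(f"{name}: {verdict} ({detail})")
```

An allowlist is used rather than a blocklist so that any scheme not explicitly needed is held back by default.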
