SB2021092205 - Remote code execution in Apple macOS

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021092205

SB2021092205 - Remote code execution in Apple macOS

Published: September 22, 2021

Security Bulletin ID SB2021092205
CSH Severity
Critical
Patch available
NO
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Authorization in Handler for Custom URL Scheme (CVE-ID: N/A)

CWE-ID: CWE-939 - Improper Authorization in Handler for Custom URL Scheme

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red


The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation in in macOS Finder when processing custom URI schemes, such as File:// or fIle://. A remote attacker can create a specially crafted file with inetloc extension, send it as an email attachment, trick the victim to open the email and execute arbitrary OS commands on the system.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References