Apple today confirmed to TechCrunch that the just-released macOS 11.3 software update fixes a security vulnerability that could have allowed a hacker to remotely access a user's sensitive data by tricking a user into opening a fake document.
Security researcher Cedric Owens discovered the vulnerability in March and reported it to Apple, according to the report.
All the user has to do is double-click the fake document; no macOS prompts or warnings are generated.
Owens has developed a proof-of-concept app that disguises itself as a harmless document and exploits the flaw to launch the Calculator app. But he says the vulnerability could also be used for more nefarious purposes. According to security researcher Patrick Wardle, the vulnerability is the result of a logic error in the underlying code of macOS. TechCrunch writes:
Put simply, macOS apps aren't a single file but a bundle of different files that the app needs to function, including a properties list file that tells the application where to find the files it depends on. But Owens found that taking out that properties file and building the bundle with a specific structure could get macOS to open the bundle - and run the code inside it - without triggering any warnings.
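The structural trait TechCrunch describes, an app bundle that has had its property list removed, is something a defender can look for directly on disk. The script below is an added example written for this page; it is not code from Owens, Wardle, Apple or TechCrunch, and it does not reproduce the exact bundle layout of the proof-of-concept. It walks a directory tree, finds `.app` bundles, and flags any that lack `Contents/Info.plist` or whose `Contents/MacOS` executable is a script rather than a Mach-O binary. The script-versus-Mach-O heuristic and the two sample bundles (one benign, one shaped like a fake document) are assumptions constructed inline so the example runs offline on any platform.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# On-disk magic numbers for Mach-O 64-bit, Mach-O 32-bit and fat (universal) binaries.
MACHO_MAGIC = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def bundle_findings(app_dir: Path) -> List[str]:
    """Inspect one .app directory and return suspicious traits (empty list if none)."""
    findings: List[str] = []
    contents = app_dir / "Contents"
    # The trait described in the article: the bundle's property list is absent.
    if not (contents / "Info.plist").is_file():
        findings.append("missing Contents/Info.plist")
    macos_dir = contents / "MacOS"
    if not macos_dir.is_dir():
        findings.append("missing Contents/MacOS")
        return findings
    # Assumed heuristic: a main executable that is a script (shebang) rather than
    # a Mach-O binary is unusual for a normal app and worth a closer look.
    for exe in sorted(macos_dir.iterdir()):
        if not exe.is_file():
            continue
        with exe.open("rb") as fh:
            head = fh.read(4)
        if head.startswith(b"#!"):
            findings.append(f"script instead of Mach-O binary: Contents/MacOS/{exe.name}")
        elif head not in MACHO_MAGIC:
            findings.append(f"unrecognized executable format: Contents/MacOS/{exe.name}")
    return findings


def scan(root: Path) -> Dict[str, List[str]]:
    """Scan a directory tree and map each suspicious bundle name to its findings."""
    results: Dict[str, List[str]] = {}
    for app in sorted(root.rglob("*.app")):
        if app.is_dir():
            findings = bundle_findings(app)
            if findings:
                results[app.name] = findings
    return results


def build_samples(root: Path) -> None:
    """Create two constructed sample bundles for the demo (not real applications)."""
    # Benign bundle: has an Info.plist and a stub Mach-O main executable.
    good = root / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "Info.plist").write_text(
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<plist version="1.0"><dict>'
        "<key>CFBundleExecutable</key><string>Good</string>"
        "</dict></plist>\n"
    )
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    # Suspicious bundle: named like a document, no Info.plist, shell script as executable.
    bad = root / "Invoice.pdf.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)
    script = bad / "Invoice.pdf"
    script.write_text("#!/bin/sh\nopen -a Calculator\n")
    script.chmod(0o755)


def demo() -> Dict[str, List[str]]:
    """Build the samples in a temporary directory and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_samples(root)
        return scan(root)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real Mac you would point `scan()` at a download location such as `~/Downloads` rather than at the constructed samples. The check is a triage aid, not a replacement for the macOS 11.3 fix or the updated XProtect rules: a bundle that fails it deserves inspection, but a bundle that passes is not thereby trustworthy.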
In addition to fixing the bug in macOS 11.3, Apple patched earlier macOS versions to prevent abuse and updated XProtect, macOS's built-in anti-malware system, to block malware that exploits the vulnerability, according to TechCrunch. The report says the bug was exploited for months, but it remains unclear how many users were affected.