Apple revealed to TechCrunch that the recently launched macOS 11.3 software update fixes a security flaw that may have permitted a hacker to remotely access a user’s confidential data by convincing the user to open a spoofed document.
The vulnerability was discovered in mid-March by security researcher Cedric Owens, who described it this way: “All the user would need to do is double click, and no macOS prompts or warnings are generated.” He created a proof-of-concept app that did nothing malicious and only launched the Calculator app, which was enough to demonstrate the flaw in Apple’s code.
Security researcher Patrick Wardle argues that the vulnerability is a logic bug in the system code that underlies macOS. “In simple terms, macOS apps aren’t a single file but a bundle of different files that the app needs to work, including a property list file that tells the application where the files it depends on are located,” TechCrunch explains.
“But Owens found that taking out this property file and building the bundle with a particular structure could trick macOS into opening the bundle, and running the code inside, without triggering any warnings.”
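The passage above describes the mechanism as a bundle built without the property list that macOS normally expects. The following script is an added example, not code from the article or from either researcher: it audits a directory tree for `.app` bundles that are missing `Contents/Info.plist`, whose plist cannot be parsed, or whose declared `CFBundleExecutable` is absent, which is the kind of inventory check a defender can run over download and user-application folders. The sample bundles it builds in a temporary directory are constructed for the demonstration; the bundle layout and plist keys follow the standard macOS bundle convention.

```python
"""Added example (not from the article): flag .app bundles that lack the
property list macOS normally expects, or whose plist does not point at a
real executable. A bundle with no Contents/Info.plist is the shape the
article describes, so a quick inventory like this is a cheap hunting check."""
import os
import plistlib
import tempfile
from pathlib import Path


def audit_bundle(app_dir):
    """Return a list of findings for one .app bundle directory (empty list = looks normal)."""
    findings = []
    contents = Path(app_dir) / "Contents"
    plist_path = contents / "Info.plist"
    if not plist_path.is_file():
        findings.append("missing Contents/Info.plist")
        return findings
    try:
        with open(plist_path, "rb") as f:
            info = plistlib.load(f)
    except Exception as exc:  # malformed or non-plist content
        findings.append(f"unparseable Info.plist: {exc}")
        return findings
    exe = info.get("CFBundleExecutable")
    if not exe:
        findings.append("Info.plist has no CFBundleExecutable")
    elif not (contents / "MacOS" / exe).is_file():
        findings.append(f"declared executable {exe!r} not present in Contents/MacOS")
    return findings


def audit_tree(root):
    """Walk root, audit every directory named *.app, and return {bundle_path: findings}
    for bundles that produced at least one finding."""
    flagged = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                app = Path(dirpath) / d
                result = audit_bundle(app)
                if result:
                    flagged[str(app)] = result
                dirnames.remove(d)  # do not descend into the bundle itself
    return flagged


def build_sample_tree():
    """Constructed sample data: one well-formed bundle and one with no Info.plist at all."""
    root = Path(tempfile.mkdtemp())
    good = root / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "MacOS" / "Good").write_bytes(b"#!/bin/sh\n")
    with open(good / "Info.plist", "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Good",
                       "CFBundleIdentifier": "example.good"}, f)
    bad = root / "NoPlist.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)
    (bad / "NoPlist").write_bytes(b"#!/bin/sh\n")
    return root


if __name__ == "__main__":
    for path, findings in audit_tree(build_sample_tree()).items():
        print(path, "->", "; ".join(findings))
```

Run it against a real folder by calling `audit_tree("/Applications")` or a downloads directory; a hit is a prompt for closer inspection (code signature, origin, what the bundle actually contains), not proof of malice, since some legitimate tooling ships unusual bundles.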
MacOS 11.3 Fixes a Security Vulnerability
Apple told TechCrunch that, in addition to the fix in macOS 11.3, it patched older macOS versions to mitigate abuse and updated XProtect, macOS’s built-in anti-malware system, to prevent malware from leveraging the vulnerability.
According to the report, the bug was exploited for months; however, the exact number of users affected is unknown.