Thursday, September 23, 2021

Questionable RCE with .webloc/.inetloc files

A report surfaced recently that at least some recent versions of macOS can be exploited to run arbitrary local applications using .inetloc files, which may allow a drive-by download to automatically kick off a vulnerable application and exploit it. Apple appeared to acknowledge the fault, but did not assign it a CVE; the reporter seems not to have found the putative fix satisfactory and public disclosure thus occurred two days ago.

The report claims the proof of concept works on all prior versions of macOS, but it doesn't seem to work (even with corrected path) on Tiger. Unfortunately due to packing I don't have a Leopard or Snow Leopard system running right now, so I can't test those, but the 10.4 Finder (which would launch these files) correctly complains they are malformed. As a safety measure in case there is something exploitable, the October SPR build of TenFourFox will treat both .webloc and .inetloc files that you might download as executable. (These files use similar pathways, so if one is exploitable after all, then the other probably is too.) I can't think of anyone who would depend on the prior behaviour, but in our unique userbase I'm sure someone does, so I'm publicizing this now ahead of the October 5 release. Meanwhile, if someone's able to make the exploit work on a Power Mac, I'd be interested to hear how you did it.


  1. I couldn't get it to work on my Yosemite system.

    1. Interesting. It's entirely possible this was a much more recent bug than the discoverers thought.

  2. [ChrisT.] 10.5.8: Finder says 'The Internet location file "rcetest.inetloc" cannot be opened because it is damaged.'
    10.11.6: Finder opens Calculator.


Due to an increased frequency of spam, comments are now subject to moderation.