SSD Advisory – macOS Finder RCE & How Privilege Management for Mac Can Mitigate It | BeyondTrust

Application control, provided by a third-party solution, complements the existing security measures of macOS with important controls over what applications can run on the system. This is accomplished by configuring a list of rules in the solution policy.

BeyondTrust Privilege Management for Mac combines privilege management and application control capabilities and integrates with the subsystems of macOS. The BeyondTrust solution enables our customers to control what applications can run on a macOS system, based on a policy distributed from a management platform onto an endpoint.

Taking the POC off the SSD Advisory – “macOS Finder RCE” exploit as an example. The exploit targets the end user to open an “.inetloc” file containing a command to open Calculator App (shown in Figure 1 below).

Without Privilege Management for Mac installed, will be launched when the end user opens the file inetloc.inetloc:

With a policy that provides application control for, Privilege Management for Mac will detect being launched, indirectly by the user opening inetloc.inetloc, and can control whether the application is launched or not.

A well-configured allow-listing policy implemented via Privilege Management for Mac protects end users—whether standard or administrator—from threats such as the macOS Finder system vulnerability. The solution also audits events to identify and alert on any attempts to launch “unexpected” programs.

Using Privilege Management for Mac, an administrator can support a zero trust approach for their Mac endpoint security estate. If zero trust is a key security initiative for your organization, I recommend checking out our paper: A Zero Trust Approach to Windows & Mac. Security.

To learn more about Privilege Management for Mac, contact us today.

This post was first first published on BeyondTrust website by . You can view it by clicking here