Security researchers from Trend Micro have discovered an arbitrary code execution vulnerability that could be abused via malicious USB devices. Trend Micro privately reported the flaw to Apple earlier this year.
The flaw, tracked as CVE-2017-13811, resides in the fsck_msdos system tool, which checks for and repairs errors on devices formatted with the FAT filesystem. macOS invokes it automatically whenever a FAT-formatted device, such as a USB disk or an SD card, is inserted.
The flaw enables attackers to execute arbitrary code with system-level privileges and take over the entire system through a malicious device, such as the USB flash disks or SD cards mentioned above.
According to Trend Micro:
“We do not believe that this attack has been used in the wild. We strongly recommend that users update their software to address this flaw, as well as the others that were part of this update cycle.”
Google has identified this flaw as one it will not patch in Android, because “fsck_msdos works under a very restricted SELinux domain.” Google is currently studying how to address the issue in a future version of the OS. IT admins may want to restrict USB access on their devices, since removable media is a frequently used method for getting malware onto systems. Physical controls may be considered for especially sensitive devices.