The issue was discovered by Italian security researcher Filippo Cavallarin, of security firm Segment, who used Beyond Security's SSD (SecuriTeam Secure Disclosure) program to report the flaw to Apple in a secure and responsible manner.
Beyond Security says its experts forwarded Cavallarin's finding to Apple on July 27, this year. Yesterday, the SSD team said that after an inspection of macOS High Sierra (10.13), Apple appears to have patched the issue, but without including any mention in this month's security update.
Seeing that Apple seems to have resolved the bug, Cavallarin published details about the vulnerability on his blog yesterday. In short, this is how the researcher describes the flaw:
When a user receives the file and runs it, even if Apple's quarantine system blocks any local resources from executing, the file sends its malicious code to the local rhtmlPlayer.html, which executes it with full access to any local operating system resources.
Cavallarin recommends that users upgrade to macOS High Sierra or simply remove rhtmlPlayer.html to stay protected. The researcher said the issue affects macOS versions 10.12, 10.11, 10.10 and probably earlier versions.
Full technical details are available on Cavallarin's blog. The expert also recorded a video demoing how an attacker could exploit the flaw to run code on a user's machine.