[HN Gopher] Zero click vulnerability in Apple's macOS Mail
___________________________________________________________________
Zero click vulnerability in Apple's macOS Mail
Author : jviide
Score : 138 points
Date : 2021-04-01 19:03 UTC (3 hours ago)
(HTM) web link (mikko-kenttala.medium.com)
(TXT) w3m dump (mikko-kenttala.medium.com)
| petra wrote:
| Is it true that Apple devices are more secure than good Android
| devices (like Google's Pixel)?
|
| Or is it just security theater?
| als0 wrote:
| As far as what is feasible, Apple does a very good job with
| their iPhone/iPad security. With both hardware and software.
| You can read about how it all works in their platform
| security guide.
|
| On the Android side, Google makes good software changes to
| Android, but ultimately the security is dependent on the
| handset maker (e.g. Samsung) and SoC maker (e.g. Qualcomm).
| Security will vary between Android phones. The bigger Android
| phone makers are more able to make security investments than
| the cheaper phone makers.
| rogerbinns wrote:
| A big difference is that the software running on Apple devices
| is less complex. For example there is significantly less
| hardware support. iMessage only talks to other iMessage
| instances (e.g. no browser support). There is only one web
| browser engine. Third party apps can't do JIT code generation.
| Older APIs are actively removed, breaking existing apps (vs
| providing backwards compatibility).
|
| In general less complexity is better, but it also constrains
| things. For example it took until recently for third party iOS
| apps to be able to do NFC. Android had it since ~2012.
| wunderflix wrote:
| _> Android had it since ~2012._
|
| I seriously wonder: what difference did it make? Was there
| any groundbreaking thing iOS users missed for 8 years?
|
| Apple is just great in omitting things and keeping focus to
| deliver a great product and then expand on that basis.
|
| Most famous example: First iPhones didn't have MMS
| musicale wrote:
| > First iPhones didn't have MMS
|
| Or cut and paste. ;-)
| toxik wrote:
| MMS is whack though
| musicale wrote:
| "No wireless. Less space than a nomad. Lame."
| tempfs wrote:
| Apple's entire business model is based on appearances. To be
| fair so is Microsoft's and many others.
|
| Security is usually the last priority for nearly every
| for-profit entity because it doesn't drive revenue.
| willio58 wrote:
| Security drives profit if it is marketed well. Apple does
| this. Think about even their branding for certain things,
| e.g. "Secure Enclave".
| etaioinshrdlu wrote:
| Apple puts rather extreme security effort into preventing iOS
| jailbreaks. They are pretty serious about trying to prevent
| data exfiltration from locked iOS devices as well.
|
| They aren't perfect but I don't think it's fair to say they
| don't try.
| viraptor wrote:
| I wouldn't call it extreme when there was a known public
| website allowing one-click jailbreak for a good few months
| (not sure if it was actually ever patched or the iOS
| version just went EOL).
| _underfl0w_ wrote:
| They then hired the guy creating those exploit chains.
| ghughes wrote:
| 10 years ago, yeah.
|
| https://en.m.wikipedia.org/wiki/JailbreakMe
| 2OEH8eoCRo0 wrote:
| >While the police managed to crack into Wong's iPhone, which
| was locked with a four-digit passcode, they did not manage to
| access the contents of Chow's Google Pixel phone using the
| force's existing digital forensics tools, according to the
| court filing. Chow says her phone is still in police
| possession.
|
| https://qz.com/1844937/hong-kongs-mass-arrests-give-police-a...
| codemac wrote:
| If you turn on iCloud, it's theater.
|
| Android with syncing enabled does much better in real world
| tests. Notably in Hong Kong, they were able to crack the
| iPhones, but not the Pixels [0].
|
| I'm pretty sure without iCloud and a long enough password (or
| fast enough self destruct mode) iPhones could be as secure, but
| I don't know anyone that uses an iPhone and does not use iCloud
| in any way.
|
| [0]: https://qz.com/1844937/hong-kongs-mass-arrests-give-police-a...
| viraptor wrote:
| I like the way (I think) the grugq described it: out of the box
| iPhones are great with security, but Android allows you to
| build / get better yourself. See the copperhead project for
| example https://copperhead.co/android/
| asddubs wrote:
| good old symlinks, always wreaking havoc
| threatofrain wrote:
| > 2020-05-16: Issue found
|
| > 2020-05-24: PoC done and reported to Apple
|
| > 2020-06-04: Catalina 10.15.6 Beta 4 with [hotfix released]
|
| > 2020-07-15: Catalina 10.15.6 Update with hotfix released
| lehi wrote:
| > 2021-03-30: Bug Bounty is still being evaluated
| marshmallow_12 wrote:
| If Apple are actually serious, why are they taking so long to
| give the bounty? It sounds like madness to me.
| stephc_int13 wrote:
| This is clearly what triggered the post.
|
| Work was done but not paid. Shitty business on Apple's
| side...
| MuffinFlavored wrote:
| The company has billions of dollars. I don't think a
| $50k-$100k bug bounty payout for them is a big deal. Even $1m
| wouldn't be a big deal to them.
| swiley wrote:
| It's hardly surprising; you can run into memory corruption bugs
| just using desktop Mail.app the way it's intended (there's been a
| bug that corrupts the account list for probably a decade which
| just hasn't been fixed).
|
| Mutt may _look_ old but at least it actually works.
| Zhenya wrote:
| It seems backwards that Apple acknowledges the issue, PATCHES it,
| but still hasn't paid out.
|
| Maybe a good business is a bug escrow company.
| hbbio wrote:
| zerodium
| _alex_ wrote:
| That's gonna be devastating to the three people who use Mail.app
| gumby wrote:
| I switched to it with the first release of OS X and have been
| pretty happy with it.
|
| Amazingly I have a handful of messages from the late 70s (a
| couple of jokes and a couple of personal messages from friends
| who passed away young) that have survived the file format
| transitions since then but I couldn't imagine could appear in
| something like google or yahoo mail. TBH I haven't made that
| many transitions: EMACS (BABYL) on ITS, then TOPS-20; Interlisp
| and Smalltalk clients to Grapevine back end; Lispm to TOPS-20
| back end; GNU Emacs (rmail?) to IMAP; and then Apple Mail
| (macOS and iOS) -> IMAP. Emacs is the most powerful but these
| days still hard to put in your pocket.
|
| In general a web browser seems like the _worst_ interface to
| most services and activities as the UI can't be dedicated to
| the task at hand; instead you have system UI, Browser UI and
| only then the application UI. And a lot of mouse activity is
| expected.
| stock_toaster wrote:
| ;_; one of us. one of us.
|
| What's a good alternative for macOS these days? I loved Sparrow
| back in the day, before it got acquired and killed by Google.
| djxfade wrote:
| I personally love Mimestream. It's a native Gmail client.
| _alex_ wrote:
| Mailmate is pretty awesome
| politician wrote:
| With the Mail.app pegging their CPU to 100%, those three people
| are unlikely to notice. Frankly, it's unlikely for the attacker
| to be able to do anything either, aside from force-terminating
| Mail.app.
|
| (Disclaimer: I want to like Mail.app, but I don't need another
| fan in my office.)
| oleganza wrote:
| I've been using Mail.app since 2007 when I switched to Mac and
| never had issues other than a couple of times around 2009-10
| when it had sync problems with Gmail. ¯\_(ツ)_/¯
| codezero wrote:
| The post indicated that the attacker can change the
| configuration, filters, as well as forwarding rules (exfil);
| this doesn't seem terribly benign.
| veselin wrote:
| A new Mac comes with something like 30 apps in the bar. I
| clicked and disabled every single one of them except Finder and
| used Safari to download another browser. If it was any other
| manufacturer, this mess would be quickly denounced by reviewers
| as crapware. But because it is by Apple, it is not a problem at
| all.
|
| I am not expecting this to fix itself. Maybe some major
| review blogs should first not parrot how magical the whole
| thing is and change the tone, as such things are not only
| annoying, but also a security risk even if you don't actively
| use the app. I am not an expert on development for macOS, but I
| would be surprised if there is no way to trigger the mail app
| from another app or a link. I just hope the bug is not
| exploitable this way.
| Aloisius wrote:
| I'm not sure I could classify any of the 23 items in the default
| dock as crapware.
|
| None are demos or trialware. Hell, I use all of them except
| for FaceTime, Podcasts, Pages, TV and Launchpad.
|
| I do remove most of them from the dock since I use Spotlight
| to launch things, but removing System Preferences from my
| dock hardly makes it crapware.
| blacksmith_tb wrote:
| I assume you mean the Dock? I am with you there, on a new
| install of macOS I drag pretty much all their apps out of it
| (to be fair, I do the same thing on a new Ubuntu desktop
| install too...). Of course in a sense the Dock is an
| anachronism; I find it useful once in a while to drag a
| file onto an app there, but generally for launching apps I
| prefer Spotlight (actually Alfred).
| ratww wrote:
| That's not what the statistics say:
|
| https://emailclientmarketshare.com
| wahern wrote:
| Wow, Mail.app has more market share than Outlook. I'm
| pleasantly surprised. Ditto for GMail only having ~30%.
|
| Although,
|
| > Since determining the client in which an email is opened
| requires images to be displayed, the data for some email
| clients and mobile devices might be over- or under-
| represented due to automatic image blocking.
|
| Outlook doesn't display external images by default, while
| Mail.app does, so....
| uberduper wrote:
| As far as I know and recall from the years I've been using
| Mail.app, it does not download external images by default.
| wahern wrote:
| It does. I even provided a citation several weeks ago in
| another thread, though a quick Google search seems to
| bring up ample support of its own.
|
| Like me you may have disabled it and forgotten. Whenever
| I get a new laptop at work I tend to go through and
| change all the defaults, such as reverting to plaintext
| composition, and habitually disable external image
| loading as part of the process.
|
| The iPhone Mail app may have saner defaults, however, but
| I don't have an iPhone and have never used its e-mail
| client.
| zakki wrote:
| Did Apple exclude Mail.app from their privacy focused
| strategy?
| iamacyborg wrote:
| Also, I assume there's a different demographic that uses
| Mail vs Outlook. Those different demographics will receive
| different types of email, which may or may not be
| represented differently by companies who use Litmus
| tracking which is how this data is being collected.
| cozzyd wrote:
| Right, neither does Evolution or Thunderbird. It's crazy
| that Mail.app does this.
| uncledave wrote:
| Am I the only one using Outlook and loving it?
| fullwaza wrote:
| Yes
| munk-a wrote:
| No - I still don't like it myself but they've made some
| pretty great strides in feature parity and have excellent
| integration if you're a Teams shop.
| roym6 wrote:
| Outlook on Mac consumes outrageous amounts of ram...
| darkwater wrote:
| Absolutely. Mail.app on Windows instead is pretty
| lightweight /s
| LegitShady wrote:
| It's gotten better but it's still not great.
| mhh__ wrote:
| I'm surprised how high the iPhone share is. Specifically in
| light of it usually being stated in any thread discussing
| apple and regulation that Apple do not have anything close to
| a controlling share of the market.
| kps wrote:
| What are the options for those who foolishly installed an OS
| version later than Snow Leopard and can't run Eudora?
| Someone wrote:
| Porting the Mac version to a modern Mac OS will be a serious
| challenge, but source code is available (BSD-licensed). See
| https://computerhistory.org/blog/the-eudora-email-client-sou....
| wahern wrote:
| The feature accretion and default layout redesigns have
| increasingly become a headache, but Mail.app still seems like
| the spiritual successor to Eudora, which may have remained the
| most popular desktop e-mail GUI if Microsoft hadn't leveraged
| their monopoly in the business workstation and LAN markets to
| push the adoption of Outlook. I use mutt for personal e-mail,
| but prefer Mail.app for work.
| rvz wrote:
| Your comment is about to become dead. I'll preserve the context
| here:
|
| > That's gonna be devastating to the three people who use
| Mail.app
|
| Multiply that by 100,000,000
| codezero wrote:
| It's my main email client, what's wrong with it?
| tasogare wrote:
| What's right with it? I tried it a few times and always
| returned to web-based clients (on desktop) and third-party
| apps (Outlook, Gmail, ProtonMail) on iOS.
| techbubble wrote:
| I find it works very well, so basically everything seems
| right. Use it for nine accounts concurrently. Rarely have
| any issues.
| duiker101 wrote:
| So what's wrong with it?
| sixstringtheory wrote:
| What web-based client will allow you to read email without
| an Internet connection in Safari?
|
| What marginal advantage does a third-party iOS client
| provide, that outweighs the risks of installing another app
| that is going to spy on me, have weaker integration with
| the OS and force me to relearn every new UI design language
| they come up with that in no way resembles the rest of the
| OS or its function and behavior?
| Aloisius wrote:
| Web Gmail sucks when you have multiple accounts.
| sneak wrote:
| I am one of those three people. Do you know of any decent gui
| IMAP clients?
| _alex_ wrote:
| I like Mailmate
| sneak wrote:
| If I switch, it will need to be to something that works on
| more than just macOS, and nonfree software will be excluded
| from consideration.
| igammarays wrote:
| Ok, remind me never to approach Apple directly if I happen to
| find a vulnerability. Zerodium (or a 3-letter agency) it is!
| mhh__ wrote:
| > 3-letter agency
|
| From the wikipedia page for Meltdown: "On 8 May 1995, a paper
| called "The Intel 80x86 Processor Architecture: Pitfalls for
| Secure Systems" published at the 1995 IEEE Symposium on
| Security and Privacy warned against a covert timing channel in
| the CPU cache and translation lookaside buffer (TLB). This
| analysis was performed under the auspices of the National
| Security Agency's Trusted Products Evaluation Program (TPEP)."
|
| i.e. did they know even in 1995?
| vmladenov wrote:
| My understanding is that people at the time were aware of
| potential problems but no vulnerability had been identified.
| I found some discussion here:
| https://security.stackexchange.com/a/177256
| gruez wrote:
| Is this referencing the slow turnaround time, or the lack of a
| bounty paid so far? If it's the latter, I think it's already
| well known that bug bounties pay far less than the "market"
| value of such exploits.
| igammarays wrote:
| > well known
|
| Well I didn't know, until now. I saw the bug bounty page at
| Apple before, was dazzled by the numbers, and didn't think
| twice about approaching them if I found a bug. Now after this
| article I know better than to trust them to pay.
| musicale wrote:
| > Mail will parse it to find out any attachments with
| x-mac-auto-archive=yes header in place. Mail will uncompress
| those files automatically.
|
| What could possibly go wrong? ;-/
| tyingq wrote:
| I thought macOS mail rules could also run a snippet of
| AppleScript. Wouldn't that make this an RCE?
|
| Or maybe the script has to exist in some folder this
| vulnerability doesn't have access to?
| turmio wrote:
| That's what I thought at first too (I am the author). And your
| guess for the reason is right. AppleScripts need to be stored
| in the ~/Library/Application Scripts/com.apple.mail directory,
| which is outside of the sandbox.
| hkdobrev wrote:
| Please don't use "zero" and "vulnerability" in the same sentence,
| unless you mean a zero-day one. The author could have said "no
| click vulnerability" with the same meaning. Almost caused me a
| concern with that title! :D :D
| turmio wrote:
| Sorry about that. But that's the term Apple uses for these
| types of bugs: https://developer.apple.com/security-bounty/
| (Zero-click unauthorized access to sensitive data)
| lupire wrote:
| That's a terrible unzip program. Unzip programs should not write
| to arbitrary locations while unzipping.
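An added illustration of the rule lupire states (and of the symlink hazard asddubs alludes to), written for this editorial pass rather than taken from the thread or the original post: an extractor that refuses symlink members and any member whose path resolves outside the destination, exercised against constructed sample archives. It assumes plain zip archives as a stand-in for whatever container the auto-archive feature handles; the archive contents and file names are made up for the test.

```python
import io
import os
import stat
import tempfile
import zipfile

class UnsafeArchiveError(Exception):
    """A zip member would land outside the destination directory."""

def build_archive(entries):
    """Build an in-memory zip from (name, content, is_symlink) tuples; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            if is_symlink:
                # Unix zips keep the mode in the high 16 bits; a symlink's "content" is its target.
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, content)
    return buf.getvalue()

def safe_extract(data, dest):
    """Extract zip bytes into dest; refuse symlink members and any path resolving outside dest."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafeArchiveError("symlink member refused: " + info.filename)
            # realpath follows links in every parent component, so a link already
            # present in dest cannot redirect this write somewhere else.
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise UnsafeArchiveError("escapes destination: " + info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written

def classify(data):
    """Extract into a fresh temp dir; return ('ok', files) or ('refused', reason)."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            return ("ok", safe_extract(data, dest))
        except UnsafeArchiveError as exc:
            return ("refused", str(exc))
```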
| microtherion wrote:
| Thanks for an exceptionally clear writeup. Pay that person their
| bounty!
| turmio wrote:
| Thanks!
| nvahalik wrote:
| Use MailMate!
|
| https://freron.com/
| LVB wrote:
| How has maintenance & bug fixing been? I'm OK with mature apps
| stabilizing and needing few updates, though since it is a
| single dev with somewhat infrequent changes I thought I'd ask
| (https://updates.mailmate-app.com/release_notes).
___________________________________________________________________
(page generated 2021-04-01 23:00 UTC)