Apple Mail Zero-Click Security Vulnerability

Apple has released an emergency update for its iOS, iPadOS, and watchOS operating systems to patch a zero-day security flaw that is being actively exploited in the wild. The vulnerability affects multiple models of iPhone, iPad, Apple Watch, and iPod touch.

“Apple is aware of a report that this issue may have been actively exploited,” reads Apple’s security advisory describing the security hole that is being plugged with the release iOS 14.4.2 and iPadOS 14.4.2.

The list of impacted devices includes iPhone 6s and later, all versions of the iPad Pro, iPad Air 2 and later, the 5th generation of iPad and later, iPad mini 4 and later, and the 7th generation of the iPod touch. The Cupertino-based tech giant also issued security updates for its Apple Watch products (watchOS 7.3.3).

Apple’s iPhone and iPad products are regularly targeted by attackers. In a November update, the company patched three issues in iOS and the iPadOS that were also being actively exploited, according to Google’s Project Zero team, which reported the issues. In addition, commercial spyware providers have incorporated exploits for Apple’s mobile operating systems purchased from the gray market to allow the governments of smaller nations to conduct “zero-click” attacks, The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at University of Toronto, documented in late December.

Apple’s iOS currently appears to have more than a quarter of the worldwide market share for mobile operating systems, compared with more than 70% for Android-powered mobile devices, according to StateCounter’s GlobalStats report.

While users of Android devices need to beware of malicious files and may want to consider running anti-malware solutions, users of Apple’s mobile operating systems need to worry most about fileless attacks, such as drive-by downloads, which the current vulnerabilities would allow, says Chebyshev.

“Users of Android and iOS-based devices have to pay attention to the security of their devices,” he says. “The truth is that both platforms are well secured but still have their own problems.”

The three vulnerabilities include two logic issues in Webkit (CVE-2021-1870 and CVE-2021-1871) that allow arbitrary code to be executed, requiring stronger restrictions to mitigate, Apple stated in its advisory. The third vulnerability (CVE-2021-1782) affected the kernel of the operating system, which failed to lock down specific memory from being changed while in use — a vulnerability known as a race condition. Apple improved the locking mechanism for the memory, the company stated.

Zero-Click Attack Path

To exploit the bug, a cyberattacker could email two .ZIP files as attachments to the victim, according to the analysis. When a user receives the email, the Mail app will parse it to find any attachments with x-mac-auto-archive=yes header in place. Mail will then automatically unpack those files.

“The first .ZIP includes a symlink named Mail which points to victims’ $HOME/Library/Mail and file 1.txt,” said Kenttälä. “The .ZIP gets uncompressed to $TMPDIR/ Based on the header, 1.txt gets copied to the mail director and everything works as expected. However, cleanup is not done right way and the symlink is left in place.”

“The second attached .ZIP includes the changes that you want to do to $HOME/Library/Mail. This will provide arbitrary file write permission to Library/Mail,” the researcher explained. “In my example case I wrote new Mail rules for the Mail application. With that you can add an auto forward rule to the victim’s Mail application.”

This arbitrary write access means that an attacker can manipulate all of the files in $HOME/Library/Mail, he added.

CVE-2020-9922 is rated 6.5 on the CVSS vulnerability-severity scale, making it medium-severity, but the researcher stressed that successful exploitation could “lead to many bad things.”

“As shown, this will lead to exposure of the sensitive data to a third party through manipulating the Mail application’s configuration,” he said. “One of the available configuration options is the user’s signature which could be used to make this vulnerability wormable. There is also a chance that this could lead to a remote code-execution (RCE) vulnerability, but I didn’t go that far.”