A zero-click vulnerability has been discovered in Apple’s macOS Mail which allows attackers to take over a users account by adding or modifying any arbitrary file in Apple Mail’s sandbox environment.
The bug known as CVE-2020-9922 can be exploited by sending an email with two .ZIP files attached. Once a user has received these emails Apple’s Mail app will parse it to find any attachments which have x-mac-auto-archive=yes in the header, and automatically unpack the files.
Natalie Page, Threat Intelligence Analyst at Talion, warns of the dangers of the exploited vulnerability, “while this Apple macOS Mail vulnerability has been given a lower severity rating of 6.5, the ease at which an attacker can leverage this exploit, combined with the potentially alarming invasions which can evolve from an infiltration via the vulnerability, are what makes this exploit concerning.”
Natalie goes on to say, “post compromise this vulnerability could allow an attacker the capability to configure account settings for mail redirects, to propagate correspondents, allow account takeovers/password resets, and the ability to retrieve sensitive information. Those users affected and advised to update their system are as follows- macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5.”