A vulnerability in Apple Mail, tracked as CVE-2020-9922, allows cybercriminals to modify, add or remove any file stored in Mail’s sandbox.
According to the details that are available, the flaw can be triggered when a malicious actor sends the victim an email with two .ZIP files as attachments. No click from the victim’s side is required, and successful exploitation of the vulnerability could lead to a number of further attacks.
The details on the reported Apple Mail flaw reveal that attackers who take advantage of it could gain access to sensitive information and modify the configuration of the victim’s Mail. This, in turn, may lead to mail redirects that enable the malicious actor to take over other accounts of the victim via password resets, or to propagate the attack in a worm-like manner to all of the victim’s correspondents. The settings alterations in Apple Mail may also lead to unauthorized disclosure of sensitive information to third parties.
The CVE-2020-9922 bug was discovered by submitting test messages and tracing the syscalls of the Mail process. The tests revealed that Mail has a function that automatically decompresses attachments that were compressed by another mail recipient. Portions of the decompressed data, however, are not deleted from the temporary directory, and that directory serves many functions that attackers may take advantage of.
The research indicates that, to exploit this flaw, an intruder need only email two .ZIP files as attachments to the user; the Mail app unpacks these attachments immediately.
With a score of 6.5 on the CVSS vulnerability-severity scale, CVE-2020-9922 is considered of medium to high severity; however, the research points out that, if exploited successfully, this bug could lead to “many bad things”.
Even though these details about the severity of the vulnerability have only now become public, users should remain calm, as the bug has already been fixed in macOS Mojave 10.14.6, macOS High Sierra 10.13.6, and macOS Catalina 10.15.5. A simple update to these versions provides the necessary security patches.
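A defender-side check, added here as example code (not from the article or from Apple), that compares a macOS product version against the fixed releases named above. The fixed versions are taken from this article; release lines it does not list are reported as unknown rather than guessed, and `sw_vers` is only used when run on macOS itself.

```python
import subprocess

# Minimum macOS version per release line that contains the CVE-2020-9922 fix,
# as stated in the article above (High Sierra, Mojave, Catalina).
FIXED_VERSIONS = {
    (10, 13): (10, 13, 6),   # macOS High Sierra
    (10, 14): (10, 14, 6),   # macOS Mojave
    (10, 15): (10, 15, 5),   # macOS Catalina
}


def parse_version(text):
    """Turn a `sw_vers -productVersion` string such as '10.14.6' into a 3-tuple."""
    nums = [int(part) for part in text.strip().split(".")]
    while len(nums) < 3:      # some tools report '10.15' with only two components
        nums.append(0)
    return tuple(nums[:3])


def patch_status(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for a macOS product version."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Release line not covered by the fixed versions listed in the article;
        # do not guess, report it for manual review.
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def local_status():
    """Query the running system via sw_vers (macOS only) and classify it."""
    out = subprocess.run(["sw_vers", "-productVersion"],
                         capture_output=True, text=True, check=True).stdout
    return patch_status(out)


if __name__ == "__main__":
    print(local_status())
```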