Last night, I was reading a story on Hacker News about a security vulnerability that kind of scared me. https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c It's worth reading, but the gist, as I understand it, is as follows.
Apple fixed the problem last summer in High Sierra and newer†, but I'm running Mavericks. So I spent some time this morning writing a SIMBL plugin to remove the underlying problem, which is that Apple Mail will automatically extract certain zip files. That was always a disaster waiting to happen.
github.com
It's only a few lines of code, so I think it will possibly maybe probably work on anything newer than 10.6, but I've only tested it on 10.9. SIMBL is required.
After installing the plugin, restart Apple Mail. You'll know that it's working if you can email yourself a folder (drag a folder into the compose window) and it arrives as a zip file rather than a folder. (Hint: it isn't actually possible to attach folders to an email, which is why this feature existed in the first place.)
Please note: I made this today in 90 minutes, between the time I woke up and the time I had to start work. I believe it will fix the vulnerability, but if I'm wrong somehow and you get hacked anyway, I accept zero responsibility. 🙂
Anyway, just wanted to share. Hopefully it works and is useful, and I didn't scare anyone too much. There are of course other vulnerabilities in old software, but most of them don't worry me like this one did.
† Apple's update did not, however, actually stop Mail from automatically extracting zip files, so expect this to come back at some point...
- If Apple Mail sees an email with an attached zip file and some special metadata, it will extract the zip file automatically. The user does not have to do anything.
- Because Apple Mail doesn't handle symlinks properly, a zip file could overwrite any other file in Apple Mail's sandbox with its own version when extracted
- The list of mail rules is stored inside of Apple Mail's sandbox.
Apple fixed the problem last summer in High Sierra and newer†, but I'm running Mavericks. So I spent some time this morning writing a SIMBL plugin to remove the underlying problem, which is that Apple Mail will automatically extract certain zip files. That was always a disaster waiting to happen.
Releases · Wowfunhappy/Fix-Apple-Mail-CVE-2020-9922
Contribute to Wowfunhappy/Fix-Apple-Mail-CVE-2020-9922 development by creating an account on GitHub.
github.com
It's only a few lines of code, so I think it will possibly maybe probably work on anything newer than 10.6, but I've only tested it on 10.9. SIMBL is required.
SIMBL is an open source framework for injecting code into Cocoa apps. Over the years, developers have created different versions of SIMBL for different versions of OS X. I generally recommend:
- SIMBL 0.99 on 10.6 Snow Leopard.
- EasySIMBL on 10.7 and 10.8.
- Mavericks SIMBL on 10.9 Mavericks. (This is my package, and to my knowledge the only option on 10.9.5 build 13F1911.)
- mySIMBL on OS X 10.10 – 10.12.
- MacForge on macOS 10.13+
/Library/Application Support/SIMBL/Plugins/.After installing the plugin, restart Apple Mail. You'll know that it's working if you can email yourself a folder (drag a folder into the compose window) and it arrives as a zip file rather than a folder. (Hint: it isn't actually possible to attach folders to an email, which is why this feature existed in the first place.)
Please note: I made this today in 90 minutes, between the time I woke up and the time I had to start work. I believe it will fix the vulnerability, but if I'm wrong somehow and you get hacked anyway, I accept zero responsibility. 🙂
Anyway, just wanted to share. Hopefully it works and is useful, and I didn't scare anyone too much. There are of course other vulnerabilities in old software, but most of them don't worry me like this one did.
† Apple's update did not, however, actually stop Mail from automatically extracting zip files, so expect this to come back at some point...
Last edited:
