Apple Fixed macOS Mail Vulnerability That Exposed Text of Encrypted Emails in macOS Catalina 10.15.3

MacRumors

macrumors bot
Original poster
Apr 12, 2001



Apple in macOS 10.15.3 quietly addressed a bug that left some of the text of encrypted emails unencrypted, reports The Verge.

This particular vulnerability was publicized back in November, after IT specialist Bob Gendler found that the snippets.db database file used by a Siri feature to offer up contact suggestions stored encrypted emails in an unencrypted format.

A demonstration from Gendler showing the bug. The image features a private key that has been made unavailable in Mail, rendering the message unreadable. It continues to be available in the database, though.

Gendler reported the bug to Apple in July, but shared details in November after Apple failed to fix it. After the bug was announced to the public, Apple promised that a fix was coming in a future version of macOS.

Only a small number of people were affected by the bug because it required a very specific set of steps to reproduce. It required customers to be using macOS and the Apple Mail app to send encrypted emails. It did not impact those who had FileVault turned on, and a person who wanted to access the information would have also needed to know where in Apple's system files to look and have had physical access to a machine.

Apple didn't mention the bug fix when macOS Catalina 10.15.3 was released last week, but the update does indeed appear to address the issue, Gendler told The Verge.

According to Gendler, macOS Catalina 10.15.3 prevents encrypted emails from appearing in Spotlight searches, and the database file that used to include encrypted emails no longer does so.

Article Link: Apple Fixed macOS Mail Vulnerability That Exposed Text of Encrypted Emails in macOS Catalina 10.15.3
 
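A check a practitioner could run on their own Mac to confirm the fix described above (an added example, not code from this thread, from The Verge or from Gendler): mail yourself an S/MIME-encrypted message whose body contains a unique marker string, then scan the snippets.db database for that marker. The path ~/Library/Suggestions/snippets.db is assumed from Gendler's write-up and is not stated in this thread; the scan walks sqlite_master and so does not depend on the undocumented table layout. The database built by build_sample_db() is constructed here to mimic the failure mode and is not real Mail data.

```python
"""Scan a SQLite file (such as Mail's snippets.db) for a plaintext marker.

Assumed path, taken from Gendler's write-up rather than this thread:
    ~/Library/Suggestions/snippets.db
Run on a Mac after mailing yourself an S/MIME-encrypted message whose body
contains the marker:
    python3 scan_snippets.py ~/Library/Suggestions/snippets.db CANARY-7f3a
"""
import os
import shutil
import sqlite3
import sys
import tempfile
from pathlib import Path


def _quote_ident(name):
    """Double-quote an SQL identifier (table/column name) safely."""
    return '"' + name.replace('"', '""') + '"'


def scan_sqlite_for_marker(db_path, marker):
    """Return [(table, column, rowid), ...] for every cell whose text contains
    marker. Walks sqlite_master so it works without knowing the layout of the
    (undocumented) snippets.db schema."""
    hits = []
    # Read-only URI so the check can never modify the live database.
    uri = Path(os.path.abspath(db_path)).as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(
                "PRAGMA table_info(%s)" % _quote_ident(table))]
            for col in cols:
                # CAST so BLOB-stored strings are searched too; instr() is a
                # literal, case-sensitive substring test (no LIKE wildcards).
                sql = "SELECT rowid FROM %s WHERE instr(CAST(%s AS TEXT), ?) > 0" % (
                    _quote_ident(table), _quote_ident(col))
                for (rowid,) in conn.execute(sql, (marker,)):
                    hits.append((table, col, rowid))
    finally:
        conn.close()
    return hits


def build_sample_db(path):
    """Constructed sample data (not a real snippets.db) mimicking the bug:
    one row holds a message body that should only exist in encrypted form."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT, body TEXT);
        CREATE TABLE contacts (name TEXT, email BLOB);
    """)
    conn.executemany("INSERT INTO messages (subject, body) VALUES (?, ?)", [
        ("lunch", "see you at noon"),
        ("Q3 numbers", "CONFIDENTIAL draft, marker CANARY-7f3a"),
    ])
    conn.execute("INSERT INTO contacts VALUES (?, ?)", ("Bob", b"bob@example.com"))
    conn.commit()
    conn.close()


def demo(marker="CANARY-7f3a"):
    """Build the constructed database in a temp dir, scan it, return the hits."""
    tmp = tempfile.mkdtemp()
    try:
        db = os.path.join(tmp, "snippets.db")
        build_sample_db(db)
        return scan_sqlite_for_marker(db, marker)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: scan_snippets.py <snippets.db> <marker>")
        sys.exit(2)
    found = scan_sqlite_for_marker(sys.argv[1], sys.argv[2])
    for table, col, rowid in found:
        print("marker found in %s.%s (rowid %d)" % (table, col, rowid))
    # Exit non-zero when the marker leaked so the check can be scripted.
    sys.exit(1 if found else 0)
```

On a patched 10.15.3 system the scan of the real database should return no hits for a marker that only ever appeared inside an encrypted message; a hit means the plaintext is still being indexed. Because the file is opened read-only, the check is safe to run against the live database, and the marker should be something that cannot appear in any unencrypted mail you receive.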

CarlJ

macrumors 68040
Feb 23, 2004
San Diego, CA, USA
Apple in macOS 10.15.3 quietly addressed a bug that left some of the text of encrypted emails unencrypted, reports The Verge.
These security changes that are reported as "quietly addressed" are usually explained with a bit of detail on the security-related emails that Apple always sends out around the time of software updates, if you're on the right mailing lists. They list the holes patched, the potential for damage, who reported it, and the CVE numbers associated with the vulnerabilities.
 

konqerror

macrumors 65816
Dec 31, 2013
These security changes that are reported as "quietly addressed" are usually explained with a bit of detail on the security-related emails that Apple always sends out around the time of software updates, if you're on the right mailing lists.
Wrong. There's nothing matching this issue in the announcements.

Even if they did, have you ever read those security announcements? They have the least amount of information possible. Everything is usually a "logic issue". Microsoft is far more informative with affected versions, mitigations (i.e. turn on FileVault), CVSS scores, etc.

Security
Available for: macOS Catalina 10.15.2
Impact: A malicious application may be able to break out of its sandbox
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3854: Jakob Rieck (@0xdead10cc) and Maximilian Blochberger of the Security in Distributed Systems Group of University of Hamburg
Entry updated February 3, 2020
 

Analog Kid

macrumors 601
Mar 4, 2003
Just read yesterday's publication (or from two days ago) regarding a vulnerability in Google, you will find plenty of those messages.
Then it should be easy to quote one.

“Find the publication in the last few days” isn’t a proper citation. I’ve no idea what you’re talking about.
 

Hastings101

macrumors 68020
Jun 22, 2010
Then it should be easy to quote one.

“Find the publication in the last few days” isn’t a proper citation. I’ve no idea what you’re talking about.
This kind of thing only happens to evil Google, Microsoft, or Android.

Hastings101. Apple Fixed macOS Mail Vulnerability That Exposed Text of Encrypted Emails in macOS Catalina 10.15.3. Macrumors forums, February 6, 2020. Macrumors. https://forums.macrumors.com/threads/apple-fixed-macos-mail-vulnerability-that-exposed-text-of-encrypted-emails-in-macos-catalina-10-15-3.2222410/.
 

CarlJ

macrumors 68040
Feb 23, 2004
San Diego, CA, USA
me:
are usually explained.
you:
Wrong. There's nothing matching this issue in the announcements.
I’m thinking you may not understand the word “usually” or maybe the word “wrong”. These kinds of issues usually do get some explanation in the security announcement emails from Apple. I get them most of the times that new point releases come out from Apple - often I am alerted to new point releases by the arrival of those messages. So I stand by my statement - it’s not wrong. If they haven’t included it in the mail this time, that doesn't negate the fact that they usually do.
 

MDF314159265

macrumors 6502
Sep 4, 2010
Temecula, CA
What if all these “bugs” or “potential security vulnerabilities” were “secretly” placed by Apple intentionally only to later be used as an excuse to push another “update” to “patch” those “bugs/vulnerabilities,” but they’re really just pushing more software to break/slow older devices? And “security” is used as a scare tactic to make you wanna update? 🤯
 

Analog Kid

macrumors 601
Mar 4, 2003
What if all these “bugs” or “potential security vulnerabilities” were “secretly” placed by Apple intentionally only to later be used as an excuse to push another “update” to “patch” those “bugs/vulnerabilities,” but they’re really just pushing more software to break/slow older devices? And “security” is used as a scare tactic to make you wanna update? 🤯
Ah yes, the old "drag the company reputation through the mud to encourage new sales" trick. Very clever indeed!