Thursday, June 23, 2011

Apple fixes CVE-2011-0207 in Mac OS X v10.6.8 / Security Update 2011-004


In today's update, Apple is fixing a security issue that was disturbing for me to see, but is definitely not even close to the most serious security holes in the update (there are several that look like they would be useful in creating drive-by -> code execution).  

Just for the sake of documenting this bug fully, here are some details.  The issue only affects MobileMe users and is that upon attempting to compose your first email after launching Mail.app, cleartext requests are made to Apple servers and return back a list of your email aliases.  

When users want to secure the traffic from Mail.app, they would typically enable SSL for incoming and outgoing mail, which happens to be the default for MobileMe accounts, and also likely disable the loading of remote images.

Incoming, Outgoing, and Remote Images:


However despite these settings your aliases are transferred in the clear, exposing MobileMe usernames and alternate identities on the wire.  The data returned looks something like this:

<?xml version="1.0" encoding="UTF-8"?>
<Aliases xmlns="http://www.me.com/xml/1.0/alias">
    <DisposableEmail>
        <email>ThisIsSomeAlias@me.com</email>
        <color>#737373</color>
        <alias>this is some alias</alias>
        <name>my alter ego</name>
    </DisposableEmail>
</Aliases>

I should note that in my tests, downgrading from digest authentication to basic authentication failed to leak the user's MobileMe password.  So unlike in the case of the CVE-2010-3831, which I found using the same old silly proxy server method, this was far less serious.  Though it is worth noting a web page can trigger this behavior simply by pushing your browser to a "mailto:" URL, so it could be done on demand assuming Mail.app isn't already running.

Not that it should be a surprise to anyone, but I was also able to spoof a response from the server that caused my available "From" addresses to include attacker created/injected email addresses.  I was not able to make mail use any of these addresses by default on creation of new mail.

Regarding iCloud, I hope that Apple is taking this opportunity to make it so that bugs like this are mitigated through design.  If you have a fancy new web service, why not kick it off by doing all the things you're supposed to.  For example, if they allow HTTP/unencrypted access to iCloud services I will be really disappointed.

Apple's advisory is available at http://support.apple.com/kb/HT4723
The update is available via Software Update