[ENABLESECURITY] Apple's Mail.app stores your S/MIME encrypted emails in clear text Oct 06 2008 08:05AM
publists enablesecurity com
Just published the below advisory describing an issue with Mail.app

and a solution. I comment on the flaw on my blog:

http://enablesecurity.com/2008/10/03/apple-mailapp-security-advisory/

An up to date version of the advisory can be found:

http://resources.enablesecurity.com/advisories/apple-mailapp-smime.txt

The advisory was first published on EnableSecurity Newsletter. If

you'd like to subscribe then send an email to

newsletter (at) enablesecurity (dot) com [email concealed]

.....

Apple's Mail.app stores your S/MIME encrypted emails in clear text

Date published: 2008-10-03

Affected version: 3.5 (929.4/929.2)

Unaffected version: Unknown

Summary:

Apple Mail.app does not store S/MIME encrypted emails securely in the

Drafts directory on server.

Impact:

The assumption that the server does not have access to the email

content is violated.

Description:

Apple's Mail.app is the default email application that comes with Mac

OS X machines. It supports S/MIME as standard for encryption and

authentication of emails. However by default Mail.app also has an

option called "Store draft messages on the server" when you are making

use of an IMAP or Exchange server.

The assumption when making use of S/MIME is that no one except you and

the recipient of the email can view your encrypted email - end to end

encryption. Emails are stored in encrypted form on the server and

therefore should not be read by anyone having access to the email

server, thus preventing Man in the Mirity

attacks. What the "Store draft messages on the server" option does is

store a clear text version of the email, until the email is sent.

The problem with this option is that it defies the assumption that the

email is encrypted on the server. This can therefore lead to a false

sense of security and information leakage, which is exactly what

people making use of S/MIME want to prevent.

Solution:

Go to the Preferences and select the account from the accounts tab

Select the "Mailbox behaviors" tab

Uncheck the option "Store draft messages on the server"

Finally, make use of a UPS or similar technology to prevent loosing

your unsaved emails in case of a power interruption or failure.

Mozilla's Thunderbird on Mac OS X is not vulnerable by encrypting the

drafts before they are sent to server. This may also be a way to

mitigate this issue without sacrificing usage of the "Drafts" folder.

Timeline:

Aug 14, 2008: Initial email to Apple's security contact

product-security (at) apple (dot) com [email concealed]

Aug 15, 2008: Was assigned a follow-up id and the security team asked

me for more information.

Aug 17, 2008: Provided full information and explained that this

security issue defies the assumption that with S/MIME email is stored

securely on the server.

Sep 11, 2008: Sent a follow-up email to the Apple security team

without any response

Sep 16, 2008: Another attempt to contact the Apple security team.

Sep 19, 2008: Received a response from Apple letting me know that: "A

complete solution for the issue may involve significant architectural

changes, so at this time it's difficult to estimate the timeframe or

release vehicle for a fix."

DISCLAIMER

The information in this advisory is provided by EnableSecurity as a

courtesy and without any representations or warranties. Recipients

are advised to conduct their own investigation and due diligence

before relying on its contents.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus