Users Discover a Major Security Flaw in Apple’s OS X Yosemite

Scott Calonico

The latest version of Apple’s OS X operating system, Yosemite, brought with it some of the most significant changes seen in some time, including a “love it or hate it” visual overhaul.

Some of the most notable enhancements in Yosemite relate to Apple’s operating system-wide search facility, Spotlight. 

Spotlight has always been a major selling point for OS X, and although Mac-haters will probably disagree, it’s fair to say that despite significant improvements over the years, Microsoft have yet to match the efficiency and sophistication of Spotlight when it comes to Windows search functionality.

The “New Spotlight”

The new Spotlight function in Yosemite, accessed via a menu bar icon or a simple (CMD+SPACE) keyboard shortcut, allows Mac users to search for anything on their system from one simple search box. It’s then possible to view a live preview of each item from within the search results window.

The search results encompass everything from text within documents to items within a user’s Internet browsing history. Spotlight’s results also include the content of email messages, and this is where things have gone a bit wrong for Apple in this iteration.

The Flaw

According to a number of online reports, users and researchers have discovered a significant potential security flaw in how Spotlight interacts with the Apple Mail client.

Essentially, Apple’s preview window shows the entire content of messages that match a search term, including any HTML content (such as embedded pictures and logos). The problem, which will be immediately apparent to technical readers, is that attackers often use this embedded content for malicious purposes, for example by including “tracking pixels” that are fetched from a remote server when the message is rendered and that can provide unauthorised access to system details which shouldn’t be readily available.

According to a Techspot article, user findings have also been replicated by IDG News Services, who have confirmed that the way Spotlight interacts with Apple Mail messages does present a genuine security risk to users. The issue is made worse by the fact that Spotlight includes unopened “junk” emails in the search results, which under usual circumstances users would never risk opening, let alone allow the download of any embedded pictures.
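To make the exposure concrete from a defender’s side, here is an added example (not from the article, and not Apple’s code) that inspects a constructed HTML email body for remote images, which is exactly what a preview pane would fetch on render, and flags the ones that look like tracking pixels. The sample message, host names and the detection heuristics are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML email bodies (not real messages). The first carries a
# legitimate inline logo plus a hidden 1x1 remote image with a per-recipient token;
# the second carries an ordinary remote banner with no token.
TRACKED_HTML = """
<html><body>
<p>Hello,</p>
<img src="cid:logo@example" width="120" height="40" alt="logo">
<p>See our offer.</p>
<img src="http://tracker.example/open.gif?id=abc123" width="1" height="1" style="display:none">
</body></html>
"""
PLAIN_HTML = '<html><body><img src="https://cdn.example/banner.png" width="600" height="90"></body></html>'


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # HTMLParser lowercases attribute names; values may be None
            self.images.append({k: (v or "") for k, v in attrs})


def find_remote_images(html):
    """Return attribute dicts for <img> tags whose src is fetched over the network.
    cid: and data: sources stay local, so only http(s) URLs count as remote."""
    parser = _ImgCollector()
    parser.feed(html)
    return [a for a in parser.images if re.match(r"^\s*https?://", a.get("src", ""), re.I)]


def is_tracking_pixel(attrs):
    """Heuristic: a remote image that is tiny, hidden, or carries a query-string token."""
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
    tokened = "?" in attrs.get("src", "")
    return tiny or hidden or tokened


def scan_message(html):
    """Summarise what rendering this message would leak: every remote image is a
    server round-trip, and suspected trackers tie that round-trip to the recipient."""
    remote = find_remote_images(html)
    return {"remote_images": len(remote),
            "suspected_trackers": [a["src"] for a in remote if is_tracking_pixel(a)]}
```

Any non-zero `remote_images` count means a preview that loads remote content discloses the client’s network address to that server; the tracker list shows which fetches also identify the recipient.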

The Fix

At the time of writing, Apple had yet to make any formal acknowledgement of the issue, leaving users to change a setting to reduce the security risk.

The setting in question is found within OS X Yosemite’s “System Preferences,” and essentially blocks Spotlight from indexing emails and messages. Of course, the problem here is that disabling this functionality also prevents Mac users from enjoying the genuinely useful email search functionality that Spotlight offers.

For this reason, there will currently be plenty of Mac users out there in a hurry to see Apple issue an acknowledgement and a patch. Perhaps this is another one that should be issued as a forced automatic update, just like the one before Christmas that we discussed in this article.