Mail.app in 10.12 and 10.13.2 beta 6 Vulnerable to Mailsploit Exploit

Originator:broccardo
Number:rdar://35880860 Date Originated:12/6/2017
Status:Open Resolved:
Product:Mail.app Product Version:10.3 build 3273 and 11.2 build 3445.5.20
Classification:Security Reproducible:Yes
 
Summary:
Please see here for full details: https://www.mailsploit.com/index

Mail.app in both 10.12.6 (Version 10.3 / 3273) and 10.13.2 beta 6 (Version 11.2 / 3445.5.20) is vulnerable to the spoofed-sender messages described at that link.

Steps to Reproduce:
Using the testing tool provided on the Mailsploit explanation site, send the test messages. In either version of Mail.app, check whether the messages are delivered and how the sender is displayed.

Expected Results:
In a properly patched client, the spoofed messages should be rejected and/or flagged as suspect.

Actual Results:
Test messages are received in the Inbox without any warning.

Version/Build:
10.12.6 (16G1036) and Mail 10.3 build 3273
10.13.2 beta 6 (17C85a) and Mail Version 11.2 build 3445.5.20
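Added example, not code from this radar or from the mailsploit.com testing tool: it builds a From header in the style of the published Mailsploit pattern (the spoofed address packed into an RFC 2047 encoded-word, followed by an encoded NUL, followed by the real sending domain) and then runs the kind of check a patched client should apply, decoding the encoded-words and flagging control characters or a rendered domain that differs from the literal domain in the header. The addresses and names are constructed sample data, and the "rendered" value assumes a client that stops drawing the sender at the first NUL byte.

```python
"""Mailsploit-style From header: constructing one and detecting one.
Added example; addresses and domains below are constructed sample data."""
import base64
import re
from email.header import decode_header

# Control characters never belong in a decoded display name or address.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def mailsploit_style_from(spoofed: str, real_domain: str) -> str:
    """Pack `spoofed` into a base64 encoded-word, append a Q-encoded NUL in a
    second encoded-word, then the real domain. A client that decodes the
    encoded-words and stops rendering at the NUL shows only `spoofed`, while
    the domain that SPF/DKIM/DMARC evaluate is still `real_domain`."""
    b64 = base64.b64encode(spoofed.encode()).decode()
    return f"=?utf-8?b?{b64}?==?utf-8?Q?=00?=@{real_domain}"


def decode_from_header(raw: str) -> str:
    """Decode every encoded-word in a header into one Unicode string,
    deliberately keeping control characters so they can be inspected."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def _domain_after_last_at(s: str) -> str:
    # Simplified extraction for this example; a real client should use a
    # proper address parser rather than string splitting.
    if "@" not in s:
        return ""
    return s.rsplit("@", 1)[1].strip().rstrip(">")


def inspect_from_header(raw: str) -> dict:
    """Return the fully decoded header, what a NUL-truncating renderer would
    show, the literal domain in the raw header, and a suspect verdict."""
    decoded = decode_from_header(raw)
    rendered = decoded.split("\x00", 1)[0]
    actual_domain = _domain_after_last_at(raw)
    rendered_domain = _domain_after_last_at(rendered)
    has_control = bool(CONTROL_CHARS.search(decoded))
    domain_mismatch = bool(rendered_domain) and rendered_domain != actual_domain
    return {
        "decoded": decoded,
        "rendered": rendered,
        "actual_domain": actual_domain,
        "suspect": has_control or domain_mismatch,
    }


if __name__ == "__main__":
    # Constructed sample: the spoofed address is a placeholder, the "real"
    # domain is the one the message would actually be sent from.
    hostile = mailsploit_style_from("potus@whitehouse.gov", "mailsploit.com")
    benign = "=?utf-8?q?J=C3=BCrgen_M=C3=BCller?= <jm@example.com>"
    for label, hdr in (("hostile", hostile), ("benign", benign)):
        print(label, hdr)
        print("   ", inspect_from_header(hdr))
```

The benign header shows that ordinary encoded-words (non-ASCII display names) decode cleanly and are not flagged, so the check does not simply reject every RFC 2047 From header; only the presence of control characters, or a rendered address whose domain disagrees with the domain that actually follows the last "@", trips the suspect flag.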

Comments

Has been marked as a duplicate

