AirMail 3 for macOS users are being warned about four possible exploits. One of these could be triggered simply by opening an email. Until these issues are resolved, folks are being encouraged not to use the software.
First discovered by VerSprite, the first exploit can arrive in an email that includes a link containing a URL request. That, in turn, could use a “send mail” function to send an email back without the user’s knowledge.
As part of its discovery, VerSprite researchers have also found code in AirMail 3 that makes the client attach files to an outbound mail automatically. This could allow someone to receive emails and attachments without a user’s knowledge.
A third AirMail 3 vulnerability, called an “incomplete blacklist” of HMTM Frame Owner Elements, might allow someone to use Webkit Frame instances to be opened through email.
Finally, a fourth vulnerability could activate just by opening an email, thereby requiring no clicking to get started. In some situations, the EventHandler navigation filter could be bypassed, allow an embedded HTML element to open without any user intervention.
According to AppleInsider, Airmail on sending out a fix “probably today.” However, it also said the potential impact of the exploit is “very hypothetical,” noting that no users have reported a problem.
Meanwhile, researcher Fabius Watson has a simple suggestion to AirMail users: “I would avoid using Airmail 3 until this is fixed.”
We’ll continue to follow this story and provide updates as warranted.