Zero-click vulnerability in Apple’s macOS Mail

What's the threat?

A zero-click security vulnerability, tracked as CVE-2020-9922, has been found in Apple’s macOS Mail. It could allow a threat actor to add or modify arbitrary files inside the Mail sandbox environment, which could result in disclosure of sensitive information and modification of Mail configuration. That in turn could provide access to the victim's mail and allow a threat actor to take over other accounts via password resets, or even to propagate to contacts in a worm-like manner.

Advice on how you can avoid this:

The NCSC generally recommends following vendor best practice advice in the mitigation of vulnerabilities.

For all your IT equipment (tablets, smartphones, laptops and PCs), make sure that the software and firmware are always kept up to date with the latest versions from software developers, hardware suppliers and vendors. Enable automatic updating where possible.

More cyber security advice and guidance can be found at www.ncsc.gov.uk