A newly discovered exploit that affects more than 30 widely used email applications could allow attackers to spoof sender addresses and, in some cases, carry out cross-site scripting (XSS) and code injection attacks. “Mailsploit” is the collective name for several vulnerabilities affecting email clients, including Microsoft Outlook 2016, Mail for Windows 10, Apple Mail (including the macOS, iOS, and watchOS versions), Mozilla Thunderbird, and Yahoo Mail for iOS and Android.
Mailsploit was discovered by security researcher Sabri Haddouche, who published his findings on Tuesday, December 5, 2017. Haddouche said Mailsploit had been found and confirmed in 33 different products.
What is Mailsploit?
If successfully exploited, Mailsploit allows an attacker to falsify the address an email appears to come from. It takes advantage of flawed implementations of RFC 1342, a 25-year-old specification for carrying non-ASCII text in mail headers using “encoded-words” of the form =?charset?encoding?text?=. An attacker crafts a “From” header whose encoded-word decodes to bytes the client does not expect, such as null or newline characters, so that the address the client displays after decoding is not the address that is actually in the header.
This increases an attacker's chances of successfully delivering a malicious email to a target, since the recipient is more likely to open a message that appears to come from a trusted source.
Spoofing email headers was once a fairly trivial thing to do, but the practice was curtailed by the rollout of safeguards such as Domain-based Message Authentication, Reporting and Conformance (DMARC). Mailsploit does not defeat DMARC itself: the receiving server checks the real, attacker-controlled domain that appears in the raw header and passes the message, while the client shows a different address once it decodes that header. The result is a spoofed message that gets through DMARC-protected mail flows.
Additionally, in some affected email clients Mailsploit also permits code injection and cross-site scripting (XSS) attacks. These include Spark, a mail client for macOS and iOS; the macOS clients Polymail and Airmail; and the mobile apps TypeApp and AquaMail.
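The decoding flaw described above, and why DMARC still passes, worked through as an added Python example. This is not code from Symantec, from Haddouche, or from mailsploit.com; it assumes one plausible shape of the bad header (an encoded-word in the local part whose decoded bytes end in a NUL, with the attacker's real domain after the “@”), and the function names and the domains victim.example, attacker.example and example.net are constructed for the illustration.

```python
import base64
import re
from typing import Optional, Tuple

# RFC 1342 (today RFC 2047) encoded-word: =?charset?encoding?text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
# Bytes that must never survive decoding into a header: NUL, CR, LF and other C0 controls.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_encoded_words(value: str) -> str:
    """Replace every encoded-word in `value` with its decoded text (B and Q encodings)."""
    def decode_one(m) -> str:
        charset, encoding, text = m.group(1), m.group(2).lower(), m.group(3)
        if encoding == "b":
            raw = base64.b64decode(text)
        else:  # Q encoding: '_' is a space, =XX is one hex-encoded byte
            raw = re.sub(rb"=([0-9A-Fa-f]{2})",
                         lambda h: bytes.fromhex(h.group(1).decode("ascii")),
                         text.replace("_", " ").encode("ascii", "replace"))
        try:
            return raw.decode(charset, errors="replace")
        except LookupError:  # unknown charset label: fall back to a 1:1 byte mapping
            return raw.decode("latin-1")
    return ENCODED_WORD.sub(decode_one, value)


def build_spoofed_from(displayed_mailbox: str, attacker_domain: str) -> str:
    """Constructed Mailsploit-style From value (this shape is an assumption for the demo):
    the local part is an encoded-word whose decoded bytes end in a NUL, and the domain
    after '@' is the attacker's real domain, which is what SPF/DKIM/DMARC will check."""
    payload = base64.b64encode((displayed_mailbox + "\x00").encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{payload}?=@{attacker_domain}"


def raw_addr_spec(from_value: str) -> Tuple[str, str]:
    """(local_part, domain) taken from the raw, undecoded header, as a mail server sees it."""
    spec = from_value.strip()
    if spec.endswith(">"):                       # "Display Name <addr-spec>" form
        spec = spec[spec.rfind("<") + 1:-1]
    local, _, domain = spec.rpartition("@")
    return local, domain.lower()


def dmarc_alignment_domain(from_value: str) -> str:
    """Domain DMARC aligns against SPF/DKIM: the raw header domain, never the decoded one."""
    return raw_addr_spec(from_value)[1]


def naive_client_display(from_value: str) -> str:
    """Flawed client: decode the whole header first, then handle the result like a
    NUL-terminated C string. Everything after the NUL, including the real domain, vanishes."""
    decoded = decode_encoded_words(from_value)
    return decoded.split("\x00", 1)[0]


def hardened_client_display(from_value: str) -> Tuple[str, Optional[str]]:
    """Fixed client: take the addr-spec from the raw header and never decode its local
    part; decode only the display name; flag any encoded-word that yields control
    characters. Returns (text to show, warning or None)."""
    local, domain = raw_addr_spec(from_value)
    stripped = from_value.strip()
    raw_name = stripped[:stripped.rfind("<")].strip() if stripped.endswith(">") else ""
    name = decode_encoded_words(raw_name)
    warning = None
    if CONTROL_CHARS.search(name) or CONTROL_CHARS.search(decode_encoded_words(local)):
        warning = "encoded-word decodes to control characters"
    shown = f"{name} <{local}@{domain}>" if name else f"{local}@{domain}"
    return shown, warning


if __name__ == "__main__":
    # Constructed inputs: reserved example domains only.
    spoofed = build_spoofed_from("ceo@victim.example", "attacker.example")
    legit = "=?utf-8?q?Ren=C3=A9_Dupont?= <rene@example.net>"
    for label, header in (("spoofed", spoofed), ("legit", legit)):
        print(f"{label}: From: {header}")
        print("  DMARC alignment domain :", dmarc_alignment_domain(header))
        print("  naive client shows     :", naive_client_display(header))
        print("  hardened client shows  :", hardened_client_display(header))
```

For the spoofed header the server-side alignment domain is attacker.example, which the attacker can legitimately sign, so DMARC passes; the naive client nevertheless shows ceo@victim.example because it decoded before parsing and stopped at the NUL. The hardened path keeps the real domain on screen and raises a warning, while the ordinary non-ASCII display name still decodes normally. This mirrors the server-side rule of not decoding the local part at all.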
Mitigation status of affected software
To date, Mailsploit has been patched in eight products and triaged in 12 more. Two vendors, Mozilla and Opera, said they won’t fix the bug because they consider it to be a server-side problem. Apple Mail, Mail for Windows, and Outlook 2016 are all listed as triaged. The bug has been fixed in Yahoo Mail for iOS and Android.
A full list of affected products and their mitigation status is available at www.mailsploit.com.
Symantec Email Security.cloud and Symantec Messaging Gateway (SMG) message filtering are not affected by any of the vulnerabilities reported at www.mailsploit.com. For general message handling and sender authentication, we do not attempt to decode the local part of the “From” header’s email address, so the encoded-word trick has nothing to act on. Symantec products are also not susceptible to the XSS/code injection portion of the vulnerabilities.
Symantec has the following protection in place to protect customers against these attacks: