Apple Mail Vulnerability April 2021


We have received a security notification regarding Apple Mail on all Macs running versions of software older than macOS Mojave 10.14.6, macOS High Sierra 10.13.6, and macOS Catalina 10.15.5, including all versions of macOS older than 10.13.
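To check a Mac against the versions listed above, the following shell function compares a macOS version string with the minimums named in this notice. It is an added example, not part of the original notification; the function name `mail_notice_status` is hypothetical, and treating macOS 11 and later as outside the affected range is an assumption drawn from the notice's wording.

```shell
#!/bin/sh
# Added example: classify a macOS version string against the minimum
# versions named in this notice. Thresholds come from the notice only.

# mail_notice_status VERSION -> prints "vulnerable", "updated" or "unknown"
# (hypothetical helper name, not an Apple or vendor tool)
mail_notice_status() {
    ver=$1
    # Accept only dotted numeric strings such as 10.15.4
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    # Split major.minor.patch; a missing component counts as 0 (10.15 == 10.15.0)
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Assumption: macOS 11 and later is newer than every release the notice lists
    if [ "$major" -gt 10 ]; then echo updated; return 0; fi
    # Anything below 10 is not a macOS version number
    if [ "$major" -lt 10 ]; then echo unknown; return 0; fi

    case $minor in
        13|14) min_patch=6 ;;   # High Sierra 10.13.6, Mojave 10.14.6
        15)    min_patch=5 ;;   # Catalina 10.15.5
        *)
            # The notice counts every release older than 10.13 as affected
            if [ "$minor" -lt 13 ]; then echo vulnerable; else echo updated; fi
            return 0 ;;
    esac
    if [ "$patch" -lt "$min_patch" ]; then echo vulnerable; else echo updated; fi
}

# On a Mac, report the running version; on other systems this step is skipped.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    echo "macOS $v: $(mail_notice_status "$v")"
fi
```

The result reflects only the version numbers given in this notice; a "vulnerable" result means the update steps below apply.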

If you are running a vulnerable version of macOS, please update your Mac immediately and reboot after doing so. If you cannot update, please remove your email account from Apple Mail and consider using Outlook or Outlook Web Access until you can.

This vulnerability allows an attacker to send a malicious email that can result in access to your email and any account that allows password reset by email. The vulnerability requires only that you receive this email; the attack happens without you reading or clicking on anything. Because this is a ‘no-click’ vulnerability, it is very important that you use Apple Mail only on one of the updated versions of macOS.

If you need help with these steps, please reach out to your LSP.

A technical description of this attack is available at: https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c