[MlMt] Is MailMate susceptible to this vulnerability? CVE-2020-11879 CVE-2020-11880 CVE-2020-4089

Benny Kjær Nielsen mailinglist at freron.com
Thu Aug 20 14:38:28 EDT 2020


On 20 Aug 2020, at 19:34, Charlie Clark wrote:

> On 20 Aug 2020, at 19:25, Sharjeel Sayed wrote:
>
>> <https://www.zdnet.com/article/some-email-clients-are-vulnerable-to-attacks-via-mailto-links>
>>
>> The research team said it tested 20 email clients for their attack scenario and found that four clients were vulnerable. This list included:
>
> This is in the change log for r5707:
>
> Changed: MailMate no longer trusts the body content of a mailto: link if it contains anything which could be parsed as inline PGP.

This is just an extra safety catch. I don't think anyone needs to update just to get this fix.

Just a quick review: The paper does not state the version of MailMate used for the tests and the public release of MailMate does not behave as described in the paper. The paper describes three issues labelled A1-A3.

* A1: This is about S/MIME certificates. By default, MailMate has never auto-added S/MIME certificates to the keychain, but there was a hidden preference to do it and at some point it also became a GUI setting. This is a problem when a certificate already exists in the keychain since it allows a MITM attack in which the certificate can be replaced without the user noticing. A warning was added to MailMate in, *I think*, version 1.11 (March, 2018).
* A2: This is also a MITM attack in which the attacker needs access to the IMAP server of the victim. MailMate has not (for a very long time) uploaded drafts before the draft has been saved and the window has been closed. This should give the user time to realize that something is wrong with the message (unexpected content in the body part of the message).
* A3: MailMate has never been vulnerable to A3 (attaching arbitrary files).

I'm not quite satisfied with how MailMate handles the A2 scenario. In particular, the public release autosaves a message when the structure of an email changes (this is going to be fixed in the next public release as part of the major changes to the message view). If anyone would like to be extra careful then I recommend taking the Drafts mailbox offline in each account. They only really need to be online if you have a habit of working on drafts in multiple installs of MailMate.

These were just my quick thoughts on the subject. This is unlikely to be the last time someone finds potential security issues in MailMate, but I'll continue to do what I can to fix them.

-- 
Benny
https://freron.com/become_a_mailmate_patron/
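
Added example, not part of the original message and not MailMate's code: one way to implement the safety catch described in the r5707 change log entry, dropping the body of a mailto: link when it contains anything resembling inline PGP armor. The function name, the field allowlist and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: a conservative allowlist; any other field in the link is ignored.
ALLOWED_FIELDS = {"to", "cc", "bcc", "subject", "body"}

# Deliberately broad: any ASCII-armor header start counts as "could be parsed
# as inline PGP" (message, signed message, key block, ...).
PGP_ARMOR = re.compile(r"-----BEGIN PGP ", re.IGNORECASE)


def parse_mailto(uri):
    """Return (fields, dropped) for a mailto: URI.

    fields  maps accepted field names to lists of decoded values.
    dropped lists (field name, reason) for everything that was not trusted.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto":
        raise ValueError("not a mailto: URI")
    fields, dropped = {}, []
    if parts.path:
        fields["to"] = [unquote(parts.path)]
    # Split by hand: parse_qsl would turn '+' into a space, which is wrong
    # for mailto: (RFC 6068) and would alter addresses like a+tag@example.org.
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        name, value = unquote(name).lower(), unquote(value)
        if name not in ALLOWED_FIELDS:
            dropped.append((name, "field not in allowlist"))
        elif name == "body" and PGP_ARMOR.search(value):
            # Check after percent-decoding so an encoded armor line is caught.
            dropped.append((name, "looks like inline PGP"))
        else:
            fields.setdefault(name, []).append(value)
    return fields, dropped


# Constructed sample links (not taken from the paper or from MailMate).
SAMPLES = [
    "mailto:alice@example.org?subject=Hi&body=See%20you%20at%205",
    "mailto:alice@example.org?subject=Hi&body=-----BEGIN%20PGP%20MESSAGE-----"
    "%0A%0Aconstructed-placeholder%0A-----END%20PGP%20MESSAGE-----",
    "mailto:a+tag@example.org?x-extra=1",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(parse_mailto(link))
```

A composer using this would prefill only the returned fields and could show the dropped list to the user instead of silently discarding it.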