John Whitehead

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.13 **Description** The issue involves the `Mail` component and allows remote attackers to bypass an intended off value of the `Load remote content in messages` setting. This enables attackers to discover an e-mail recipient's IP address via an HTML email message. **Recommendations** For macOS versions prior to 10.13, update to version 10.13 or later to resolve the issue. As a temporary workaround, consider disabling the `Load remote content in messages` setting in the Mail application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OS X versions prior to 10.10.2 **Description** The issue allows attackers to read group-ACL-restricted keychain items of arbitrary apps via a crafted app with a signature from a self-signed certificate or Developer ID certificate. **Recommendations** For OS X versions prior to 10.10.2, update to version 10.10.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.10.2 **Description** The issue allows remote attackers to discover recipient IP addresses by including an inline image in an HTML e-mail message and logging HTTP requests for this image's URL, due to the failure of Spotlight to enforce the Mail "Load remote content in messages" configuration. **Recommendations** For Apple OS X versions prior to 10.10.2, update to version 10.10.2 or later to resolve the issue.