Free Republic
General/Chat

"The vulnerability allows remote HTML content to be loaded in an email, which replaces the content of the email message. Soucek wrote he then built a functional password collector using HTML and CSS. He also published a demonstration video."

Oh, Good Grief. . . Souçek really is stretching on this one. . . he's the same guy who claims Apple hasn't fixed the other so-called iCloud vulnerability he claims to have found. This time he is claiming the ability of Apple Mail to display HTML and execute HTML scripting is a vulnerability because it can be used for phishing attacks against users of email.

The standard rules of using email of not inputting any user names or passwords into any email or attachments still stand and clicking on any links in an email is a stupid thing to do, regardless if it is an embedded HTML or a remote HTML installed by a script in the email. Whichever it is, it is still a PHISHING attack on the user, nothing more.

Almost all email clients can display HTML and it is not a vulnerability and is an intended feature. It can be turned off if the user does not wish to see HTML displayed content. In fact, email containing HTML can be blocked from being received.

1 posted on 06/11/2015 6:55:13 PM PDT by Swordmaker


To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
A so-called "security researcher" claims to have discovered a flaw in Apple Mail that could allow hackers to get iCloud passwords. The "Flaw"? Apple allows Apple Mail to display HTML code in email. Such HTML code could be used to trick email users into thinking they were looking at an Apple iCloud log-in page and enter their credentials. SHEESH and Good Grief and other expressions of astonishment at such sheer stupidity of thought from a "security researcher" and the editors who swallow such bilge. That's what a PHISHING expedition in email does and IS, for Pete's Sake! — PING!


Apple Security for "Security Researchering" Idiots
Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 06/11/2015 7:07:22 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson