
Leopard gets same security flaw as Apple Mail


A security problem in Apple Mail that got fixed in March 2006 has popped up again in Leopard, according to Heise Security.

In a Nov. 20 posting, the security firm said that it had found that users can inadvertently start a potentially malicious executable by double-clicking an e-mail attachment injected with disguised code that looks like a JPEG.

Apple Mail automatically analyzes resource forks attached through AppleDouble, a MIME format that Apple developed to store dual-forked files (files with both a resource fork and a data fork) on the Unix file system used in Apple's first Unix-like operating system.


According to Heise, an attacker can craft an e-mail attachment called, for example, picture.jpg that is displayed with a JPEG icon. When the user tries to open the picture, Apple Mail analyzes the resource fork and does something unexpected, such as execute a shell script without warning.

Apple fixed the bug in March 2006. With the fix, Apple's Tiger operating system warns users if a purported image file is in fact a program and needs to be opened with Terminal, a terminal emulator in Mac OS X that presents the user with a command line interface.
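
A similar check can run on a mail gateway or triage host before the message reaches the client. The following is an added example, not code from Heise, Apple or eWEEK: it walks a message's MIME tree, finds `multipart/appledouble` attachments, and flags a data fork whose image file name does not match its leading bytes. The function name and the sample message are constructed for illustration.

```python
import email
from email import policy

# Leading bytes of the image types a mail client shows with a picture icon.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def flag_disguised_appledouble(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for AppleDouble data forks that are not the image they claim to be."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "multipart/appledouble":
            continue
        for sub in part.iter_parts():
            if sub.get_content_type() == "application/applefile":
                continue  # header part that carries the resource fork
            name = (sub.get_filename() or "").lower()
            ext = name[name.rfind("."):] if "." in name else ""
            if ext not in IMAGE_MAGIC:
                continue  # only image-named attachments are checked here
            data = sub.get_payload(decode=True) or b""
            if data.startswith(b"#!"):
                findings.append((name, "data fork is a script"))
            elif not data.startswith(IMAGE_MAGIC[ext]):
                findings.append((name, "data fork lacks image magic bytes"))
    return findings

# Constructed sample: an AppleDouble attachment named picture.jpg whose data fork is a shell script.
SAMPLE = (
    b'From: a@example.org\r\nSubject: constructed sample\r\nMIME-Version: 1.0\r\n'
    b'Content-Type: multipart/appledouble; boundary="b1"\r\n\r\n'
    b'--b1\r\nContent-Type: application/applefile; name="picture.jpg"\r\n'
    b'Content-Transfer-Encoding: base64\r\n\r\nAAUWBwACAAA=\r\n'
    b'--b1\r\nContent-Type: image/jpeg; name="picture.jpg"\r\n'
    b'Content-Disposition: attachment; filename="picture.jpg"\r\n\r\n'
    b'#!/bin/sh\necho constructed sample\n\r\n'
    b'--b1--\r\n'
)

if __name__ == "__main__":
    print(flag_disguised_appledouble(SAMPLE))
```

This is a name-versus-content heuristic only; it does not parse the resource fork itself, so it complements rather than replaces the client-side warning.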

That fix somehow slipped through the cracks, not making it into Leopard or not getting implemented correctly, Heise said.

In Heise's tests, the Terminal window opened directly in most cases when an attachment was opened. But in one instance, the Terminal window opened initially but not on subsequent double-clicks on the attachment. The test e-mails Heise used were identical except for the subject line and some administrative information in the header.

Apple did not reply to questions regarding the mail bug. An automated reply from an Apple spokesman said that the company is closed down for the week in observance of the Thanksgiving holiday.


Source: eWEEK
