Both apps will execute scripts without asking permission in certain circumstances.
As the report explains:
It suffices to disguise a script with the ending “jpg” and assign the Terminal application for opening it. If this script is then sent in the AppleDouble format as an attachment, the information is passed along so that the recipient’s system also opens it with the Terminal.
Apple Mail displays the attachment with a JPG file symbol, but when users click on it, the script executes within Terminal without further prompting. This has been tested on Apple Mail 2 and Mac OS X 10.4. Older versions display a warning.
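The trick above works because the AppleDouble header travelling with the attachment carries Finder Info (a four-character file type and a creator code) that binds the file to an application, independently of the "jpg" name the recipient sees. As an added defender's example, not code from the original post or from Heise, the following Python parses that header part and flags an attachment whose name claims an image extension while its Finder Info says something else. The header layout follows RFC 1740; the allowed-type table, the sample file names and the two sample headers are constructed for the example, and `trmx` is assumed to be Terminal's creator code.

```python
import os
import struct
from typing import Dict, List, Tuple

# AppleDouble header layout from RFC 1740.
APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000
ENTRY_REAL_NAME = 3
ENTRY_FINDER_INFO = 9
HEADER_LEN = 26        # magic(4) + version(4) + filler(16) + entry count(2)
ENTRY_DESC_LEN = 12    # entry id(4) + offset(4) + length(4)

# Finder file types a genuine image with each extension should carry
# (constructed allowlist for this example; extend it for your environment).
EXPECTED_FINDER_TYPES = {
    ".jpg": {b"JPEG"},
    ".jpeg": {b"JPEG"},
    ".gif": {b"GIFf"},
    ".png": {b"PNGf"},
}
# Assumed creator code of Terminal.app; used only to label the constructed sample.
TERMINAL_CREATOR = b"trmx"
BLANK_CREATOR = b"\x00\x00\x00\x00"


def parse_appledouble(blob: bytes) -> Dict[int, bytes]:
    """Parse an AppleDouble header file (the application/applefile part) into {entry_id: payload}."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for an AppleDouble header")
    magic, _version, count = struct.unpack(">II16xH", blob[:HEADER_LEN])
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError(f"not AppleDouble: magic 0x{magic:08x}")
    entries: Dict[int, bytes] = {}
    for i in range(count):
        start = HEADER_LEN + ENTRY_DESC_LEN * i
        desc = blob[start:start + ENTRY_DESC_LEN]
        if len(desc) < ENTRY_DESC_LEN:
            raise ValueError("truncated entry table")
        eid, off, length = struct.unpack(">III", desc)
        if off + length > len(blob):
            raise ValueError(f"entry {eid} extends past end of header file")
        entries[eid] = blob[off:off + length]
    return entries


def finder_binding(entries: Dict[int, bytes]) -> Tuple[bytes, bytes]:
    """Return (file type, creator) from the Finder Info entry, or blanks if it is absent."""
    fi = entries.get(ENTRY_FINDER_INFO, b"")
    if len(fi) < 8:
        return BLANK_CREATOR, BLANK_CREATOR
    return fi[0:4], fi[4:8]


def check_attachment(header_blob: bytes, mime_filename: str) -> List[str]:
    """Return findings for one AppleDouble attachment; an empty list means nothing suspicious."""
    entries = parse_appledouble(header_blob)
    ftype, creator = finder_binding(entries)
    # The Real Name entry is what the recipient's Finder shows; fall back to the MIME name.
    shown_name = entries.get(ENTRY_REAL_NAME, b"").decode("mac_roman", "replace") or mime_filename
    ext = os.path.splitext(shown_name)[1].lower()
    findings: List[str] = []
    expected = EXPECTED_FINDER_TYPES.get(ext)
    if expected is None:
        return findings    # not an image extension; out of scope for this check
    if ftype not in expected:
        findings.append(f"TYPE_MISMATCH: {shown_name!r} looks like {ext} but Finder type is {ftype!r}")
    if creator != BLANK_CREATOR:
        # An "image" that insists on being opened by a particular application is the disguise described.
        findings.append(f"CREATOR_BOUND: {shown_name!r} is bound to creator {creator!r}")
    return findings


def build_appledouble(real_name: bytes, ftype: bytes, creator: bytes) -> bytes:
    """Assemble a minimal AppleDouble header with Real Name and Finder Info entries (constructed fixture)."""
    finder_info = ftype + creator + b"\x00" * 24    # FInfo (16 bytes) + FXInfo (16 bytes)
    payloads = [(ENTRY_REAL_NAME, real_name), (ENTRY_FINDER_INFO, finder_info)]
    table, body = b"", b""
    offset = HEADER_LEN + ENTRY_DESC_LEN * len(payloads)
    for eid, data in payloads:
        table += struct.pack(">III", eid, offset, len(data))
        body += data
        offset += len(data)
    return struct.pack(">II16xH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, len(payloads)) + table + body


# Constructed samples: a script disguised as a JPEG and bound to Terminal, and a genuine JPEG.
DISGUISED = build_appledouble(b"holiday.jpg", b"TEXT", TERMINAL_CREATOR)
GENUINE = build_appledouble(b"holiday.jpg", b"JPEG", BLANK_CREATOR)

if __name__ == "__main__":
    for label, blob in (("disguised", DISGUISED), ("genuine", GENUINE)):
        print(label, check_attachment(blob, "holiday.jpg") or ["clean"])
```

The `CREATOR_BOUND` finding is deliberately broad: images saved by some editors carry that editor's creator code, so a mail gateway would pair it with an allowlist of known image applications rather than treating every hit as an incident. The `TYPE_MISMATCH` finding is the stronger signal, since a file whose name says "jpg" but whose Finder type says "TEXT" is exactly the disguise the report describes.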
You can experience the flaw for yourself. The Heise Online site provides an example email that demonstrates the problem. It arrives with what looks like a JPG attachment. Clicking on the JPG file executes a harmless script in Terminal containing the command /bin/ls -al.
It’s in German, but enter your email address in the text box on this page and click the button marked “Anfordern”. Then click on the link in the confirmation email and an example is on its way to you.
An immediate fix is to move Terminal into a different folder. The general fix, of course, is never to open attachments in emails that you are unsure about.
Thunderbird, the article points out, doesn’t fall for this trick.
Tags: Apple Mail, AppleDouble, attachments, bugs, mail.app, scripts, security flaw, Terminal