Security Bug back for Leopard Mail
The shell script security exploit exposed and then fixed in Tiger Mail has been reintroduced into Leopard Mail.
The loophole lets a sender disguise an executable file (say, a shell script) as an image or some other harmless-looking file. When it is clicked, the executable runs. Don’t remember? See the Hawk Wings post at the time (Feb, 2006).
Now, it’s back. You can test for yourself. The Heise Security web site offers to send you a test email: give them an email address and, after a confirmation, the email arrives:

Click on the “jpg” to open it, and it runs a shell script, listing your current directory and exiting harmlessly:

Last time, the news prompted a range of responses, some of them rather hysterical. One writer even claimed that it made Mail.app too dangerous to use.
I am happy to follow John Gruber’s lead (again). As he said last time:
“It boils down to this: you can’t safely double-click files from untrusted sources, and you never could. This is no different today on Mac OS X 10.4 than it was a decade ago on Mac OS 8 and 9.”
Puzzling that it’s back, yes. But dangerous? No more than usual.
UPDATE: “FatYank” provides a quick fix in the comments for those who are really worried about this:
The workaround for this is to rename Terminal. When you rename Terminal and double click on the JPG, you get a message stating that Preview cannot open the file.
Or, as Rob points out, you could use Quick Look to view attachments first; these “fake” files show up as empty there.
Thanks!
[Via The Register]

November 21st, 2007 at 9:20 am
I wonder if qc dropping has anything to do with the void left by Avie leaving Apple some time ago.
November 21st, 2007 at 10:04 am
“It boils down to this: you can’t safely double-click files from untrusted sources, and you never could. This is no different today on Mac OS X 10.4 than it was a decade ago on Mac OS 8 and 9.”
I do wish Gruber was occasionally willing to not be quite such a fanboy. I love Apple too, but that doesn’t mean everything they do is right.
If Apple’s built-in apps like Mail.app and Finder.app tell me an incoming file is a JPG or some other non-executable file, I very much do expect to be able to safely double-click on it.
November 21st, 2007 at 10:12 am
Do you think Gruber is a fanboy? I would peg him as “critically loyal”.
November 21st, 2007 at 11:27 am
Don’t get me wrong. I read Gruber daily and enjoy his writing.
But he seems to think of himself as acting as a counterbalance to the mindless Apple bashers out there. And that leads him to often act as a mindless Apple booster.
November 21st, 2007 at 6:04 pm
I don’t understand… this isn’t happening with me on my 10.5.0 Mail. When I get that email, double-clicking it in Mail or in Finder will put up a warning about having downloaded it from the Internet, that it will open in Terminal, and that it might not be safe.
If I tell it to open, it’ll open in Terminal, just like I was told.
Once you’ve allowed it once, it’ll keep opening without question. But there’s a warning first, just like there should be.
Should you be able to fake an application up to look like a jpg? No, but at least there’s a warning now.
November 21st, 2007 at 7:11 pm
Hmmmm… Now I don’t understand. I am not getting any of those warnings in Leopard Mail.
November 21st, 2007 at 8:16 pm
Save the attachment, Tim, and look at it in Finder.
If you choose “Get Info”, then under the “General” section you’ll see that Finder identifies the “Kind” as “JPEG image”.
(You’ll see that the “Open with” section (if it’s visible) says “Terminal”.)
Gruber will say what Gruber would say, but don’t you think it somewhat concerning that the OS *doesn’t know what it’s got*? Look at that file on a Linux machine and it is identified as type “plain text”.
OS X doesn’t know what it’s got.
To compound matters, although the OS is absolutely certain that it has a JPEG there, it will, nevertheless, blithely open the file, out of an email, in what is *not* what you’ve got set as the default editor for JPEGs.
I’m sure they’ll patch it pretty soon, so that it will ask. But what if someone clicks “yes” meaning “no”? And, more broadly, I have to wonder why it’s asking such a stupid question in the first place?
It would seem better if Apple made it so that their mail client couldn’t read this ridiculous “AppleDouble” encoding at all.
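The checks that comment walks through by hand (Finder’s “Kind” taken from the extension versus what the file really contains, and the AppleDouble Finder info that carries the classic type and creator codes) can be run mechanically on a saved attachment. This is an added example written for this page, not Hawk Wings’ or Apple’s code; the AppleDouble header layout follows Apple’s published format, the script-in-a-jpg sample and the creator code XXXX are constructed placeholders, and has_quarantine_xattr only reports whether the com.apple.quarantine attribute behind the “downloaded from the Internet” warning is present.

```python
"""Inspect a mail attachment the way the commenters above do by hand:
compare the name's extension against the bytes actually in the data fork,
and read the Finder type/creator codes from an AppleDouble header.
Added example, not code from Hawk Wings or Apple."""
import errno
import os
import struct

APPLEDOUBLE_MAGIC = 0x00051607   # Apple's documented AppleDouble magic number
APPLEDOUBLE_VERSION = 0x00020000
ENTRY_FINDER_INFO = 9            # entry ID of the Finder info (type, creator, flags)

# Leading bytes of common image formats, plus the shebang that marks a script.
MAGIC_SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("script", b"#!"),
]
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff_content(data):
    """Return a content label derived from the leading bytes, or 'unknown'."""
    for label, magic in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"


def parse_appledouble_finder_info(blob):
    """Return (type, creator) from the Finder info entry of an AppleDouble
    header, or None if the blob is not AppleDouble or carries no such entry."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return None
    n_entries = struct.unpack(">H", blob[24:26])[0]
    for i in range(n_entries):
        off = 26 + 12 * i                      # entry descriptors follow the header
        if off + 12 > len(blob):
            break
        entry_id, start, length = struct.unpack(">III", blob[off:off + 12])
        if entry_id == ENTRY_FINDER_INFO and length >= 8 and start + 8 <= len(blob):
            ftype = blob[start:start + 4].decode("latin-1")
            creator = blob[start + 4:start + 8].decode("latin-1")
            return ftype, creator
    return None


def inspect_attachment(name, data_fork, appledouble=None):
    """Collect the findings a user would want before double-clicking."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_content(data_fork)
    findings = []
    if claimed != "unknown" and actual != claimed:
        findings.append(f"extension .{ext} claims {claimed} but content looks like {actual}")
    if actual == "script":
        findings.append("data fork begins with a shebang: this is a script, not an image")
    finder = parse_appledouble_finder_info(appledouble) if appledouble else None
    if finder:
        ftype, creator = finder
        if claimed == "jpeg" and ftype != "JPEG":
            findings.append(f"Finder type code {ftype!r} (creator {creator!r}) is not JPEG")
    return {"claimed": claimed, "actual": actual, "finder": finder, "findings": findings}


def has_quarantine_xattr(path):
    """True if the file carries com.apple.quarantine, False if it does not,
    None where the platform or filesystem cannot answer (no xattr support)."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        os.getxattr(path, "com.apple.quarantine")
        return True
    except OSError as exc:
        missing = {errno.ENODATA, getattr(errno, "ENOATTR", errno.ENODATA)}
        return False if exc.errno in missing else None


def build_appledouble(ftype, creator):
    """Construct a minimal AppleDouble header carrying only Finder info
    (a constructed sample for this example, not a real Mail attachment)."""
    finder_info = ftype.encode("latin-1") + creator.encode("latin-1") + b"\x00" * 24
    header = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, b"\x00" * 16, 1)
    header += struct.pack(">III", ENTRY_FINDER_INFO, 26 + 12, len(finder_info))
    return header + finder_info


# Constructed sample: a harmless shell script named like an image, with Finder
# info saying it is TEXT and a placeholder creator code.
FAKE_JPG = b"#!/bin/sh\nls\nexit 0\n"
SAMPLE_APPLEDOUBLE = build_appledouble("TEXT", "XXXX")

if __name__ == "__main__":
    for line in inspect_attachment("Heise.jpg", FAKE_JPG, SAMPLE_APPLEDOUBLE)["findings"]:
        print("WARNING:", line)
```

Running the block on the constructed sample reports three findings: the extension disagrees with the content, the data fork is a script, and the Finder type code is not JPEG. A real JPEG with matching Finder info produces none.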
November 21st, 2007 at 8:50 pm
Sure, I understand how the trick works and that it is a flaw in Mail.app’s security.
What puzzles me are two things – first, that some people are getting the Tiger-era alerts in Leopard Mail (so Jasonian suggests above) and, secondly, that people do not seem to exercise due caution with the content of their email and expect the mail client to make judgement calls about what is safe to open or not.
I agree that Mail should be smarter about this — and as you say, soon will be again — but it should never be a user’s first line of defence. Common sense should be.
November 21st, 2007 at 9:53 pm
The workaround for this is to rename Terminal. When you rename Terminal and double click on the JPG, you get a message stating that Preview cannot open the file.
November 21st, 2007 at 11:40 pm
The REAL workaround is to just use Quicklook instead of double-clicking on attachments.
Quicklook shows the document as an empty file icon, so you’ll know it’s not really a JPEG.
Seriously needs to be fixed though.
November 21st, 2007 at 11:46 pm
Rob, an excellent “Leopardy” solution!
November 22nd, 2007 at 12:22 am
“and, secondly, that people do not seem to exercise due caution with the content of their email and expect the mail client to make judgement calls about what is safe to open or not.”
The problem is that there are a number of historical PC worms that work by sending emails to people in your address book.
If such a worm ever appeared on OS X, folks would get emails from trusted addresses, with links to innocent seeming JPG’s. At that point, a lot of folks with perfectly good judgment would double click the JPG, and have hell break loose on their machine.
Trusting Mail.app and Finder.app to give you accurate information about what you’re dealing with and what the consequences of double clicking might be is crucial to protecting folks with perfectly good judgment.
November 22nd, 2007 at 12:56 am
Yes, Chucky has it: the email you receive may APPEAR to be from a trusted source. With a title like, “I have a daughter!” or “Jan and me on the pier” or “This comic pretty much sums up my life right now.” or something that might lead you to instinctively click to see. After all, it is from someone you know.
Remember, mail can easily be forged, and as Chucky points out, it would not be hard to have that JPG you click on send emails to 5 of your address book entries to pass it on.
November 22nd, 2007 at 3:31 am
On my PowerBook it always runs though unnoticed at the first click, but shows the warning dialog for subsequent clicks.
If I download the attachment first the warning always shows.
To try this more than once you have to delete the file from Library/Mail Downloads each time…
I have a PowerBook 1,25GHz running an all updated 10.5.1. Perhaps my machine is too slow to write the extended attributes before it’s already running the first time :-)
November 22nd, 2007 at 11:00 am
Hmm. On my clean install of Leopard, I get this warning when double-clicking the attachment:
“‘Heise.jpg’ may be an application. It was attached to a mail message and will be opened by Terminal. Are you sure you want to open it?”
I find this to be sufficient warning, but I don’t understand why everyone is not getting this warning. In any event, it is not clear that the “security shell exploit has been reintroduced.”
November 25th, 2007 at 3:02 am
There is no such thing as a safe file. :)