The shell script security exploit exposed and then fixed in Tiger Mail has been reintroduced into Leopard Mail.
The loophole allows a sender to disguise an executable file (say, a shell script) as an image or some other harmless file. When clicked on, the executable file runs. Don’t remember? See the Hawk Wings post at the time (Feb, 2006).
Now, it’s back. You can test for yourself. The Heise Security web site offers to send you a test email. Give them an email address and after a confirmation, the email arrives:
Click on the “jpg” to open it, and it runs a shell script, listing your current directory and exiting harmlessly:
I am happy to follow John Gruber’s lead (again). As he said last time:
“It boils down to this: you can’t safely double-click files from untrusted sources, and you never could. This is no different today on Mac OS X 10.4 than it was a decade ago on Mac OS 8 and 9.”
Puzzling that it’s back, yes. But dangerous? No more than usual.
UPDATE: “FatYank” provides a quick fix in the comments for those who are really worried about this:
The workaround for this is to rename Terminal. When you rename Terminal and double click on the JPG, you get a message stating that Preview cannot open the file.
Or, as Rob points out, you could use Quickview to view attachments first, in which these “fake” files show up as empty.
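For those who would rather check an attachment than rename Terminal, here is a small shell check I have added to this post (it is not from Heise, Apple or the original post). It looks only at the file’s bytes: a file named like an image should start with that image format’s magic number, and a shell script starts with “#!”, which is exactly the mismatch the Heise test mail shows. It assumes a POSIX sh with od, sed, tr and mktemp available, and the sample files at the bottom are constructed here for the demo, not real mail data.

```shell
# Added example, not from the Hawk Wings post or from Heise Security: a small
# defender-side check for the mismatch the post describes, a file named like
# an image whose bytes are actually a shell script. It compares the file's
# leading bytes against the magic number the extension implies and flags a
# shebang. Exit status: 0 = magic matches, 1 = mismatch/unknown, 2 = script.

attachment_verdict() {
  file="$1"
  # extension, lower-cased (assumes the file has one, as mail attachments do)
  ext=$(printf '%s' "$file" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
  # first four bytes as upper-case hex, e.g. FFD8FFE0 for a JPEG
  magic=$(od -An -N4 -tx1 "$file" | tr -d ' \n' | tr 'a-f' 'A-F')

  # a script hiding behind an image name: "#!" is hex 2321
  case "$magic" in
    2321*) echo "$file: SCRIPT (shebang behind a .$ext name)"; return 2 ;;
  esac

  case "$ext" in
    jpg|jpeg) expected=FFD8FF ;;
    png)      expected=89504E47 ;;
    gif)      expected=474946 ;;
    *)        echo "$file: no magic rule for .$ext"; return 1 ;;
  esac

  case "$magic" in
    "$expected"*) echo "$file: OK (.$ext magic matches)"; return 0 ;;
    *)            echo "$file: MISMATCH (named .$ext, bytes start $magic)"; return 1 ;;
  esac
}

# Constructed sample attachments for a stand-alone run (not real mail data).
demo=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$demo/photo.jpg"        # genuine JPEG header
printf '#!/bin/sh\nls\n' > "$demo/heise-style.jpg"        # script named as a jpg
printf 'GIF89a' > "$demo/mislabelled.jpg"                 # GIF bytes, jpg name
for f in "$demo"/*; do attachment_verdict "$f"; done
rm -rf "$demo"
```

Save an attachment to disk and run `attachment_verdict` on it before opening it; anything that comes back as SCRIPT or MISMATCH is the kind of file Quickview would show as empty. The check reads bytes only, so it says nothing about any Finder metadata on the file, just whether the content is what the name claims.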
[Via The Register]
- Security flaw with scripts in Mail.app
- RCMail: Remotely control your Mac by email
- Fix for Leopard Mail’s broken new mail alert
- Scripts to automate the Mail.app Envelope speed trick
- Remotely control your Mac via AppleScript
Tags: Apple, Apple Mail, bug, exploit, leopard mail, mail.app, security, shell script, Tiger Mail