Security Bug back for Leopard Mail

Wednesday, November 21st, 2007

The shell script security exploit exposed and then fixed in Tiger Mail has been reintroduced into Leopard Mail.

The loophole allows a sender to disguise an executable file (say, a shell script) as an image or some other harmless file. When clicked on, the executable file runs. Don’t remember? See the Hawk Wings post at the time (Feb, 2006).

Now, it’s back. You can test for yourself. The Heise Security web site offers to send you a test email. Give them an email address and after a confirmation, the email arrives:

[Screenshot: the Heise Security test email]

Click on the “jpg” to open it, and it runs a shell script, listing your current directory and exiting harmlessly:

[Screenshot: the shell script's output]
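The post describes the core of the problem: an attachment named like an image that is really a script, and a mail client that trusts the name. A defender-side check, added here as an example rather than anything from the original post or from Heise, is to compare the extension an attachment advertises with its actual leading bytes and flag image names whose content starts like a shell script or a Mach-O binary. The message below is a constructed sample; the real Mail trick may rely on more than a bare filename, so this is a simplified model of the disguise.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes a file must have to really be the image type its name claims
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Leading bytes of things that execute when opened on a Mac
EXECUTABLE_MAGIC = (
    b"#!",                                     # script with a shebang line
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # Mach-O 32/64-bit, big-endian
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # Mach-O 32/64-bit, little-endian
    b"\xca\xfe\xba\xbe",                       # Mach-O universal ("fat") binary
)

def classify_attachment(filename: str, data: bytes) -> str:
    """Compare the extension an attachment advertises with its real header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_MAGIC:
        return "not-an-image-name"      # outside the scope of this check
    if data.startswith(IMAGE_MAGIC[ext]):
        return "ok"                     # header matches the claimed image type
    if data.lstrip().startswith(EXECUTABLE_MAGIC):
        return "executable-disguised-as-image"
    return "header-mismatch"            # not an image, not a known executable

def scan_message(raw: bytes):
    """Return (filename, verdict) for every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdicts.append((name, classify_attachment(name, part.get_payload(decode=True) or b"")))
    return verdicts

def build_sample() -> bytes:
    """Constructed sample: one genuine JPEG header and one shell script named .jpg."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "tester@example.com", "you@example.com", "test"
    msg.set_content("Two attachments follow.")
    msg.add_attachment(b"\xff\xd8\xff\xe0\x00\x10JFIF", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(b"#!/bin/sh\nls\nexit 0\n", maintype="image",
                       subtype="jpeg", filename="picture.jpg")   # the disguised script
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{name}: {verdict}")
```

Both attachments carry a `Content-Type: image/jpeg` header, which is exactly why the declared type cannot be trusted and the content has to be inspected.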

Last time, the news prompted a range of responses, some of them rather hysterical. One writer even claimed that it made Mail.app too dangerous to use.

I am happy to follow John Gruber’s lead (again). As he said last time:

“It boils down to this: you can’t safely double-click files from untrusted sources, and you never could. This is no different today on Mac OS X 10.4 than it was a decade ago on Mac OS 8 and 9.”

Puzzling that it’s back, yes. But dangerous? No more than usual.

UPDATE: “FatYank” provides a quick fix in the comments for those who are really worried about this:

The workaround for this is to rename Terminal. When you rename Terminal and double click on the JPG, you get a message stating that Preview cannot open the file.

Or, as Rob points out, you could use Quickview to view attachments first, in which these “fake” files show up as empty.

Thanks!

[Via The Register]
