Posts Tagged ‘scripts’

Security flaw with scripts in Mail.app

Wednesday, February 22nd, 2006

Heise Online has a report outlining how the shell script execution flaw in Safari also applies to Mail.app.

Both apps will execute scripts without asking permission in certain circumstances.

As the report explains:

It suffices to disguise a script with the ending “jpg” and assign the Terminal application for opening it. If this script is then sent in the AppleDouble format as an attachment, the information is passed along so that the recipient’s system also opens it with the Terminal.

Apple Mail displays the attachment with a JPG file symbol, but when users click on it, the script executes within Terminal without further prompting. This has been tested on Apple Mail 2 and Mac OS X 10.4. Older versions display a warning.

You can experience the flaw for yourself. The Heise Online site provides an example email which demonstrates the problem. It arrives with what looks like a JPG attachment. Clicking on the JPG file executes a harmless script in Terminal containing the command /bin/ls -al.

It’s in German, but enter your email address in the text box on this page and click the button marked “Anfordern”. Then click on the link in the confirmation email and an example is on its way to you.

An immediate fix is to move Terminal into a different folder. The general fix, of course, is never to open attachments in emails that you are unsure about.

Thunderbird, the article points out, doesn’t fall for this trick.

Tags: security flaw, scripts, terminal, mail.app, apple mail, attachments, AppleDouble, bugs
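A recipient-side check for the pattern the report describes, as an added example that is not from the original post or from Heise: it walks a message's MIME tree, finds multipart/appledouble attachments (the MIME form of AppleDouble, RFC 1740) and flags a data part whose filename claims an image type but whose first bytes are not that image format. The sample message, the filename holiday.jpg and the function names are constructed for illustration.

```python
import email
from email import policy

# Leading bytes of the image formats a filename may claim.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG", ".gif": b"GIF8"}

# Constructed sample: an AppleDouble attachment named like a JPEG whose
# data part is really a shell script (the harmless command from the post).
SAMPLE = b"""\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/appledouble; boundary="ad"

--ad
Content-Type: application/applefile; name="holiday.jpg"
Content-Transfer-Encoding: base64

AAUWBwACAAA=
--ad
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"

#!/bin/sh
/bin/ls -al
--ad--
"""

def mismatch(name, data):
    """Return a reason if data does not match the image type that name claims."""
    for ext, magic in MAGIC.items():
        if name.lower().endswith(ext) and not data.startswith(magic):
            return "script" if data.lstrip().startswith(b"#!") else "not-an-image"
    return None

def scan(raw):
    """List (filename, reason) for suspicious data parts of AppleDouble attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "multipart/appledouble":
            continue
        for sub in part.iter_parts():
            if sub.get_content_type() == "application/applefile":
                continue  # header part carrying Finder metadata, not the file body
            name = sub.get_filename() or ""
            reason = mismatch(name, sub.get_payload(decode=True) or b"")
            if reason:
                hits.append((name, reason))
    return hits
```

Calling scan(SAMPLE) returns the mismatched attachment; a mail filter could quarantine such messages or strip the application/applefile part before delivery.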

AppleScripts for iCal Events and To Dos

Saturday, February 4th, 2006

A few days ago Darren posted two AppleScripts in the comments on the post about Zoodo.

I’ve amended them slightly as Daniel Jalkut suggests in the comments and packaged them up in a zip file called QSiCalScripts.zip.

They were originally posted in the Quicksilver forum (currently down), and are designed to be run by a Quicksilver trigger (although they don’t have to be). Darren has tweaked them for a few additional features. (Thanks!).

Dan Dickinson at Primary Vivid has an illustrated tutorial on how to set up a trigger in Quicksilver, as does Coelomic at WordWorks.

There are other ways to do this, of course, but I am hoping that they will appear in the new (Allegedly) Related Posts feature. We will see.

Tags: iCal, AppleScript, To Do, events, Quicksilver, trigger, scripts

iListen ScriptPak for Apple Mail 2.0

Sunday, January 1st, 2006

MacSpeech has released a ScriptPak for its iListen software that enables you to control almost every aspect of Mail.app with voice commands.

iListen is MacSpeech’s Dictation, Transcription, Editing, Formatting and Speech Navigation software. Among other things, with iListen “you can press buttons, control the mouse, navigate the Finder and File Dialogs, open and close files, print, etc… all by voice.”

It is not cheap. The most basic, software-only option starts at USD 99, with many bundles available which include a microphone headset.

The Mail 2.0 scripts cover a comprehensive list of Apple Mail’s functions.

The scripts cost USD 10 and are available from MacSpeech’s web site.

[Via TUAW]


FastScripts 2.2.7 and FastScripts Lite

Wednesday, December 28th, 2005

FastScripts is an AppleScript management utility that offers several nifty improvements over the way OS X manages AppleScripts.

The developer Daniel Jalkut has released a new, improved version of FastScripts. It sports a redesigned icon and improved handling of the “close” AppleScript command.

FastScripts is an excellent way to manage and launch the many AppleScripts that make Mail.app faster and better to use.

It offers customisable keyboard shortcuts for launching scripts, smarter switching between apps as a script demands it, configurable menu organisation, better menu shortcuts and more.

All of this for USD 15.

Daniel has also released a slimmed-down freeware version of the app called “FastScripts Lite”. It is missing some features that owners of the shareware version enjoy.

Both are available on his Red Sweater Blog.

Perhaps it’s not too late to point out that FastScripts is Number Eleven on the list of Top Ten Things every Mail.app user should have, even higher if you use AppleScripts a lot.
