Posts Tagged ‘security’

Security Bug back for Leopard Mail

Wednesday, November 21st, 2007

The shell script security exploit exposed and then fixed in Tiger Mail has been reintroduced into Leopard Mail.

The loophole allows a sender to disguise an executable file (say, a shell script) as an image or some other harmless file. When clicked on, the executable file runs. Don’t remember? See the Hawk Wings post at the time (Feb, 2006).

Now, it’s back. You can test for yourself. The Heise Security web site offers to send you a test email. Give them an email address and after a confirmation, the email arrives:

(Screenshot: the Heise Security test email)

Click on the “jpg” to open it, and it runs a shell script, listing your current directory and exiting harmlessly:

(Screenshot: the shell script’s output in Terminal)

Last time, the news prompted a range of responses, some of them rather hysterical. One writer even claimed that it made Mail.app too dangerous to use.

I am happy to follow John Gruber’s lead (again). As he said last time:

“It boils down to this: you can’t safely double-click files from untrusted sources, and you never could. This is no different today on Mac OS X 10.4 than it was a decade ago on Mac OS 8 and 9.”

Puzzling that it’s back, yes. But dangerous? No more than usual.

UPDATE: “FatYank” provides a quick fix in the comments for those who are really worried about this:

The workaround for this is to rename Terminal. When you rename Terminal and double click on the JPG, you get a message stating that Preview cannot open the file.

Or, as Rob points out, you could use Quickview to view attachments first, in which these “fake” files show up as empty.

Thanks!

[Via The Register]
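A receiving-side check of the kind that closes this loophole, added here as an example (it is not code from the post, from Heise or from Apple): it compares an attachment’s extension with its first bytes, so a “jpg” that actually starts with a shebang or a Mach-O header is flagged instead of opened. The signature tables and the sample attachments are constructed for the example.

```python
import os

# Magic numbers for image types a mail client treats as harmless previews
# (the standard file signatures).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Signatures that identify executable content on Mac OS X: a script shebang,
# Mach-O headers (both byte orders, 32- and 64-bit) and the universal binary header.
EXECUTABLE_MAGIC = {
    "shell script (shebang)": (b"#!",),
    "Mach-O binary": (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                      b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"),
    "universal (fat) binary": (b"\xca\xfe\xba\xbe",),
}

def check_attachment(filename: str, head: bytes) -> str:
    """Compare an attachment's declared type (its extension) with what its
    first bytes say it is. Returns "ok", "unknown extension" or a mismatch verdict."""
    ext = os.path.splitext(filename.lower())[1]
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unknown extension"
    if any(head.startswith(magic) for magic in expected):
        return "ok"
    for label, magics in EXECUTABLE_MAGIC.items():
        if any(head.startswith(magic) for magic in magics):
            return f"mismatch: named {ext} but content is a {label}"
    return f"mismatch: named {ext} but content is not a {ext[1:]} image"

# Constructed sample attachments (not taken from the Heise test mail).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # a real JPEG header
    "picture.jpg": b"#!/bin/sh\nls -la\nexit 0\n",    # a script disguised as an image
    "logo.gif": b"just some text",                    # wrong content, not executable
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name}: {check_attachment(name, head)}")
```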


Encryption tutorial for Mail.app

Thursday, March 8th, 2007

Melvin Rivera has written a nice tutorial for Mail users explaining how to get a digital certificate from Thawte and how to use Mail.app’s digital signature and encryption features.

He outlines the process for creating an account at Thawte and requesting a certificate and then installing it.

Further sections follow on the difference between a digitally signed and an encrypted message, and how to use them.

It’s interesting to compare Melvin’s take on secure email in Mail.app with Matt Haughey’s experience, which wasn’t so positive.

Melvin thinks it works well and is a good tool to have in your email armoury:

Other than the process of going through an external website for obtaining a certificate, Mail’s integration of signed and encrypted messages is seamless. It’s a great feature that is just hidden until needed, making the user experience simple and clean. And there’s nothing like discovering a great new feature on an App you’ve been using for a long time now.

Joar Winfor has also produced a more detailed walkthrough for secure email in Mail.app, but more detail is not always good for everyone.


Thunderbird 1.5.0.5: More stable, more secure

Monday, July 31st, 2006

The latest version of Thunderbird is more stable and brings the email client up to date with the latest Mozilla security fixes.

The update also brings some welcome improvements for Mac users.

Newsgroups are no longer “over-abbreviated” and HTML text cut from Firefox 1.5.0.5 now pastes into an email message properly.

You can read a fuller list of improvements and bugfixes on The Rumbling Edge, Mozilla’s Development blog.

Thunderbird 1.5.0.5 is available from the Mozilla web site.

[Thanks, Bronson]


Apple Mail phones home too

Tuesday, July 18th, 2006

Not long ago Daniel Jalkut discovered that Dashboard calls home to Apple to check for widget updates. Today I discovered that Mail.app does the same thing.

Recently at my real work but not at home, Mail has been hanging for 30 seconds to a minute each time I tried to reply to an email. I would hit the Reply button and have time to make a cup of coffee in the kitchenette before the reply window appeared.

Luckily, the network administrator at the College, Tim Bell, has god-like tcpdump powers. He uncovered what was happening.

Each time I reply to a message, Mail attempts to contact an Apple server through port 80. That’s not a problem at home, but it is at work, where port 80 is blocked and a proxy redirects all HTTP traffic through another port. Mail didn’t respect my proxy settings. It carried on regardless with a process that eventually failed after a lengthy delay.

Tim opened the port so that we could see what Mail was trying to do.

Mail was sending the following request based on my .Mac username to certinfo.mac.com (17.250.248.148):

GET /lookup?timgaden HTTP/1.1

In response, it was getting:

timgaden
================
R5IGFzc3VtZXMg
YWNjZXB0YW5jZSB

The third line in base64 decodes to G\x92\x06\x1777V\xd6W2 (where \x?? means the non-ascii character 92 (in hex), etc.) – so Tim tells me – and the fourth line to acceptance (with a trailing space).
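To reproduce Tim’s decoding of the two captured lines, and to check whether they are pieces cut from a longer base64 string (every 4 characters encode 3 bytes, so a fragment decodes differently at each of the four possible starting offsets), here is an added example; it is not part of the original post, and the printable-ASCII scoring heuristic is my own.

```python
import base64

# The two response lines quoted above, exactly as captured (no '=' padding survived).
CAPTURED_LINES = ["R5IGFzc3VtZXMg", "YWNjZXB0YW5jZSB"]

def decode_fragment(fragment: str) -> bytes:
    """Decode a base64 fragment, restoring padding lost in capture. A length of
    4n+1 cannot occur in valid base64 (a lone trailing character carries fewer
    than 8 bits), so such a trailing character is dropped before decoding."""
    fragment = fragment.strip()
    if len(fragment) % 4 == 1:
        fragment = fragment[:-1]
    fragment += "=" * (-len(fragment) % 4)
    return base64.b64decode(fragment)

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)

def best_alignment(fragment: str) -> tuple[int, bytes]:
    """Try the fragment from each of the four possible starting offsets and
    return the offset whose decode contains the most printable ASCII, with
    that decode. Offset 0 is what a plain decoder (and Tim) would use."""
    best_offset, best_bytes, best_score = 0, b"", -1.0
    for offset in range(4):
        decoded = decode_fragment(fragment[offset:])
        score = printable_ratio(decoded)
        if score > best_score:
            best_offset, best_bytes, best_score = offset, decoded, score
    return best_offset, best_bytes

if __name__ == "__main__":
    for line in CAPTURED_LINES:
        print(line, "->", decode_fragment(line), "| best alignment:", best_alignment(line))
```

At offset 0 the first line gives the bytes Tim reported, but shifted by two characters it reads “ assumes ”, which with “acceptance ” on the next line suggests the captured lines are cut from a longer run of English text rather than being binary data.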

Once we understood the problem, we could google for an answer. It turns out that Jonathan Wight experienced the same thing a year ago. He also provides a fix: delete the ~/Library/Preferences/com.apple.security.plist preferences file.

I’m not suggesting that anything nefarious or underhand is happening here, but it still puzzles me on three fronts.

First, what exactly is it checking and what is the undecipherable response? Is it checking my iChat certificate?

Secondly, why should Mail try to do this when I am replying to a message in my work account on my work server?

Thirdly, why is Mail so stupid? What design oversight makes it overlook my system-wide proxy settings and carry on banging away at port 80, giving me endless delays? Normally, Mail.app helps me to get things done, but not here.

UPDATE: MacGeekery has posted an interesting take on this, which is worth a read.

I hope I made it clear in my post above – although perhaps I didn’t – that I do not think Apple is stealing my credit card information or looking for cracked software or turning my computer into a drone for Apple press releases or doing anything else untoward.

I do think it is puzzling that my proxy settings were ignored and that Mail.app was thus unusable for up to a minute every time I tried to reply to a message. I do think it is puzzling that the fix was so hard to find. I do think it is fair to expect better of Apple than this.

[Thanks for your help this afternoon, Tim. All my tcpdump are belong to you.]


Security vulnerability in GPGMail

Tuesday, July 18th, 2006

GPGMail plugin users take note. According to a Hawk Wings reader, emails signed with the GPGMail plugin may not be as safe as you think.

He writes,

I thought you might like to know that there is a serious security flaw in the gpgmail plugin. I discovered the vulnerability a few weeks ago, though I’m not the first to do so.

The problem is that if gpgmail detects a valid signature for part of a message, it displays a notice to say that the message is signed, even if parts of it are not. As a result, it is possible for an attacker to add arbitrary data (extra text, attachments, etc) to a signed message and it will appear to the user that the whole message is signed.

There is more detailed discussion in the mailing list archives:

http://www.sente.ch/Lists/gpgmail-users/List.html

The username and password required to view the archives are “sente” and “sente”.

[Thanks, Nicholas]
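The flaw described above is structural: a signed message is wrapped, unchanged, in a new MIME container together with parts the signer never saw, and the client badges the whole thing as signed. The following added example (not GPGMail’s code, and not from the post) walks a message’s MIME tree and reports which parts actually sit inside the multipart/signed envelope; both sample messages are constructed and the signature blob is a placeholder, so this is the coverage check a client should make in addition to, not instead of, cryptographic verification.

```python
import email

# Constructed sample, not a real capture: a genuinely signed message (RFC 1847
# multipart/signed; first part is the signed body, second part the signature).
SIGNED = b"""\
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="inner"

--inner
Content-Type: text/plain

Please approve the attached invoice.
--inner
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
placeholder, not a real signature
-----END PGP SIGNATURE-----
--inner--
"""

# The attack described above: the signed message is wrapped, untouched, in a new
# multipart/mixed container together with an attachment the signer never saw.
WRAPPED = (b'Content-Type: multipart/mixed; boundary="outer"\n\n--outer\n' + SIGNED
           + b'--outer\nContent-Disposition: attachment; filename="invoice.txt"\n\n'
           + b'Pay 10,000 to the account named in this file.\n--outer--\n')

def signature_coverage(raw: bytes) -> list[tuple[str, bool]]:
    """List each content part (filename or content type) with a flag telling
    whether it lies inside a multipart/signed envelope. Structural check only:
    the signature must still be verified cryptographically over the signed body."""
    found: list[tuple[str, bool]] = []

    def walk(part, covered: bool) -> None:
        ctype = part.get_content_type()
        if part.is_multipart():
            inside = covered or ctype == "multipart/signed"
            for sub in part.get_payload():
                walk(sub, inside)
        elif ctype != "application/pgp-signature":   # skip the signature blob itself
            found.append((part.get_filename() or ctype, covered))

    walk(email.message_from_bytes(raw), False)
    return found

def fully_signed(raw: bytes) -> bool:
    """True only if every content part is covered; show a 'signed' badge only then."""
    coverage = signature_coverage(raw)
    return bool(coverage) and all(covered for _, covered in coverage)
```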


NetShred X 3.17: Thunderbird, Camino support

Saturday, July 8th, 2006

NetShred is a stand-alone app that protects your privacy on the Internet by shredding the browsing histories, caches and deleted items of your browsers and email clients.

Of course, it supports Mail.app, Safari and Firefox. It even supports Eudora and Mailsmith.

A new version released today adds Camino (excellent!), Shiira and Opera to that list. Thunderbird is now also supported.

It can erase and/or overwrite (not just delete) the following: browser caches, Internet histories, email trash, download caches, your QuickTime cache, favicons and cookies.

NetShred X is a universal binary. It’s shareware (USD 19.95) and a demo is available from the developer’s web site.


Encryption for Gmail via Greasemonkey

Thursday, June 1st, 2006

Langenhoven offers a Greasemonkey script for Firefox that will encrypt Gmail messages.

It achieves this by using RSA-type encryption in JavaScript.

The site also offers a utility for producing the public and private keys needed for encryption.

I haven’t tested this but the results look like the real thing:

(Screenshot: an encrypted Gmail message)

Read the Known Issues section to discover that it works best in Firefox 1.5 or greater and that some of the buttons are troublesome.
