The loophole allows a sender to disguise an executable file (say, a shell script) as an image or some other harmless file. When clicked on, the executable file runs. Don’t remember? See the Hawk Wings post at the time (Feb, 2006).

Now, it’s back. You can test for yourself. The Heise Security web site offers to send you a test email. Give them an email address and after a confirmation, the email arrives:

CLick on the “jpg” to open it, and it runs a shell script, listing your current directory and exiting harmelessly:

Last time, the news prompted a range of responses, some of them rather hysterical. One writer even claimed that it made Mail.app too dangerous to use.

I am happy to follow John Gruber’s lead (again). As he said last time:

“It boils down to this: you can’t safely double-click files from untrusted sources, and you never could. This is no different today on Mac OS X 10.4 than it was a decade ago on Mac OS 8 and 9.”

Puzzling that it’s back, yes. But dangerous? No more than usual.

UPDATE: “FatYank” provides a quick fix in the comments for those who are really worried about this:

The workaround for this is to rename Terminal. When you rename Terminal and double click on the JPG, you get a message stating that Preview cannot open the file.

Or, as Rob points out, you could use Quickview to view attachments first, in which these “fake” file show up as empty.

Thanks!

[Via The Register ]mail.app, apple mail, leopard mail, security, shell script, bug, apple, tiger mail, exploitSimilar Posts:

• Security flaw with scripts in Mail.app
• RCMail: Remotely control your Mac by email
• Fix for Leopard Mail’s broken new mail alert
• Scripts to automate the Mail.app Envelope speed trick
• Remotely control your Mac via AppleScript

He outlines the process for creating an account at Thawte and requesting a certificate and then installing it.

Further sections follow on the difference between a digitally signed and an encrypted message, and how to use them.

It’s interesting to compare Melvin’s take on secure email in Mail.app with Matt Haughey’s experience , which wasn’t so positive.

Melvin thinks it works well and is a good tool to have in your email armoury:

Other than the process of going though an external website for obtaining a certificate, Mail’s integration of signed and encrypted messages is seamless. It’s a great feature that is just hidden until needed. Making the user experience simple and clean. And there’s nothing like discovering a great new feature on an App you’ve been using for a long time now.

Joar Winfor has also produced a more detailed walkthrough for secure email in Mail.app, but more detail is not always good for everyone.thawte, certificate, X.509, digital signatures, encryption, secure email, security, mail.app, apple mailSimilar Posts:

• .Mac emails get more secure?
• The frustrations of encrypted mail in Mail.app
• Safari 2.0 and Thawte Certificates
• More on the .Mac/iChat certificate
• Chibi Ninja: Cross-platform encrypted messages

The update also brings some welcome improvements for Mac users.

Newsgroups are no longer “over-abbreviated” and HTML text cut from Firefox 1.5.0.5 now pastes into an email message properly.

You can read a fuller list of improvements and bugfixes on The Rumbling Edge, Mozilla’s Development blog.

Thunderbird 1.5.0.5 is available from the Mozilla web site .

[Thanks, Bronson]thunderbird, email, security, HTML, firefoxSimilar Posts:

• Thunderbird 1.5.0.4: Universal binary!
• Thunderbird 1.5.0.2 is out
• What Thunderbird 2.0 will bring
• Gmail shortcuts in Thunderbird and Fastmail
• Thunderbird: Portable, Intel Macs

Recently at my real work but not at home, Mail has been hanging for 30 seconds to a minute each time I tried to reply to an email. I would hit the Reply button and have time to make a cup of coffee in the kitchenette before the reply window appeared.

Luckily, the network administrator at the College, Tim Bell, has god-like tcpdump powers. He uncovered what was happening.

Each time I reply to a message, Mail attempts to contact an Apple server through port 80. That’s not a problem at home, but it is at work, where port 80 is blocked and a proxy redirects all HTTP traffic through another port. Mail didn’t respect my proxy settings. It carried on regardless with a process that eventually failed after lengthy delay.

Tim opened the port so that we could see what Mail was trying to do.

Mail was sending the following request based on my .Mac username to certinfo.mac.com (17.250.248.148):

GET /lookup?timgaden HTTP/1.1

In response, it was getting:

The third line in base64 decodes to G\x92\x06\x1777V\xd6W2 (where \x?? means the non-ascii character 92 (in hex), etc.) – so Tim tells me – and the fourth line to acceptance (with a trailing space).

Once we understood the problem, we could google for an answer. It turns out that Jonathan Wight experienced the same thing a year ago. He also provides a fix: delete the ~/Library/Preferences/com.apple.security.plist preferences file.

I’m not suggesting that anything nefarious or underhand is happening here, but it still puzzles me on three fronts.

First, what exactly is it checking and what is the undecipherable response? Is it checking my iChat certificate?

Secondly, why should Mail try to do this when I am replying to a message in my work account on my work server?

Thirdly, why is Mail so stupid? What design oversight makes it overlook my system-wide proxy settings and carry on banging away at port 80, giving me endless delays? Normally, Mail.app helps me to get things done, but not here.

UPDATE: MacGeekery has posted an interesting take on this, which is worth a read.

I hope I made it clear in my post above – although perhaps I didn’t – that I do not think Apple is stealing my credit card information or looking for cracked software or turning my computer into a drone for Apple press releases or doing anything else untoward.

I do think it is puzzling that my proxy settings were ignored and that Mail.app was thus unusable for up to a minute everytime I tried to reply to a message. I do think it is puzzling that the fix was so hard to find. I do think it is fair to expect better of Apple than this.

[Thanks for your help this afternoon, Tim. All my tcpdump are belong to you.]mail.app, apple mail, security, certificates, port 80, reply, hanging, spinning beachball of death, bug, proxySimilar Posts:

• Long delays with Mail.app replies
• Posting .Mac mail when Port 25 is blocked
• Emailing from Starbucks: What port 587 is for
• Three outgoing mail fixes for Mac users on the go
• Four things that Mail.app can’t do

He writes,

I thought you might like to know that there is a serious security flaw in the gpgmail plugin. I discovered the vulnerability a few weeks ago, though I’m not the first to do so.

The problem is that if gpgmail detects a valid signature for part of a message, it displays a notice to say that the message is signed, even if parts of it are not. As a result, it is possible for an attacker to add arbitrary data (extra text, attachments, etc) to a signed message and it will appear to the user that the whole message is signed.

There is more detailed discussion in the mailing list archives:

http://www.sente.ch/Lists/gpgmail-users/List.html

The username and password required to view the archives are “sente” and “sente”.

[Thanks, Nicholas]privacy, digital signatures, security, mail.app, apple mail, plugins, GPGMailSimilar Posts:

• Fix for “GPGMail unread messages” bug
• More security flaws in Mac OSX
• GPGMail 1.1.2
• Forward only selected attachments
• 10.4.6: Mail, GPGMail and MailStamps issues

Of course, it supports Mail.app, Safari and Firefox. It even supports Eudora and Mailsmith.

A new version released today adds Camino (excellent! ), Shiira and Opera to that list. Thunderbird is now also supported.

It can erase and/or overwrite (not just delete) the following: browser caches, Internet histories, email trash, download caches, your quicktime cache, favicons and cookies.

NetShred X is a universal binary. It’s shareware (USD 19.95) and a demo is available from the developer’s web site . privacy, email, mail.app, apple mail, thunderbird, camino, securitySimilar Posts:

• NetShred X: Email and Browsing Privacy
• Thunderbird 1.5.0.2 is out
• Onyx 1.6.6
• Distraction-free Gmail in Camino/Firefox
• Add a “Gmail this” bookmarklet to your web browser

It achieves this by using RSA type encryption in Javascript.

The site also offers a utility for producing the public and private keys needed for encryption.

I haven’t tested this but the results look like the real thing:

Read the Known Issues section to discover that it works best in Firefox 1.5 or greater and that some of the buttons are troublesome.gmail, encryption, greasemonkey, firefox, public public, private keys, email, securitySimilar Posts:

• Greasemonkey up your Gmail
• Gmail shortcuts in Thunderbird and Fastmail
• Add Daily Agenda to your Gmail
• Killer list of Google Calendar tips
• MailTags for Leopard: New Public Beta

They mostly involve the handling of images and decompression of zip files.

He expects that they will be addressed in the next Apple security update.

A St Louis Post-Dispatch article on the flaws urges caution , “Avoid opening strange or unusual e-mail attachments, and beware of Web links embedded in unsolicited Web correspondence.”

As many people pointed out during the excitement of the last round of security flaws, this has been pretty sensible advice since, like, forever.security, exploits, zip files, mac osx, images, attachments, mail.app, apple mail Similar Posts:

• Mac Attack Snack Pack
• Toggle image and attachment display in Mail.app
• Mail.app too dangerous to use?
• OMiC: A plugin to extract winmail.dat files
• Quickly saving attachments in Mail.app

Metrowest Daily News carries an interview with Michael Lamont, a software engineer who has attempted to play along with 419 Nigerian scam artists (“I am an official for Nigerian Oil. I have $140 million. Give me your bank account details and you can have 10%”).

Others have done this before (see the 419 Eater and 419 Baiter web sites), but I was interested to read the statistics about victims and the estimated total financial damage, and to learn that the Nigerian Government “blames Westerners’ greed for their losses”.

Another creative response to Phishing scams (deceptive hyperlinks in emails designed to trick you into revealing financial or personal information) is covered by C|Net News.

It has published an article about RSA Cyota, a company that fights phishing by flooding the scammers’ web sites with bogus user names and passwords so that legitimate information is harder to determine. A spokesperson for RSA Cyota explains:

The technique is called dilution: We generate a list of bogus credentials and feed the Web site with false usernames, passwords and credit card numbers. The fraudster may have obtained 30 genuine credentials out of 300–we are trying to make it less worthwhile and more risky for the fraudster.

Of course, Mail provides some protection against phishing attacks, so careful users can protect themselves.

Recent research on why phishing works (PDF ) , published by Harvard Postdoctoral Fellow Rachna Dhamija, suggests that the majority of users are not careful.mail.app, apple mail, spam, phishing, security, email, fraudSimilar Posts:

• Phishers learn new tricks
• Three Nigerians to scam no more
• Quickies
• SpamSieve 2.4.2
• Nine reasons not to worry about Gmail

It’s not enough to be (extra) careful about opening attachments in emails that you are unsure about. More drastic action is required:

If you are using Apple’s Mail, I’d consider switching to another mail program, at least temporarily. The problem with Mail is that it allows you to open a file with a single click, and there’s no warning from the application to give you a second chance to cancel that action. Neither Thunderbird nor Microsoft Entourage allow for this, so you might want to think about switching until Apple fixes that.

Oddly, later in the article he suggests: “Just take the common-sense steps that we all should be taking anyway, and you’ll be fine.”Mac osx, security, vulnerability, mail.app, apple mail, thunderbird, entourage, attachments, scripts Similar Posts:

• Security flaw with scripts in Mail.app
• More security flaws in Mac OSX
• Thunderbird 1.5.0.2 is out
• Exchange Server 2007, Mail.app and Safari
• Thunderbird 1.5.0.4: Universal binary!