Apple Mail Security Flaw Reborn in Leopard

By Lisa Vaas  |  Posted 2007-11-20 Print this article Print

Fixed in Tiger in 2006, the flaw finds its way back into the newest Apple OS, according to a security firm.

A security problem in Apple Mail that got fixed in March 2006 has popped up again in Leopard, according to Heise Security. In a Nov. 20 posting, the security firm said that it had found that users can inadvertently start a potentially malicious executable by double-clicking an e-mail attachment injected with disguised code that looks like a JPEG. The vulnerability has to do with the way in which Mac operating systems store file information, such as which program can be used to open a given file. Such additional file information, which is structured data, is stored in resource forks linked to the file, alongside unstructured data thats stored in data forks.
Apple Mail automatically analyzes resource forks that are attached through the MIME format AppleDouble—a file format Apple developed to store these dual-forked (dual, as in having both resource and data forks) files on the Unix file system used in Apples first Unix-like operating system.
Read more here about patches Apple has issued for Leopard. According to Heise, an attacker can craft an e-mail attachment called, for example, picture.jpg that is displayed with a JPEG icon. When the user tries to open the picture, Apple Mail analyzes the resource fork and does something unexpected, such as execute a shell script without warning. Apple fixed the bug in March 2006. With the fix, Apples Tiger operating system warns users if a purported image file is in fact a program and needs to be opened with Terminal, a terminal emulator in Mac OS X that presents the user with a command line interface. That fix somehow slipped through the cracks, not making it into Leopard or not getting implemented correctly, Heise said. In Heises tests, the Terminal window opened directly in most cases when an attachment was opened. But in one instance, the Terminal window opened initially but not on subsequent double-clicks on the attachment. The test e-mails Heise used were identical except for the subject line and some administrative information in the header. Apple did not reply to questions regarding the mail bug. An automated reply from an Apple spokesman said that the company is closed down for the week in observance of the Thanksgiving holiday. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel