Apple Mail Security Flaw Reborn in Leopard

Fixed in Tiger in 2006, the flaw finds its way back into the newest Apple OS, according to a security firm.

A security problem in Apple Mail that got fixed in March 2006 has popped up again in Leopard, according to Heise Security.

In a Nov. 20 posting, the security firm said that it had found that users can inadvertently start a potentially malicious executable by double-clicking an e-mail attachment injected with disguised code that looks like a JPEG.

The vulnerability has to do with the way in which Mac operating systems store file information, such as which program can be used to open a given file. Such additional file information, which is structured data, is stored in resource forks linked to the file, alongside unstructured data thats stored in data forks.

Apple Mail automatically analyzes resource forks that are attached through the MIME format AppleDouble—a file format Apple developed to store these dual-forked (dual, as in having both resource and data forks) files on the Unix file system used in Apples first Unix-like operating system.


Read more here about patches Apple has issued for Leopard.

According to Heise, an attacker can craft an e-mail attachment called, for example, picture.jpg that is displayed with a JPEG icon. When the user tries to open the picture, Apple Mail analyzes the resource fork and does something unexpected, such as execute a shell script without warning.

Apple fixed the bug in March 2006. With the fix, Apples Tiger operating system warns users if a purported image file is in fact a program and needs to be opened with Terminal, a terminal emulator in Mac OS X that presents the user with a command line interface.

That fix somehow slipped through the cracks, not making it into Leopard or not getting implemented correctly, Heise said.

In Heises tests, the Terminal window opened directly in most cases when an attachment was opened. But in one instance, the Terminal window opened initially but not on subsequent double-clicks on the attachment. The test e-mails Heise used were identical except for the subject line and some administrative information in the header.

Apple did not reply to questions regarding the mail bug. An automated reply from an Apple spokesman said that the company is closed down for the week in observance of the Thanksgiving holiday.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.