Wednesday, November 21, 2007

Apple Mail in Leopard with the Same Old Error

Via Heise Security -

In March 2006 Apple fixed a security problem in Apple Mail that made it possible to smuggle in disguised malicious code. In Leopard, the patch was apparently forgotten. This means that you can inadvertently start an executable by double-clicking a mail attachment that looks like a JPEG image file.

Files on a Mac can carry additional information, such as which program should be used to open them. The operating system stores this in the file system in a so-called "resource fork" that is linked to the file. This type of information is usually confined to the local system; for emails, however, the MIME format AppleDouble allows resource forks to be attached -- and these are automatically parsed by Apple Mail.

This allows an attacker to create an email with an attachment called picture.jpg that is displayed with a JPEG icon. But when the user tries to open the picture, Apple Mail parses the resource fork and executes, for example, a shell script without any further warning. In this case even the MIME type declares the attachment as image/jpeg, but careful Mac users may become suspicious when they notice that the picture is not displayed immediately as usual. You can use the heise Security Emailcheck to have a harmless e-mail sent to you that demonstrates the problem.
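A mail-gateway style check for the mismatch described above, written as an added example (it is not heise's Emailcheck or any Apple code): it walks a message, parses the application/applefile header of each multipart/appledouble part, and flags attachments whose declared image/jpeg type disagrees with the Finder file type in the resource-fork header or with the bytes in the data fork. The AppleDouble layout (magic 0x00051607, 16 filler bytes, entry count, 12-byte entries; entry 2 = resource fork, entry 9 = Finder info) is the published format; the sample message is constructed here and is not the test mail from the article.

```python
import struct
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
APPLEDOUBLE_MAGIC, ENTRY_RSRC, ENTRY_FINDER = 0x00051607, 2, 9  # header magic and the two entry ids inspected

def parse_appledouble(blob):
    """Map entry id -> bytes for an AppleDouble header: magic, version, 16 filler bytes, count, 12-byte entries."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return None
    entries = {}
    for i in range(struct.unpack(">H", blob[24:26])[0]):
        off = 26 + 12 * i
        if off + 12 > len(blob):
            break  # truncated entry table: stop rather than read past the end
        eid, eoff, elen = struct.unpack(">III", blob[off:off + 12])
        entries[eid] = blob[eoff:eoff + elen]
    return entries

def check_message(raw):
    """Findings for AppleDouble attachments whose Finder info or data fork disagree with a declared image/jpeg type."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_type() != "multipart/appledouble":
            continue
        subs = part.get_payload()
        hdr = next((p for p in subs if p.get_content_type() == "application/applefile"), None)
        data = next((p for p in subs if p.get_content_type() != "application/applefile"), None)
        if hdr is None or data is None:
            continue
        entries = parse_appledouble(hdr.get_payload(decode=True) or b"") or {}
        name, declared = data.get_filename() or "?", data.get_content_type()
        ftype = entries.get(ENTRY_FINDER, b"")[:4]  # first four bytes of Finder info are the file type code
        if declared == "image/jpeg" and not (data.get_payload(decode=True) or b"").startswith(b"\xff\xd8\xff"):
            findings.append(f"{name}: declared {declared} but the data fork is not a JPEG")
        if declared == "image/jpeg" and ftype and ftype != b"JPEG":
            findings.append(f"{name}: Finder type {ftype!r} disagrees with {declared}")
        if entries.get(ENTRY_RSRC):
            findings.append(f"{name}: carries a {len(entries[ENTRY_RSRC])}-byte resource fork")
    return findings

def build_sample():
    """Constructed message (not the heise test mail): picture.jpg declared image/jpeg, Finder type TEXT, non-JPEG data."""
    finder, rsrc = b"TEXT" + b"\x00" * 28, b"\x00" * 16  # 32-byte Finder info and a placeholder resource fork
    ad = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, 0x00020000, 2)  # two entries follow the 26-byte header
    ad += struct.pack(">IIIIII", ENTRY_FINDER, 50, 32, ENTRY_RSRC, 82, 16) + finder + rsrc
    data = MIMEImage(b"plain text, not an image", "jpeg")
    data.add_header("Content-Disposition", "attachment", filename="picture.jpg")
    return MIMEMultipart("appledouble", _subparts=[MIMEApplication(ad, "applefile"), data]).as_bytes()
```

Running `check_message(build_sample())` yields three findings for picture.jpg; a genuine JPEG whose Finder type is JPEG and which carries no resource fork produces none.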

In March 2006 Apple corrected this problem. On a current installation of the Tiger OS, Apple Mail issues a warning that the supposed image file is a program and will be opened with Terminal. Apple apparently either did not carry this fix over into Leopard, or did not do so correctly. In tests performed by heise Security, the Terminal window opened directly in most cases when the attachment of the Emailcheck test email was opened. In only one email did this happen the first time the attachment was opened; subsequent double-clicks suddenly produced the expected confirmation dialogue. The test emails are identical except for the subject line and some administrative information in the header.
