Leopard Mail May Include Tiger Security Flaw
by , 9:40 AM EST, November 21st, 2007
Heise Security says Apple's Mail application in Mac OS X 10.5 may include a security flaw that the company previously patched in Mac OS X 10.4. The flaw could allow an attacker to trick Mail users into running an application by disguising it as a JPEG email attachment.
Apple patched the flaw in Tiger's Mail application in March 2006, but it appears the same security hole was reintroduced when Leopard shipped at the end of October.
Heise Security has developed a demonstration of the flaw. It emails a harmless attachment which, when opened, launches the Terminal application and displays the contents of the current directory.
This potential security flaw appears to impact Leopard users only. Tiger users with current updates installed are not impacted.
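As an added example (not code from Heise Security, Apple or this article), here is the kind of content check Mail evidently skipped here: it classifies an attachment by its leading bytes rather than its name and flags an image-named file whose content is actually a shell script or a Mach-O binary. The sample bytes are constructed for the example.

```python
# Added example: flag an attachment whose extension says "image" while its
# bytes say "executable". Samples at the bottom are constructed, not real mail.

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes ("magic numbers") of the image formats this check recognises.
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Mach-O thin binaries (32/64-bit, both byte orders) and fat binaries.
# 0xCAFEBABE is also the Java class-file magic; both are code, so flag either.
MACHO_MAGIC = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for kind, magics in IMAGE_MAGIC.items():
        if data.startswith(magics):
            return kind
    if data.startswith(b"#!"):        # interpreter line of a shell/perl/python script
        return "script"
    if data.startswith(MACHO_MAGIC):
        return "mach-o"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (is_consistent, detected_kind). An image extension over script
    or native-code content is exactly the disguise the article describes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in IMAGE_EXTENSIONS and kind != ext.replace("jpg", "jpeg"):
        # Name promises an image but the bytes are a script, a binary, or
        # something unrecognised: treat as suspect rather than opening it.
        return False, kind
    return True, kind


# Constructed samples: a minimal JPEG header and a harmless shell script.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_SCRIPT = b"#!/bin/sh\nls\necho 'hello'\n"

if __name__ == "__main__":
    for name, body in (("photo.jpg", SAMPLE_JPEG), ("photo.jpg", SAMPLE_SCRIPT)):
        ok, kind = check_attachment(name, body)
        print(f"{name}: content={kind} {'ok' if ok else 'MISMATCH - do not open'}")
```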
Observer Comments
Wed Nov 21, 2007 8:09 pm Subject: Didn't work for me
I did their demo and it didn't do what they said it would... so I don't know about their vulnerability. (I did look at the code on a different machine before executing the potential virus; it was, as they say, a simple and harmless shell script.) It will be interesting to see what others say about this.
This totally worked for me. You go to their web site and enter your email address and they mail you. Clicking once on the ".jpg" attachment brings up the Terminal and runs a script, which does an 'ls' and prints a message basically saying you are owned.
The second time I clicked on the ".jpg", it didn't work and the correct warning dialog came up. It turns out it only works once each time Mail is started.
The script doesn't get root or admin privileges if you are running as a normal user. But if it contained "rm -rf ~/*" you would basically be screwed. It could also modify your ~/Library to get a bot to run in the background when you are logged in, I think. Apple absolutely has to fix this, despite what any fanboys say.