The Mac Observer

Skip navigational links

Choose text size: Select small text. Select medium text. Select large text.

You're viewing an article in TMO's historic archive vault. Here, we've preserved the comments and how the site looked along with the article. Use this link to view the article on our current site:
Leopard Mail May Include Tiger Security Flaw

Leopard Mail May Include Tiger Security Flaw

by , 9:40 AM EST, November 21st, 2007

Heise Security says Apple's Mail application in Mac OS X 10.5 may include a security flaw that the company previously patched in Mac OS X 10.4. The flaw could allow an attacker to trick Mail users into running an application by disguising it as a JPEG email attachment.

Apple patched the flaw in Tiger's Mail application in March 2006, but somehow it seems the same security hole was reintroduced when Leopard shipped at the end of October.

The security company has developed a demonstration showing the flaw. The demonstration emails a harmless attachment that launches the Terminal application and displays the contents of the current directory.

This potential security flaw appears to impact Leopard users only. Tiger users with current updates installed are not impacted.

Observer Comments

Show: Subjects Only | Full Comments
Close Name:Guest
Wed Nov 21, 2007 12:11 pm Subject: Eh?

I use Gmail - GMail (Google) filters virii (viruses) and any other malware from my incoming email. There is spam reporting/moving feature as well. And GMail works well on Safari!

So this does not bother me.

But I would like to point out that this will bother those who use the Mail app exclusively. How much of a bother is up to the user. From a bit to a lot...

In that case, I am concerned about the luckless users.

Guest, now celebrating his 1,234th post...


 Reply | Quote
Close Name:brett_x Posts: 322 Joined: 24 Jan 2006
Wed Nov 21, 2007 8:09 pm Subject: Didn't work for me

I did their demo and it didn't do what they said it would... so I don't know about their vulnerability. (I did look at the code on a different machine before executing the potential virus.. it was as they say, a simple and harmless shell script.) It will be interesting to see what others say about this.


 Reply | Quote
Close Name:Steve Ballmer Guest
Wed Nov 21, 2007 9:29 pm Subject: I though Leopold had no flaws?

[pointless trolling/spamming deleted]


 Reply | Quote
Close Name:noworryz Posts: 7 Joined: 15 Nov 2007
Sat Nov 24, 2007 3:52 pm Subject: Totally works

This totally worked for me. You go to their web site and enter your email address and they mail you. Clicking once on the ".jpg" attachment brings up the Terminal and runs a script, which does an 'ls' and prints a message basically saying you are owned.

The second time I clicked on the ".jpg", it didn't work and the correct warning dialog came up. It turns out it only works once each time Mail is started.

The script doesn't get root or admin privileges if you are running as a normal user. But if it contained "rm -rf ~/*" you would basically be screwed. It could also modify your ~/Library to get a bot to run in the background when you are logged in, I think. Apple absolutely has to fix this, despite what any fanboys say.


 Reply | Quote
Close Name:Guest
Mon Nov 26, 2007 10:09 pm Subject: Not a flaw in Mail

This isn't a flaw in Mail and everyone knows it. It's a flaw in the way the system chooses icons for display. The system is smart enough (?) to read the RSRC to run the trojan but not smart enough to get the icon from there? How come other third party utilities are smart enough? It's not Mail it's the entire Apple system and Apple never fixed this but hey - you hold your breath JG and they'll fix it right soon now.


 Reply | Quote
Comment on this Article


Guest Posts Visible. Hide Them.
Back to top  Page 1 of 1    

You cannot edit your comments.   You cannot delete your comments.

Comments are currently closed. Please email the author instead.


Recent Headlines - Updated November 8th

Sun, 11:59 AM
Mac Geek Gab Podcast - MGG 226: Magic Mouse, Apple Battery Secrets, Q&A
Sat, 7:58 PM
News - Apple TV 3.0.1 Update Fixes Missing Content Bug
Fri, 7:45 PM
Rumor - Taiwan Leak Shows Verizon UTMS/CDMA iPhone for Q3 2010
6:40 PM
News - iPhone Moves Into RadioShack
6:30 PM
News - Apple to Open Stunning Paris Apple Store in Le Louvre on Saturday
5:43 PM
Free on iTunes - Dictionary, Dictionary, Dictionary, And More
4:09 PM
John Martellaro's Blog - Particle Debris (week ending 11/6) Failure IS an Option
3:32 PM
Games - The Latest App Store Games: Gravity Sling, RocketBird, Ground Effect, Checkers!
2:25 PM
Games - Star Soccer 2010 for Mac Puts Gamers in Role of Up-and-Coming Player
2:15 PM
How-To - The Mysteries of Rosetta Housekeeping
1:33 PM
News - iPhone Game Developer Sued for Collecting User’s Cell Numbers
1:17 PM
Games - Warhammer Online Expands Trial Play Option

The Mac Observer Reader Specials

  • TypeStyler For Mac OS X is Now Shipping! Download The Free Fully Functional 60 Day Tryout at www.typestyler.com
  • RamJet Memory: Mac Pro 8-core 8GB Kit $199.99, 4GB Kits $109.99! Sale on MacBook and MacBook Pro 8GB kits $549.99! New MacBook DDR3 2GB for $49.99. iMac and Mac mini 4GB Kits for $79.99! 1TB SATA Hard Drives for $109.99! Click here
  • OWC: Mercury On-The-Go FW800+USB2 up to 1.0TB. Bus Powered, no external power supply needed. Macworld ‘Editor’s Choice’, CNET ‘Very Good’ Starting from $99.97, 500GB $159.99. Click here
  • Poker Mac If you're using a Mac, then you've gotta check out Full Tilt Poker for Mac. This Full Tilt Poker bonus code does the unthinkable, it actually rewards!

  • For the latest Apple products use Ciao, a price comparison website, to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate mobile phones like the Apple iPhone.

  • Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.
  • __________
  • Buy Stuff, Support TMO!
  • Podcast: Mac Geek Gab
  • Podcast: Apple Weekly Report
  • TMO on Twitter!