Heise Security reports how Leopard Mail is vulnerable to email attachments masquerading as the wrong type. For example, a shell script named “Foo.jpg”, but which has a resource fork item assigning the file to Terminal, will be displayed by Leopard Mail as a JPEG image, but will open and execute in Terminal — without any warning or prompt — if you double-click it from Mail. Oddly, you do get a warning on subsequent attempts to open the attachment within Mail — it only executes in Terminal without warning the first time. Even worse, this same vulnerability was closed by Apple before, in Tiger, but has returned in Leopard.
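The check a defender would want for this class of problem is a comparison between what an attachment's name claims and what its bytes actually contain, with a note on whether the file carries a resource fork at all. The script below is an added example and is not code from Heise, Apple or this post; it writes two constructed sample attachments (a real JPEG header and a shell script named "Foo.jpg") into a temporary directory and flags the mismatch. The `..namedfork/rsrc` path used to look for a resource fork is the HFS+ named-fork form and only yields a result on Mac OS X; elsewhere the check simply reports no fork.

```python
"""Flag attachments whose extension claims an image but whose leading bytes
say otherwise (for example a shell script named Foo.jpg), and record whether
the file has a resource fork, which on Mac OS X can rebind it to another app.
Added example with constructed sample files; not code from Heise or Apple."""
import os
import tempfile

# Leading bytes of the image formats an attachment commonly claims to be.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def content_kind(path):
    """Classify a file by its first bytes: 'image', 'script' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magics in IMAGE_MAGIC.values():
        if any(head.startswith(m) for m in magics):
            return "image"
    if head.startswith(b"#!"):  # shebang line: a shell/Perl/Python script
        return "script"
    return "unknown"


def has_resource_fork(path):
    """True if the file has a non-empty resource fork. Uses the HFS+ named
    fork path (Mac OS X only); on other systems the lookup fails -> False."""
    fork = os.path.join(path, "..namedfork", "rsrc")
    try:
        return os.path.getsize(fork) > 0
    except OSError:
        return False


def check_attachment(path):
    """Compare what the name claims against what the content is."""
    ext = os.path.splitext(path)[1].lower()
    claims_image = ext in IMAGE_MAGIC
    kind = content_kind(path)
    return {
        "name": os.path.basename(path),
        "claims_image": claims_image,
        "content": kind,
        "resource_fork": has_resource_fork(path),
        # An image-named file that does not start like an image is suspect;
        # a script body is exactly the case described in the post.
        "mismatch": claims_image and kind != "image",
    }


def make_samples(directory):
    """Write two constructed attachments: a genuine JPEG header and a shell
    script wearing a .jpg name. Returns (real_path, fake_path)."""
    real = os.path.join(directory, "Photo.jpg")
    with open(real, "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 12)
    fake = os.path.join(directory, "Foo.jpg")
    with open(fake, "wb") as fh:
        fh.write(b"#!/bin/sh\necho 'this is not a picture'\n")
    return real, fake


def scan_samples():
    """Create the constructed samples in a temp dir and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        return [check_attachment(p) for p in make_samples(tmp)]


if __name__ == "__main__":
    for result in scan_samples():
        print(result)
```

The magic-number table is deliberately small; in practice a mail gateway would run the same comparison with a full content-type sniffer, and any attachment whose name and bytes disagree, or whose resource fork rebinds it away from the viewer its extension implies, is the one to quarantine rather than hand to the user's double-click.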
★ Monday, 26 November 2007