Leopard Mail Vulnerable to Bogus Email Attachments

Heise Security reports that Leopard Mail is vulnerable to email attachments masquerading as a different file type. For example, a shell script named “Foo.jpg” whose resource fork binds the file to Terminal will be displayed by Leopard Mail as a JPEG image, but will open and execute in Terminal — without any warning or prompt — if you double-click it from Mail. Oddly, you do get a warning on subsequent attempts to open the attachment within Mail — it only executes in Terminal without warning the first time. Even worse, Apple closed this same vulnerability before, in Tiger, but it has returned in Leopard.
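The check a practitioner would want here is the one Mail evidently skips: compare what the attachment's name claims against what its bytes actually are, and flag any attachment that carries a resource fork, since that is where a per-file opener binding such as “open with Terminal” lives. The following is an added example, not code from Apple, Heise, or this post. It assumes the resource fork shows up as the extended attribute com.apple.ResourceFork (the name xattr(1) prints on macOS), takes the attribute list from the caller so it runs anywhere, and uses constructed sample bytes rather than real attachments.

```python
"""Added example: flag mail attachments whose claimed type (extension) does
not match their content, or that carry a macOS resource fork that could bind
them to a different opener (e.g. Terminal). Not Apple's or Heise's code; the
names and sample inputs below are constructed for illustration."""

import os
from typing import Iterable, List

# Leading-byte signatures for a few image types a mail client renders inline.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_ALIASES = {"jpeg": "jpg"}

# Signatures of things that execute when "opened".
EXEC_MAGIC = {
    "script": (b"#!",),
    # Mach-O thin headers (32/64-bit, either byte order) and the fat/universal
    # header (0xcafebabe, which Java class files share).
    "mach-o": (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
               b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
               b"\xca\xfe\xba\xbe"),
}

# Extended attribute under which macOS exposes a file's resource fork. A
# resource fork can carry an application binding that overrides the
# extension-based choice of opener (assumption: the attacker's Terminal
# binding lives here, as the Heise description implies).
RESOURCE_FORK_XATTR = "com.apple.ResourceFork"


def sniff_kind(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its name."""
    for kind, sigs in list(IMAGE_MAGIC.items()) + list(EXEC_MAGIC.items()):
        if any(data.startswith(s) for s in sigs):
            return kind
    return "unknown"


def claimed_kind(name: str) -> str:
    """The type the file name advertises, normalised (.JPEG -> jpg)."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    return EXT_ALIASES.get(ext, ext)


def check_attachment(name: str, data: bytes, xattrs: Iterable[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious.

    xattrs is the list of extended-attribute names on the saved attachment
    (e.g. as printed by `xattr -l` on macOS); the caller supplies it so the
    check itself runs on any platform.
    """
    findings = []
    claimed, actual = claimed_kind(name), sniff_kind(data)
    if claimed in IMAGE_MAGIC and actual != claimed:
        findings.append(
            f"type-mismatch: {name!r} claims {claimed} but content sniffs as {actual}")
    if RESOURCE_FORK_XATTR in set(xattrs):
        findings.append(
            f"resource-fork: {name!r} carries {RESOURCE_FORK_XATTR}; "
            "its opener may not be the one the extension implies")
    return findings


# Constructed sample inputs (not real attachments).
SCRIPT_DISGUISED_AS_JPEG = b"#!/bin/sh\necho 'this ran in Terminal'\n"
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    for n, d, x in [("Foo.jpg", SCRIPT_DISGUISED_AS_JPEG, ["com.apple.ResourceFork"]),
                    ("photo.jpeg", REAL_JPEG_HEAD, [])]:
        print(n, check_attachment(n, d, x) or "ok")
```

Either finding on its own is worth a warning before opening: a type mismatch means the icon and preview are lying, and a resource fork on a file that arrived by mail has no legitimate reason to exist. Note that the resource fork can only be inspected after the attachment is saved to an HFS+ volume; on a filesystem that strips it, the binding disappears along with the risk.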

Monday, 26 November 2007
