The problem was identified recently by UK-based Heise Security, which says it is identical to a security flaw that first came to light in Tiger's Mail back in March 2006.
Mac OS X 10.5 Leopard has the same security flaw that Apple originally patched in Tiger.
The vulnerability lies in Apple Mail's Download Validation feature, which warns users whether a file type is “safe.” Researchers found that the feature could be evaded by attaching a resource fork to a seemingly “safe” file such as a JPEG image. A resource fork contains critical information such as which program should be associated with the attached file.
Using this technique, an image attachment would seem harmless but, when launched by the user, could, for example, execute a shell script with no further user interaction.
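As an added example (not code from Heise, Intego or Apple), the following Python sketch shows how a mail filter could flag the pattern described above. It assumes the resource fork travels as a `multipart/appledouble` pair (RFC 1740), which the article does not state; the function names and the sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart

APPLEDOUBLE_MAGIC = 0x00051607   # AppleDouble header magic (RFC 1740)
RESOURCE_FORK_ID = 2             # entry ID of the resource fork
JPEG_MAGIC = b"\xff\xd8\xff"

def resource_fork_length(header):
    """Length of the resource fork declared in an AppleDouble header, or 0."""
    if len(header) < 26:
        return 0
    magic, _version, count = struct.unpack(">II16xH", header[:26])
    if magic != APPLEDOUBLE_MAGIC:
        return 0
    for i in range(count):
        entry = header[26 + 12 * i:38 + 12 * i]
        if len(entry) < 12:
            break                # truncated entry table
        entry_id, _offset, length = struct.unpack(">III", entry)
        if entry_id == RESOURCE_FORK_ID:
            return length
    return 0

def flag_attachments(raw):
    """Return (filename, fork_bytes, data_is_jpeg) per image sent with a resource fork."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() != "multipart/appledouble":
            continue
        kids = part.get_payload()
        head = [k for k in kids if k.get_content_type() == "application/applefile"]
        data = [k for k in kids if k.get_content_maintype() == "image"]
        if not head or not data:
            continue
        fork = resource_fork_length(head[0].get_payload(decode=True) or b"")
        body = data[0].get_payload(decode=True) or b""
        if fork:
            findings.append((data[0].get_filename(), fork, body.startswith(JPEG_MAGIC)))
    return findings

def constructed_sample():
    """Constructed test message: 'photo.jpg' whose data fork is not JPEG data."""
    hdr = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, 0x00020000, 1)
    hdr += struct.pack(">III", RESOURCE_FORK_ID, 38, 4) + b"\x00" * 4
    pair = MIMEMultipart("appledouble")
    pair.attach(MIMEApplication(hdr, "applefile"))
    pair.attach(MIMEImage(b"#!/bin/sh\n# constructed sample\n", "jpeg", name="photo.jpg"))
    return pair.as_bytes()
```

A finding whose last field is `False` is the strongest signal: the part is labelled as an image, carries a resource fork, and its data does not begin with the JPEG signature.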
Heise researchers found that in Leopard, Mail appears to be once again unable to detect resource fork information. “In tests performed by Heise Security, the Terminal window opened directly in most cases when the attachment to the email check test email was opened,” Heise said.
According to security vendor Intego, clicking an attachment in Mail for the first time bypasses the quarantine alert, but a subsequent attempt triggers the warning. More worryingly, if the same attachment arrives in later emails, it will be opened without warning.
Until the security flaw is fixed in Mac OS X 10.5, Mac users are at risk of receiving maliciously crafted files that pretend to be image files and could delete all of a user’s OS files or contain Trojan horses.