E-mail flaw comes back from the dead in Leopard

A serious security flaw in Apple Mail, patched more than a year ago in "Tiger," also known as Mac OS X 10.4, has reared its head again in the latest version of the operating system, according to Heise Security.

Heise discovered that the flaw, which could allow attackers to disguise malicious file attachments, was left open in last month's release of Mac OS X 10.5, "Leopard." The flaw was originally patched in March 2006.

Leopard has been criticized on several fronts since its release, notably for incomplete security measures, problems with some laptop keyboards, a mysterious "blue screen of death," and incompatibility with some older applications.

Leopard arrived two and a half years after Tiger, following a delay as Apple engineers devoted themselves to the iPhone.

The original Mail flaw was caused by limitations in the Download Validation feature used to warn users whether the file type is "safe." Researchers found that the feature could be evaded by attaching a resource fork to a seemingly "safe" file such as a JPEG image. A resource fork contains information such as which program should be associated with the file.

Using this technique, an image attachment would seem harmless, but when launched by the user could, for instance, execute a shell script with no further user interaction.

In 2006 Apple updated Download Validation to examine resource forks, closing the hole.

Heise researchers found that in Leopard, Mail appears to be once again unable to detect resource fork information.

"In tests performed by Heise Security, the Terminal window opened directly in most cases when the attachment to the email check test email was opened," Heise said in a report on Tuesday.

The tests were not consistent, with some attachments triggering the warning dialogue, Heise said.

Heise has developed a test e-mail mechanism, which can be found on its Web site.

Techworld is an InfoWorld affiliate.