Apple Mail Bug Rises From The Dead To Menace Leopard Users

The security flaw could create an e-mail attachment that executes malicious code when clicked on.

Thomas Claburn, Editor at Large, Enterprise Mobility

November 20, 2007

1 Min Read
InformationWeek logo in a gray background | InformationWeek

A security flaw in Apple Mail that was fixed last year has returned from the grave to haunt those using the e-mail app in conjunction with the latest version of Apple's operating system, Mac OS X 10.5, otherwise known as Leopard.

An attacker exploiting the security flaw could create an e-mail attachment that appears to be, for example, a JPEG image file, but executes malicious code when it is clicked on, without the warning dialogue that should be present.

"In March 2006, Apple corrected this problem," says Heise Security on its Web site. "On a current installation of the Tiger OS, Apple Mail issues a warning that the supposed image file is a program and is to be opened with Terminal. Apple apparently either did not incorporate this update into Leopard, or did not do it correctly."

Apple's Security Update 2006-001 fixed the flaw. "In Mac OS X v10.4 Tiger, when an e-mail attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not 'safe,' " Apple's Security Update explains. "Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments."

An Apple spokesperson could not be reached because Apple is closed this week for Thanksgiving.

Last week, Apple released security updates for the most recent versions of its Mac OS X operating system, Panther, Tiger, and Leopard.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights