Leopard quarantine bug allows users to launch malicious attachments in Mail

"Mac OS X 10.5, Leopard, provides a 'quarantine' system that alerts users when they attempt to open applications that arrived via Mail, Safari or iChat, or that came in disk images via these programs. It also alerts users the first time they launch any other application they have installed or manually added to their Applications folder. This system should inform users of all cases when such executable files are being opened, but a bug in the quarantine system, discovered by Heise Security on November 20, 2007, can allow users to launch attachments, which may be malicious, from Mail.

"The principle behind this system is Leopard's LaunchServices database, which records all applications or executable files that are added to a user's Mac. However, when some executable attachments arrive by e-mail, this protection does not operate correctly. The current proof-of-concept example is a shell script in a file with a .jpg extension. The file also contains such information as a resource fork, telling which application should open it (in this case, Terminal). The file also has appropriate executable permissions.

"Within Mail, this file shows as an attachment with a JPEG icon showing that Preview will open it. But attempting to view the file with Quick Look shows that it is not an image file. A user receiving this file might be tempted to click it to see what it contains. While this proof of concept merely displays some text in a Terminal window, it would be simple to create a similar file with a single command that, when executed in Terminal, would delete all of the user's files.

"When a user clicks on an attachment to an e-mail message in Mail, the program stores a copy of the attachment in the user's Library/Mail Downloads folder. This folder allows the Finder to then open the attachment. When malicious attachments arrive in Mail containing a script and a resource fork (its usro resource tells the Finder to open the file with a specific application), a user can open these attachments once without Mac OS X displaying the quarantine alert. When a user opens the attachment at a later time, this alert displays, saying that the attachment may be an application, and informing the user that it will be opened by Terminal.

"The bug causing this has to do with the way Leopard manages quarantines. The first time a user opens an attachment, Mail opens the file directly without passing through the quarantine system. Subsequent openings of the same attachment cause Mail to no longer open the attachment directly, but rather open the file it has saved in the Mail Downloads folder.

"If a user receives a second message with the same attachment, the situation is worse: they will receive no alert at all. Since the attachment has been saved to the Mail Downloads folder, but from a different message, Mail does not attempt to open the original attachment, but makes a copy of it (named: (attachment name)-1, (attachment name)-2, etc.), and opens this attachment with no warning.

"Until this bug is corrected in Mac OS X 10.5, Mac users are at risk of receiving maliciously crafted files, pretending to be image files, which could delete all of a user's files, or may contain Trojan horses. It is important that users do not open attachments from unknown senders, especially those that come with spam messages."
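A practical check, added here as an example and not taken from the quoted advisory or from Heise/Intego: the shell functions below look at files in Mail's download folder the way the proof of concept is described (a file named as an image whose bytes and mode say "executable") and report whether the com.apple.quarantine extended attribute, the marker Leopard's quarantine alert depends on, is present on each one. The function names, the verdict strings and the sample files in the usage comments are assumptions made for this example; the xattr(1) invocation, the attribute name and the ~/Library/Mail Downloads path are real. The script does not reproduce the usro resource-fork trick itself, it only helps spot files that arrived through it.

```shell
#!/bin/sh
# Added example (not from the Heise/Intego advisory quoted above):
# flag attachments whose name claims an image but whose contents or
# mode mark them as executable, and report their quarantine state.
# Function and verdict names are assumptions for this example; the
# marker com.apple.quarantine and xattr(1) are the real macOS ones.

# classify_attachment FILE -> prints IMAGE, SUSPECT or OTHER.
classify_attachment() {
    f="$1"
    case "$f" in
        *.jpg|*.jpeg|*.png|*.gif) claims_image=1 ;;
        *)                        claims_image=0 ;;
    esac

    # First two bytes as lowercase hex, e.g. "ffd8"; od(1) is POSIX
    # and behaves the same on macOS and Linux.
    magic=$(od -An -tx1 -N2 "$f" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        ffd8|8950|4749) real_image=1 ;;   # JPEG, PNG, GIF signatures
        *)              real_image=0 ;;
    esac

    # The proof of concept is a shell script with the execute bit set;
    # treat either that bit or a "#!" shebang (hex 2321) as executable.
    if [ -x "$f" ] || [ "$magic" = "2321" ]; then
        looks_exec=1
    else
        looks_exec=0
    fi

    if [ "$claims_image" -eq 1 ] && [ "$real_image" -eq 0 ] && [ "$looks_exec" -eq 1 ]; then
        echo SUSPECT
    elif [ "$real_image" -eq 1 ]; then
        echo IMAGE
    else
        echo OTHER
    fi
}

# quarantine_state FILE -> quarantined | unquarantined | unknown.
# A file Mail opened through the buggy path shows "unquarantined";
# "unknown" means xattr(1) is not installed (e.g. when run off-macOS).
quarantine_state() {
    if command -v xattr >/dev/null 2>&1; then
        if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
            echo quarantined
        else
            echo unquarantined
        fi
    else
        echo unknown
    fi
}

# scan_mail_downloads [DIR] -> one tab-separated line per file:
# verdict, quarantine state, path. Defaults to Mail's download folder.
scan_mail_downloads() {
    dir="${1:-$HOME/Library/Mail Downloads}"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(classify_attachment "$f")" \
            "$(quarantine_state "$f")" "$f"
    done
}

# Usage: sh scan_attachments.sh --scan             # ~/Library/Mail Downloads
#        sh scan_attachments.sh --scan /some/dir
if [ "${1:-}" = "--scan" ]; then
    scan_mail_downloads "${2:-}"
fi
```

A line reading "SUSPECT<tab>unquarantined<tab>..." is exactly the condition the advisory describes: an image-named executable that Mail has already opened once without the quarantine alert. Note that this check keys on the execute bit and shebang; a file whose only trick is the usro resource fork pointing at Terminal would still need the execute bit to run there, so it is caught by the same test.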

All contents are Copyright 1984-2010 by Xplain Corporation. All rights reserved. Theme designed by Icreon.