Mac OS X includes a mechanism that's supposed to warn users before they execute files downloaded from the Internet, but the reappearance of an old flaw in Mac OS X 10.5 Leopard leaves systems vulnerable to Trojan attachments received in Mail.
The issue was fixed by Security Update 2006-001 for Mac OS X 10.4 ("Download Validation fails to warn about unsafe file types"), but somehow made its way back into the latest version of Apple's operating system.
The problem was identified by Heise Security, which explains how a supposedly safe filetype such as a JPEG image can be doctored to contain a shell script or other executable plus a resource fork that tells the Mac which application should be used to open it.
Heise has prepared a proof of concept for the vulnerability. The attachment appears to be a JPEG file, but attempting to open it launches the Terminal utility instead of displaying an image in Preview or whichever application the user has designated for JPEGs. While Heise's example purports to be harmless, it would be a simple matter to deliver a shell script that deletes all of the files in the recipient's home folder. The ability to deliver and run an executable file in this manner represents a real threat to the unwary.
According to security vendor Intego, clicking an attachment in Mail for the first time bypasses the quarantine alert, but a subsequent attempt triggers the warning. More worryingly, if the same attachment arrives in later emails, it will be opened without warning.
Until Apple releases a patch, users should be especially careful about opening attachments, or use an anti-virus program capable of detecting such exploits.
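The mismatch Heise describes, a file named as a JPEG whose content is actually a script or other executable, can be checked for by comparing the extension with the file's leading bytes. The following is an added example, not code from Heise, Intego or Apple; the function names and sample attachments are constructed for illustration, and the resource-fork lookup assumes the macOS `..namedfork/rsrc` path.

```python
import os

IMAGE_EXTS = {".jpg", ".jpeg"}
JPEG_SOI = b"\xff\xd8\xff"  # every JPEG starts with this marker
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(b"#!"):
        return "script"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    return "unknown"

def resource_fork_size(path):
    """Resource fork size on macOS; 0 if absent or unsupported on this OS."""
    try:
        return os.path.getsize(os.path.join(path, "..namedfork", "rsrc"))
    except OSError:
        return 0

def check_attachment(name, data, rsrc_size=0):
    """Return findings for an attachment whose name claims it is a JPEG."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext not in IMAGE_EXTS:
        return findings
    kind = sniff(data)
    if kind != "jpeg":
        findings.append(f"extension {ext} but content is {kind}")
    # A resource fork alone is not suspicious; paired with executable
    # content it matches the doctored-attachment pattern described above.
    if kind in ("script", "macho") and rsrc_size > 0:
        findings.append("executable content with resource fork present")
    return findings

# Constructed sample attachments (not real files from the report).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "invoice.jpg": b"#!/bin/sh\necho constructed sample\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check_attachment(name, data) or "ok")
```

On a Mac, pass `resource_fork_size(path)` as `rsrc_size` when checking a saved attachment.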
David Frost