Oh, it’s the old one step forward, two steps back routine (wait, isn’t that a waltz?). German firm Heise Security is reporting this morning that a flaw in Apple’s Mail.app which was patched in Tiger is apparently wide open again in Leopard.
The vulnerability involves a maliciously crafted JPG attachment. If you open the attachment, it can be used to execute arbitrary code. Heise even has a demo available; you can sign up to get an email and see if you’re vulnerable (the demo just opens a Terminal window and displays the contents). I’ve confirmed that it works, and it gave me one of those nasty little chills.
Of course, you’re only at risk if you regularly open mysterious attachments from people you don’t know; I’d hope we all know by now that that’s kind of like opening your door to a stranger offering you candy. It’s weird that this was patched in Tiger but not in Leopard, but perhaps they branched Mail development for Leopard before the patch came out? Either way, I’d expect to see this fixed in the near future.
[via The Mac Observer]
When I received my email and clicked on it, I got a message from the system saying "Heise.jpg may contain an application, would you still like to open it?" Now by this time Terminal was launched, but hadn't done anything. Clicking cancel closed the terminal.
So I guess this is a half-ass patch. If you click on a jpg and terminal launches, click cancel.
What if you use QuickLook?