“In addition to attacks via the Safari web browser, Apple Mail also executes scripts without asking in certain circumstances,” heise online reports. “It suffices to disguise a script with the ending “jpg” and assign the Terminal application for opening it. If this script is then sent in the AppleDouble format as an attachment, the information is passed along so that the recipient’s system also opens it with the Terminal. Apple Mail displays the attachment with a JPG file symbol, but when users click on it, the script executes within Terminal without further prompting. This has been tested on Apple Mail 2 and Mac OS X 10.4. Older versions display a warning.”
“You can use heise Security’s Emailcheck to have a harmless e-mail sent to you that demonstrates the problem… A protective measure is to move the Terminal application from /Applications/Utilities into a different folder. But the best idea is not to open any files if you don’t know where they came from,” heise online reports.
Full article here.
MacDailyNews Note: Be careful out there. For now, move your Terminal application from /Applications/Utilities into a different folder until Apple appropriately addresses the issue. As usual, only accept and open files from vendors and Web sites that you know and trust.
• MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
• iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
• iMac and MacBook Pro owners: Apple USB Modem. Easily connect to the Internet using dial-up service. Only $49.
• iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
• iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
• Connect iPod to your television set with the iPod AV Cable. Just $19.
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006
Safari web browser auto executes shell scripts; disable ‘Open ‘safe’ files after downloading’ option – February 21, 2006