Warning: Like Safari, Apple’s Mail also auto executes shell scripts

“In addition to attacks via the Safari web browser, Apple Mail also executes scripts without asking in certain circumstances,” heise online reports. “It suffices to disguise a script with the ending “jpg” and assign the Terminal application for opening it. If this script is then sent in the AppleDouble format as an attachment, the information is passed along so that the recipient’s system also opens it with the Terminal. Apple Mail displays the attachment with a JPG file symbol, but when users click on it, the script executes within Terminal without further prompting. This has been tested on Apple Mail 2 and Mac OS X 10.4. Older versions display a warning.”

“You can use heise Security’s Emailcheck to have a harmless e-mail sent to you that demonstrates the problem… A protective measure is to move the Terminal application from /Applications/Utilities into a different folder. But the best idea is not to open any files if you don’t know where they came from,” heise online reports.

Full article here.

MacDailyNews Note: Be careful out there. For now, move your Terminal application from /Applications/Utilities into a different folder until Apple appropriately addresses the issue. As usual, only accept and open files from vendors and Web sites that you know and trust.

Advertisements:
MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
iMac and MacBook Pro owners: Apple USB Modem. Easily connect to the Internet using dial-up service. Only $49.
iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
Connect iPod to your television set with the iPod AV Cable. Just $19.

Related articles:
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006
Safari web browser auto executes shell scripts; disable ‘Open ‘safe’ files after downloading’ option – February 21, 2006

25 Comments

  1. I look forward to the day when these resource forks no longer exist. The cause all sorts of issues like this. it also makes it harder to exchange files with other platforms and breaks some utilities like rsync. Rsync kind of supports resource forks, but only halfway.

  2. Frigging Apple!!

    I know it’s blasphamy, but actually I’m quite pleased Apple is getting all this bad press lately.

    They are soft, they have become pompus and their staff is acting like they are gods.

    Pride comes before a fall and Apple is headed right for the cliff of death.

    Of course this could all be a proganda stunt to get us to accept Trusted Computing’s strict control over our hardware and security companies are falling right for it.

  3. The Problem has nothing whatsoever to do with the resource fork. The “shebang” mechanism is a workaround from the resource-less Unix world which seeks to emulate the resource-based creator/owner mechanism of the older MacOS.

    The Problem right here appears to be that the Finder still first looks at the “shebang” BEFORE using its own file type associations. The reverse would be proper (and the Finder should still give a warning before launching unknown scripts).

  4. Actually one can do even more, take the darn Terminal.app and change it’s extension to Terminal.zzzapp, using Get Info.

    Then place the damm thing in a folder and turn it’s permssions completely “No Access”

    Then move the folder into your System folder, you’ll need to authenticate.

    optional: Then go change your password to something incredibly long and complicated, more than 20 characters, preferable over 40. That’s right 40.

    Because “hash’s” can be run through a program like John The Ripper if your password is too weak.

    http://www.openwall.com/john/

    So if a pasword is incredibly long, it takes a incredily long time to crack the hash’s.

    Learn more sneaky stuff by visiting MacHacking.com

  5. wait… I tried send my friend an apple script as a joke.. changed the icon..and changed the extension to .jpg.. and Mail still labeled it as an application… I thought this could not be done….

  6. (with apologies to the Little River Band)

    An open source AV program called ClamXav is available for PPC G3,4 & 5 Macs. It has a standard scan mode and an active background monitor. Install the app, the engine, update the definitions, set up your scan & update prefs, tell it what files/folders you want it to scan and you are in business.
    Definitions for the stuff getting all the attention this week ARE in the current definitions file. Remember to update the definitions after you install. Remember to launch the Sentry after you do your setup and it will launch on login and actively monitor whatever folders you choose. Dropping a user’s home folder would be a good and easy choice for non-Admin users.

    The software has issues with Rosetta, so if you have a new Intel Mac, you will have to wait or look elsewhere. It is an open source app, so show the developer some love. A PayPal button is on the home page. The software is free.

    http://www.clamxav.com/

  7. Ok for those wondering what this Emailcheck says after they send you the file.

    They receive this Mail on your requirement. It contains the file Heise.jpg as appendix of file. If you open this file under Mac OS X with Apple Mail, a terminal application starts and implements the contained instructions. If no terminal opens windows or if you are asked, what them with the file to do to want, they are not directly vulnerable. To your protection you should open appendices of file in principle only if you requested these explicitly or that insures them personally well-known senders for example at the telephone reliably that the Mail comes from him and is harmless contents.

    Yippie! I’m protected!!

    Of course I boxed Ternimal.app like I mentioned in my previous post.

    (changed the .app to .zzzapp, put the app in a folder and “No access” to anything the permissions and then placed the folder in my System folder which needs admin access)

  8. Damn insiduous effect of Pop culture: i read ping’s explanation and what comes to mind upon reading “shebang”? William Hung…
    Kill me now ” width=”19″ height=”19″ alt=”downer” style=”border:0;” />

  9. I’d be more worried if any of this could even remotely happen without my ever touching the keyboard or clicking the mouse – which is more like what happens to M$ users when the latest e-mail worm wends its happy way through millions of Outlook address books simply by arriving in their inbox.

    Since these purported security breaches of OS X cannot do anything of the sort and from everything I’ve read and seen about such “exploits” – that some sort of user permission is required for ANYTHING of a detrimental nature to happen on my machine – I’ll take all the “run for the hills” warnings with a grain of salt. Not that I won’t pay attention to the threat and what’s going on, mind you, it’s just that I’m remaining skeptical that it’s a viable, spreadable threat.

    I just think it’s funny – okay, more sad than funny, really – that the major news outlets have glommed on to these puny reports and blown the whole thing so far out of proportion when compared to the astronomically large amount of actual physical and monetary damage that has been done by M$ and their Titanic of an OS and embedded browser and email client due to their lack of security when it comes to protection against worms and virii and trojans and malware and spyware and etc., ect…

  10. I’ve used MS OSes for going on 20 years now. In all that time I’ve seen maybe 4 or 5 viri/worms/trojans on my systems. Not bad for such a buggy insecure system. Why?

    “As usual, only accept and open files from vendors and Web sites that you know and trust.”

    The sage advice from MacDailyNews has been used by me and many others to avoid the worst of infection problems. Treat the internet like a dark alley, a good defense is the best offense. Wouldn’t think people would need this kind of advice in this day and age.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.