
RedTomato

According to The Register, a large vulnerability has been found in Leopard's mail.app allowing attackers to run malicious code on a victim's machine by disguising an executable program as an image or other type of innocuous file.

It uses a security hole that was fixed in OSX 10.4 Tiger in March 2006, but seems to have been re-opened in OSX 10.5 Leopard.

There is a demo of how the bug works at Heise Security.

It works by the attacker sending you an email with an attachment that claims to be a safe file eg a .jpg, but is actually an executable program. A user can become infected simply by clicking on an attachment that looks like a jpeg image.

A patched version of Tiger will flag up this kind of file as possibly unsafe. Leopard does not, and will run it automatically.

Register article
 
Interesting, I just tested mine on 10.5.1 and

heise Security: You are vulnerable.

Wonder how they managed to reopen it without knowing. This is a poor indictment of their security controls.
 
I was about to click on it when I thought to myself:

"Hmmmmmm: Here I am carelessly about to open an attachment from an unverified (to me) source… :eek::eek:"

I thought that, but then I also thought this is a second machine with a full backup, so I just pressed it.

Nothing much happens; not really worth doing it.
 
The point of opening the attachment is just to prove that the vulnerability exists. I'm not on a mac at present, but I'd imagine it just displays a notice saying "you are vulnerable" or similar.

Has anyone tried it on 10.4.11 to see if the problem has been reintroduced there?

Also, I think this should really be on the front page of mac rumours, as it's a potentially nasty problem.
 
Oh, one other thing - this issue doesn't mean that your system can be totally compromised by one of these attachments. I think that anything that wanted to change the system in any way or install something permanent wouldn't have rights to do it - i.e. it would still ask for your password. And you'd have to be pretty stupid to give your password over to a picture!

If somebody finds a local privilege escalation bug (which does happen fairly often), then the two combined would be a BIG risk, as the code would run without any warning and then gain access to the system without your password. Hurry up with a fix, Apple!
 
I ran the demo on a system running 10.3.9

Email arrives from heise with dodgy .jpg attachment.

Click on .jpg attachment.

OSX flags up a warning:

"The attachment “Heise.jpg” is an application. Since applications can contain viruses or be harmful to your computer, be sure this attachment is from a trustworthy sender before saving or opening it."

I gather this is the correct behavior, warning me that what appears to be a .jpg is in fact an application.

(I ignored the warning and opened the file. It just opened a Terminal window and activated a file listing, and then at the end, displayed a warning that the system was vulnerable)

I don't have a Leopard system to test this on, but my understanding is that in Leopard, Mail.app opens the .jpg automatically and runs it with no warning.

Can xUKHCx confirm that he received no warning?

EDIT: why isn't this thread appearing in the Mac Software threads box on the front page?
 
I gather this is the correct behavior, warning me that what appears to be a .jpg is in fact an application.
...
I don't have a Leopard system to test this on, but my understanding is that in Leopard, Mail.app opens the .jpg automatically and runs it with no warning.

You're getting the correct warning there yes. It should do the same on leopard, and apparently it DOES warn you, but only 10% of the time (the rest of the time it just runs). People have confirmed that on the comments to the original story at the register.
 
Oh, one other thing - this issue doesn't mean that your system can be totally compromised by one of these attachments. I think that anything that wanted to change the system in any way or install something permanent wouldn't have rights to do it - i.e. it would still ask for your password. And you'd have to be pretty stupid to give your password over to a picture!

Most apple users that I know would indeed type in their password if a .jpg asked for it.

I'm not calling them stupid - some are more intelligent than me. It's just that computers are not one of the core focuses of their life like it is for you and me.
 
I think that anything that wanted to change the system in any way or install something permanent wouldn't have rights to do it - i.e. it would still ask for your password.
The script which executes could just edit ~/Library/Preferences/loginwindow.plist to change login items, no? Which means it could install a binary that runs whenever you're logged in, that turns your machine into a zombie for sending spam / launching DDoS / searching for personal data / whatever, and spreads by trawling your address book and sending e-mail. By initiating an outgoing connection to some control server, any incoming firewall rules are bypassed (Little Snitch may be your friend here). A real trojan would also automatically extract and pop up a JPEG so, to the user, it looked like you were simply opening a JPEG.

Just because something hasn't obtained root, it doesn't mean it's harmless. Mac users are lucky in that their platform hasn't reached the critical mass needed for such things to be profitable. It seems both MS and Apple have got on the "ignore MIME type + extension combination and find some other clever way to decide what program to run" bandwagon, and it's got them both in trouble. If a .jpg doesn't have MIME type image/jpeg or there is any indication to override default JPEG viewing behaviour, something's awry and Mail should respond to opening of the attachment by displaying a facepalm.
 
Hmm.. I'd have to say giving your password over to open a picture counts as stupid. Not to say that I wouldn't do something equally stupid if I was working on something I'm not so familiar with mind, so I certainly accept your point :)

Sometimes though, making that stupid mistake is the best way to learn. Admittedly, having to change all your bank accounts or something would be a bit harsh, but it sure would make you learn a bit about security!
 
The script which executes could just edit ~/Library/Preferences/loginwindow.plist to change login items, no? Which means it could install a binary that runs whenever you're logged in, that turns your machine into a zombie for sending spam / launching DDoS / searching for personal data / whatever, and spreads by trawling your address book and sending e-mail. By initiating an outgoing connection to some control server, any incoming firewall rules are bypassed (Little Snitch may be your friend here). A real trojan would also automatically extract and pop up a JPEG so, to the user, it looked like you were simply opening a JPEG.

I'd have thought that it would require permission before setting something to run at login. If not, that's another security flaw really. Even if not though, it could certainly sit there firing out spam or whatever, and it would presumably have access to your files. Or would the mail.app sandboxing prevent that too?

Can somebody modify the script a little and get it to make a few changes to see what can be done?

Re. the file extension thing - I actually think file extensions are a bad idea. Back in the olden days on the Amiga, the OS would scan files to determine the file type. You didn't need extensions at all. The file icon shows you what the file is, with no potentially misleading labels (at least not easily).
 
Or would the mail.app sandboxing prevent that too? Can somebody modify the script a little and get it to make a few changes to see what can be done?
I've just modified the script to successfully write to ~/Library/Preferences/loginwindow.plist, and to /Applications (in the admin group), so there seems to be no sandboxing that prevents filesystem writes. Even though the original demo executed ls, I was feeling hopeful for a moment :(.

Back in the olden days on the Amiga, the OS would scan files to determine the file type.
While it might be good as an extra check, detecting filetypes in this way is heuristic and resource-intensive; also consider that with IMAP, you might not even have downloaded the attachment when you're reading the text part. There's an argument for having filetype as part of metadata rather than extension, e.g. MIME types, but this goes against the (annoying, but highly interoperable) Unix "everything is a stream of bytes" philosophy.
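The two posts above argue that a mail client should refuse to treat an attachment as an image when its extension, declared MIME type and actual content disagree, and that only the header-level check is possible before an IMAP client has fetched the body. This added example (not from the thread, heise or Apple) implements that check in Python over constructed sample messages; the magic-byte tables, function names and the `body_fetched` flag are my own choices.

```python
import email
import mimetypes
from email import policy
from email.message import EmailMessage

# Leading bytes of the image formats a mail client renders inline.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Leading bytes that must never be launched from a ".jpg": a shebang script,
# and 32-bit, 64-bit and fat Mach-O executables.
EXEC_MAGIC = (b"#!", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

def inspect_attachment(part, body_fetched=True):
    """Return the reasons an attachment that names itself an image should not be
    opened as one. Empty list: extension, declared type and content agree.
    body_fetched=False models an IMAP client that so far has only the headers."""
    reasons = []
    name = part.get_filename() or ""
    declared = part.get_content_type()
    expected, _ = mimetypes.guess_type(name)
    if expected is None or not expected.startswith("image/"):
        return reasons  # does not claim to be an image; out of scope here
    if declared != expected:
        reasons.append(f"declared {declared} but extension of {name!r} means {expected}")
    if not body_fetched:
        return reasons  # only the header-level check is possible before download
    payload = part.get_payload(decode=True) or b""
    sigs = IMAGE_MAGIC.get(expected)
    if sigs and not payload.startswith(sigs):
        reasons.append("content lacks the expected image signature")
    if payload.startswith(EXEC_MAGIC):
        reasons.append("content starts like a script or Mach-O executable")
    return reasons

def build_message(filename, maintype, subtype, payload):
    """Constructed sample message with one attachment (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test"
    msg.set_content("See attached picture.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg

def scan(raw, body_fetched=True):
    """Parse raw RFC 822 bytes and map each attachment name to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): inspect_attachment(p, body_fetched) for p in msg.iter_attachments()}

GOOD = build_message("photo.jpg", "image", "jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16).as_bytes()
FAKE = build_message("Heise.jpg", "application", "octet-stream", b"#!/bin/sh\nls\n").as_bytes()
```

`scan(GOOD)` reports nothing for `photo.jpg`; `scan(FAKE)` reports three findings for `Heise.jpg`, and with `body_fetched=False` only the type/extension mismatch.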
 
The point of opening the attachment is just to prove that the vulnerability exists. I'm not on a mac at present, but I'd imagine it just displays a notice saying "you are vulnerable" or similar.

See the second post.

Can xUKHCx confirm that he received no warning?


Oddly enough, the first time I opened the attachment I didn't get any warning but I just went and did it again and this time I received the following box.


Now I can't remember whether the first time I opened it was on my iMac or the MacBook. When I get home later on (in about 10 hours) I will try it on my iMac and see what happens. But I am adamant that the first time I opened it I received no such warning.
 
Oddly enough, the first time I opened the attachment I didn't get any warning but I just went and did it again and this time I received the following box.

The original report said that the warning DOES appear, but not every time. When they repeated the test, they were warned perhaps 10% of the time, which suggests that the fix is "there" but some kind of bug is stopping it working randomly. No idea if it needs a log off or a reboot or whatever to stop/start working.
 
Try running it again after a log out and a log in again, because you might get a warning the second time like I did.

Well, I did get the message with the jpg attachment. I double-clicked on it to open it, and the first time the script ran in Terminal. Right after that, I opened it again, and the pop-up warning showed up saying:

“Heise.jpg” may be an application. It was attached to a mail message and will be opened by Terminal. Are you sure you want to open it?

Scary. I do have ClamXav watching over the Mail Downloads folder; I was hoping it would intercept... :( :eek:
 
If you double click on it, it asks for confirmation.
If you just click on the file without opening, it opens itself without confirmation :(
 
Rant

How many times does it need to be said?! Hidden file extensions are a terrible idea!

Pros:
- You don't have to think about what type of file it is.
- Lack of extension believed more aesthetic by some.

Cons:
- You won't think about what type of file it is. In other words, it encourages user ignorance and irresponsible file management practices.
- When you attach the file in an email it will often become useless as the recipient will not know what type of file it is. I have this experience frequently with people at work (I won't name names) and I have to send a second email asking "was that an AIF, a WAV, an MP3, an M4A? Or maybe an MPEG, an AVI, or a MOV?"
- Convenient delivery method for malicious software of all sorts.
- Means having to use "Get Info" instead of simply glancing at the file.
- The search criteria "By Extension" is rendered utterly useless.

Hey, we have a great thing called an extension that enables us to tell one type of file from another! Let's hide it...make life a bit more challenging! And then people can get creative and create fake extensions to trick other people! Wouldn't that be fan-*****-tastic! I'm going to send out a bunch of letters now and omit the addresses...I hope they make it to their destinations! After that I'm going to rename the folders on my hard drive from their intuitive names like "Documents" to "Xr1f5TizoOeMWxZi12" - BECAUSE I LOVE HAVING TO GUESS!!!

:eek::eek::eek::eek::eek::mad::eek:
 