Apple’s Patched Mail Flaw Resurfaces in Leopard OS
An already patched vulnerability in Apple Mail has resurfaced to trouble users of the e-mail program on Apple's latest operating system, Mac OS X 10.5, also called 'Leopard'.
The flaw relates to the manner in which Mail deals with image attachments. Anyone exploiting the vulnerability could create a JPEG attachment which, if clicked, installs malicious code onto the victim's affected system, while the default warning message does not appear.
The security flaw therefore lets an attacker very effectively spread malware to users in the guise of an e-mail attachment that appears to be an image. But according to Heise Security, while this vulnerability is specific to the latest version of Apple's OS, it is far from new.
Apple had patched this very flaw for Leopard's preceding version, Mac OS 10.4 Tiger, in 2006. In the case of Tiger, when a computer user clicks on the attachment, a warning message pops up instead of an image, stating that the file is an executable.
It seems Apple either missed incorporating this alert update into Leopard or failed to do it accurately, Heise Security commented.
During Heise's e-mail tests, the alert window was displayed in almost all cases when the e-mail attachment was clicked. But there was one instance where, although the window was displayed initially, it did not come up on further clicks on the attachment. The e-mails Heise used for the tests were the same; only the subject line and certain administrative details in the header were changed.
Researcher Kevin Long at Verizon Business, who works on Apple software security issues, said people might wonder why, once Apple had fixed the flaw in Tiger, they would do it again for Leopard. Unfortunately, this is in fact what happened, Long remarked, as published by The Register in the fourth week of November 2007.
In its original form, the bug remained in Mac OS for several years until Apple eventually fixed it.
In the third week of November 2007, Apple issued security patches for Panther, Tiger and Leopard - the recent successive versions of Mac OS.
» SPAMfighter News - 07-12-2007