I saw this thread when you posted, but didn't get a chance to test it until now.
It looks like Apple has indeed revived this hole. Idiots.
Thanks for pointing it out.
Edit: Ok, it might not be as bad a threat to most people since it only seems to run without warning if "Terminal.app" is already running - which wouldn't be the case for most people. But I still consider it to be serious.
Yeah, I don't get it. They have already done the hard part - the system seems to correctly identify an attachment as a programme or script. It can even tell the difference between e.g. a jpeg with executable privileges and a 'usro' from a shell script with a 'usro'. All they have to do is set giving a "possible program" an executable icon as the overriding rule to decide what icon a file displays.
In "Finder", a disguised script displays any custom icon assigned to the file. In Mail, any icon displays an icon based on its file extension. What an inconsistent mess.
But I consider that a separate issue. In this case, I consider the bug to be strictly a "Mail.app" bug - the warning that is otherwise displayed is missed if "Terminal.app" is already running.
Yep, this is a Mail.app-only bug for sure, it's trusting the mime-type set by the email sender and executing it accordingly. This is a no brainer that they should have fixed in Leopard a long time ago and very reminiscent of Microsoft (there were a lot of problems with Outlook with this exact same assumption). But on the bright side, at least Mail.app doesn't automatically execute them without user intervention (like Outlook used to do!)
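The point the last two posts make, that a mail client must not trust the sender-supplied MIME type to decide whether an attachment is safe to open, can be checked on the receiving side. The script below is an added example written for this thread, not code from Apple or from any poster: it parses an RFC 822 message with Python's standard `email` package, classifies each attachment by its leading bytes rather than by its declared `Content-Type`, and flags attachments whose content looks like a script or Mach-O binary while the header claims something else. The magic-byte table and the sample message are constructed for the example and are deliberately small; a real gateway filter would use a fuller signature set (e.g. libmagic).

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed, deliberately small table of content signatures (magic bytes -> MIME type).
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
}

# Content classes that a mail client should never run or hand to an interpreter
# on the strength of the sender's declared type alone.
EXECUTABLE_CLASSES = {"text/x-script", "application/x-mach-binary"}


def sniff_type(data: bytes) -> str:
    """Classify attachment bytes by content, ignoring all sender-supplied metadata."""
    for signature, mime in MAGIC.items():
        if data.startswith(signature):
            return mime
    if data.startswith(b"#!"):
        # Shebang line: a shell or interpreter script regardless of extension or MIME type.
        return "text/x-script"
    if data.startswith(b"\xcf\xfa\xed\xfe") or data.startswith(b"\xca\xfe\xba\xbe"):
        # Mach-O 64-bit or universal (fat) binary header, i.e. a native macOS executable.
        return "application/x-mach-binary"
    return "application/octet-stream"


def audit_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment: declared vs. sniffed type and a suspicious flag."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        declared = part.get_content_type()          # what the sender claimed
        payload = part.get_payload(decode=True) or b""
        sniffed = sniff_type(payload)               # what the bytes actually are
        findings.append({
            "filename": part.get_filename(),
            "declared": declared,
            "sniffed": sniffed,
            # Executable content hiding behind a non-executable declared type.
            "suspicious": sniffed in EXECUTABLE_CLASSES and declared != sniffed,
        })
    return findings


def build_sample() -> bytes:
    """Constructed two-attachment message: a genuine JPEG and a script mislabelled as JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    # Minimal JPEG/JFIF header followed by padding (constructed, not a real image).
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 8,
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    # Harmless placeholder script whose declared type and extension say "image".
    msg.add_attachment(b"#!/bin/sh\n# placeholder, does nothing\n",
                       maintype="image", subtype="jpeg", filename="photo2.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in audit_attachments(build_sample()):
        print(finding)
```

Run as-is, the audit reports the first attachment as consistent and the second as suspicious: the sender declared `image/jpeg` but the bytes begin with a shebang. The decision is made on the decoded payload, so a base64-encoded script is caught just the same as a plain one.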