Intego Security Memo: Mac OS X Leopard Quarantine Bug Allows Users to Launch Malicious Attachments in Mail
November 2007 by Intego Security Alert
Discovered: November 20, 2007
Description: Mac OS X 10.5, Leopard, provides a “quarantine” system that alerts users
when they attempt to open applications that arrived via Mail, Safari or iChat, or that came in disk images via these programs. It also alerts users the first time they launch any other application they have installed or manually added to their Applications folder.
This system should inform users of all cases when such executable files are being opened, but a bug in the quarantine system, discovered by Heise Security on November 20, 2007, can allow users to launch attachments, which may be malicious, from Mail.
The principle behind this system is Leopard’s LaunchServices database, which records all applications or executable files that are added to a user’s Mac. However, when some executable attachments arrive by e-mail, this protection does not operate correctly. The current proof-of-concept example is a shell script in a file with a .jpg extension. The file also contains such information as a resource fork, telling which application should open it (in this case, Terminal). The file also has appropriate executable permissions. Within Mail, this file shows as an attachment with a JPEG icon showing that Preview will open it. But attempting to view the file with Quick Look shows that it is not an image file:
A user receiving this file might be tempted to click it to see what it contains. While this proof of concept merely displays some text in a Terminal window, it would be simple to create a similar file with a single command that, when executed in Terminal, would delete all of the user’s files.
When a user clicks on an attachment to an e-mail message in Mail, the program stores a
copy of the attachment in the user’s Library/Mail Downloads folder. This folder allows
the Finder to then open the attachment. When malicious attachments arrive in Mail
containing a script and a resource fork (its usro resource tells the Finder to open the file
with a specific application), a user can open these attachments once without Mac OS X
displaying the quarantine alert. When a user opens the attachment at a later time, this
alert displays, saying that the attachment may be an application, and informing the user
that it will be opened by Terminal.
The bug causing this has to do with the way Leopard manages quarantines. The first
time a user opens an attachment, Mail opens the file directly without passing through
the quarantine system. Subsequent openings of the same attachment cause Mail to no
longer open the attachment directly, but rather open the file it has saved in the Mail
If a user receives a second message with the same attachment, the situation is worse:
they will receive no alert at all. Since the attachment has been saved to the Mail
Downloads folder, but from a different message, Mail does not attempt to open the
original attachment, but makes a copy of it (named: