Mac OS X Leopard Quarantine Bug Allows Users to Launch Malicious
Attachments in Mail

Exploit: OSX.Exploit.MetaData.B
Discovered: November 20, 2007
Risk: Low

http://www.intego.com/news/ism0706.asp

Description:

Mac OS X 10.5, Leopard, provides a “quarantine” system that alerts users
when they attempt to open applications that arrived via Mail, Safari or
iChat, or that came in disk images via these programs. It also alerts users
the first time they launch any other application they have installed or
manually added to their Applications folder. This system should inform
users of all cases when such executable files are being opened, but a bug
in the quarantine system, discovered by Heise Security on November 20,
2007, can allow users to launch attachments, which may be malicious, from
Mail.

The principle behind this system is Leopard’s LaunchServices database,
which records all applications or executable files that are added to a
user’s Mac. However, when some executable attachments arrive by e-mail,
this protection does not operate correctly. The current proof-of-concept
example is a shell script in a file with a .jpg extension. The file also
contains such information as a resource fork, telling which application
should open it (in this case, Terminal). The file also has appropriate
executable permissions.

Within Mail, this file shows as an attachment with a JPEG icon showing that
Preview will open it. But attempting to view the file with Quick Look shows
that it is not an image file.

A user receiving this file might be tempted to click it to see what it
contains. While this proof of concept merely displays some text in a
Terminal window, it would be simple to create a similar file with a single
command that, when executed in Terminal, would delete all of the user’s
files.

When a user clicks on an attachment to an e-mail message in Mail, the
program stores a copy of the attachment in the user’s Library/Mail
Downloads folder. This folder allows the Finder to then open the
attachment. When malicious attachments arrive in Mail containing a script
and a resource fork (its usro resource tells the Finder to open the file
with a specific application), a user can open these attachments once
without Mac OS X displaying the quarantine alert. When a user opens the
attachment at a later time, this alert displays, saying that the attachment
may be an application, and informing the user that it will be opened by
Terminal.

The bug causing this has to do with the way Leopard manages quarantines.
The first time a user opens an attachment, Mail opens the file directly
without passing through the quarantine system. Subsequent openings of the
same attachment cause Mail to no longer open the attachment directly, but
rather open the file it has saved in the Mail Downloads folder.

If a user receives a second message with the same attachment, the situation
is worse: they will receive no alert at all. Since the attachment has been
saved to the Mail Downloads folder, but from a different message, Mail does
not attempt to open the original attachment, but makes a copy of it (named:
(attachment name)-1, (attachment name)-2, etc.), and opens this attachment
with no warning.

Until this bug is corrected in Mac OS X 10.5, Mac users are at risk of
receiving maliciously crafted files, pretending to be image files, which
could delete all of a user’s files, or may contain Trojan horses. It is
important that users do not open attachments from unknown senders,
especially those that come with spam messages.

Intego VirusBarrier X4 with its virus definitions dated November 21, 2007
protects against this problem. Since this bug allows maliciously crafted
files to execute with a single click from Mail, users are advised to check
for new virus definitions regularly, with NetUpdate, to make sure that they
are protected against any new exploits that may arrive.