Also works in Mail.app
(Score:5, Informative)
by daveschroeder (516195)
on 10:27 AM February 21st, 2006 (#14767730)
(http://das.doit.wisc.edu/)
You can send this same shell script masquerading as a JPG file and shown as such by Mail.app, and it gets executed as soon as it is clicked/viewed in Mail.app (obviously not affected by Safari's "safe files" setting).
You can test this by downloading this harmless example:
http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip
...and sending the resulting JPG to yourself in Mail.app.
This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.
I'd expect a security update that addresses this *very* soon. This is a bad one.
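The weakness described in the post is that a file's icon and extension say nothing about what it actually is. A defender-side check that does not rely on either is to compare the extension's claim with the file's leading bytes. The following is an added example written for this page, not code from the Slashdot poster or from heise; the sample inputs are constructed inline, and the magic-number table covers only a handful of common formats.

```python
"""Flag files whose claimed image extension disagrees with their content,
the pattern behind the shell-script-as-JPG demo discussed above.
Added example; sample files are constructed in this script, not real."""
import os

# Leading-byte signatures for a few common image formats (assumed subset).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Mach-O and universal ("fat") binary magic numbers, both byte orders.
MACHO_MAGIC = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
               b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
               b"\xca\xfe\xba\xbe")


def sniff(data: bytes) -> str:
    """Return a coarse content class from the leading bytes of a file."""
    for sigs in IMAGE_MAGIC.values():
        if any(data.startswith(s) for s in sigs):
            return "image"
    if data.startswith(b"#!"):
        return "script"        # shebang: a Terminal document, as Get Info would say
    if any(data.startswith(m) for m in MACHO_MAGIC):
        return "mach-o"        # native executable
    return "unknown"


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when the extension claims an image but the bytes say otherwise.

    Files with non-image extensions are out of scope and return False.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False
    return sniff(data) != "image"


def scan(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Return (filename, detected class) for every masquerading entry."""
    return [(name, sniff(data)) for name, data in files.items()
            if is_masquerading(name, data)]


if __name__ == "__main__":
    # Constructed samples: one real-looking JPEG header, one script with a .jpg name.
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "Heise.jpg": b"#!/bin/sh\necho 'this is a script, not an image'\n",
        "readme.txt": b"plain text is not checked\n",
    }
    for name, kind in scan(samples):
        print(f"{name}: extension says image, content looks like {kind}")
```

The check only needs the first few bytes, so it can run on every attachment before it is handed to an opener, and the same `sniff` result is what a mail gateway or endpoint agent would log for later review.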
The Slapdash post is more troubling than the original report.