Researchers at heise-security have found a flaw in the new Mac OS Leopard’s mail client. It has to do with the way apple mail handles image attachments.

Files on a Mac can contain additional information like what program should be used for opening a file. The OS store these in the file system in “resource fork”, which is linked to the file. This type of informatin is most cases limited to the local system but for emails the MIME format apple allows resource forks to be attached which are then automatically read by Apple Mail.

Attacker can easily create an attachment with .jpg extension with a JPEG icon. But when a user opens the picture, mail will automatically execute the command depending on the resource fork. This can harm the user’s computer without the user even being aware of it.For more info visit heise-security.