Sylvain lets us know of his thoughts and tests about the leak found in Safari.
I downloaded and tested the demonstration virus linked in a former news item.Note that there's also been evidence the same problem occurred
It actually works: Terminal opens and displays the inside of my Home folder. Then I tried to create one based on the same model with the Terminal (I want it to create a "Dummy" folder in my Home directory). However when I double-click on the file ("virus.jpg", 36 Bytes) the system tries to open it with Preview, unsuccessfully of course.
Trying to find out why, I remember the Type/Creator parameters inherited from OS9. Could it be the key? I checked with ResEdit, but no answer came from that direction.
Then I noticed that the downloaded file (Heise.jpg) contains a resource fork (also inherited from Mac OS 9) of more than 1KB (and 76 Byte for the data fork). Resorting to ResEdit, I opened the resource fork and there - hey surprise! - was a resource called "usro" containing some code (1,028 characters) showing the way to Terminal.app, which is the reason why when you move Terminal, the attempt will be unsucessful.
Indeed this is not one but two security leaks in Mac OS X and Safari. Actually, Safari should only unzip the file but certainly not open it (this functionality apparead with Dashboard for the download of widgets). On the system's side, OSX's mistake is to read and run the resource fork prior to opening the file.
I'm starting to believe Apple are right in their decision to get rid of Mac OS 9 (Classic).
with Mail.app.
