Yesterday, Heise Security revealed that apparently Apple forgot to patch the security problem in Apple Mail that made it possible to inject disguised malignant code.

The flaw was discovered and patched in March 2006. By exploiting this flaw hackers could trick a user into launching an executable by double-clicking a mail attachment that looks like a JPEG image file.

Mac OS X 10.5, Leopard, provides a "quarantine" system that alerts users when they attempt to open applications that arrived via Mail, Safari or iChat, or that came in disk images via these programs. It also alerts users the first time they launch any other application they have installed or manually added to their Applications folder. This system should inform users of all cases when such executable files are being opened.

“On a current installation of the Tiger OS, Apple Mail issues a warning that the supposed image file is a program and is to be opened with Terminal. Apple apparently either did not incorporate this update into Leopard, or did not do it correctly.” Heise Security wrote in an advisory posted on its website.

They also offered a demo on how the vulnerability can be exploited.