Safari vulnerability – Mail too

Heise Online has a further report on the Mac OS X/Safari vulnerability, claiming that it also affects Mail.

One user on the MacRumors forums notes that this makes it easy to write a worm that spreads via email. This would exploit the security hole (AKA “user friendly feature”) that Apple introduced to Address Book a while ago, where an application can quickly and easily read all your contacts’ details without any user notification – something that I’ve been complaining is a potential security hole for some time.

  • Fraser Speirs (http://speirs.org)

    Completely agree on the potential for an Address Book worm. I think OS X should treat the AB database like the keychain – asking for user approval before apps can access it.

  • James Bailey

    The threat is much less for Mail.app than for Safari. The problem with Safari is that the worm can be downloaded without user interaction. A drive-by download. This is the worst kind of browser exploit.

    With Mail.app the user has to double-click on the download to run it. Still not good but users shouldn’t be double-clicking on anything that comes through email. Though I admit that the lack of this kind of problem in the past might make users too confident.