The Mail application supplied with Apple's Mac OS X operating system identifies the system from which any electronic mail is sent.
Mac OS X includes the Mail application for handling electronic mail. This application includes the Media Access Control (MAC) address of a network interface in the Message-ID header, which discloses which system sent the mail.
This flaw makes it possible to identify the system that has sent a given piece of electronic mail with the Mail application. An intruder may use this information, which is usually transmitted in cleartext and received on a remote system, to deduce a valid MAC address to use on a foreign network in order to gain access. This value may also be used to deduce the sender of anonymized or privatized mail.
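The following self-audit is an added example, not part of the original advisory or of Apple's software: it checks whether the Message-ID header of a sent message contains one of the sending machine's own MAC addresses. The advisory does not say how the address is encoded, so the searched encodings, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string


def mac_variants(mac):
    """Return lowercase text encodings of a 48-bit MAC address to search for."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    quads = [digits[i:i + 4] for i in range(0, 12, 4)]
    # Assumed encodings: bare hex, colon- or dash-separated octets, dotted quads.
    return {digits, ":".join(octets), "-".join(octets), ".".join(quads)}


def leaked_macs(raw_message, local_macs):
    """Return the local MAC addresses that appear in any Message-ID header."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Message-ID", []):
        haystack = value.lower()
        for mac in local_macs:
            if mac not in hits and any(v in haystack for v in mac_variants(mac)):
                hits.append(mac)
    return hits


# Constructed sample messages; the address is a locally administered placeholder.
LOCAL_MACS = ["02:00:5E:10:00:01"]
LEAKY = (
    "From: sender@example.org\n"
    "Message-ID: <7f3a.02005E100001.42@mail.example.org>\n"
    "Subject: test\n\nbody\n"
)
CLEAN = (
    "From: sender@example.org\n"
    "Message-ID: <c4f1d2a0b9e84f6e@mail.example.org>\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        found = leaked_macs(raw, LOCAL_MACS)
        print(name, "discloses" if found else "does not disclose", found)
```

Run it over copies of mail in the Sent mailbox, with `LOCAL_MACS` set to the addresses of the machine's own interfaces, before and after applying the update.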
Apply a patch
Apple advises all users to apply Apple Security Update 2005-001, as it fixes this flaw and other critical security flaws. More information can be found at:
Thanks to Apple Product Security for reporting this vulnerability. Apple, in turn, gives thanks to Carl Purvis for originally reporting this vulnerability.
This document was written by Ken MacInnis.
Date First Published: 2005-01-31
Date Last Updated: 2005-01-31 19:48 UTC