Security Patch 2005-001

Apple on a change in computing the Message-ID of mail messages, as per the Security Update 2005-001 released by Apple on January 25th:

Component: Mail
Available for: Mac OS X v10.3.7 Client, Mac OS X Server v10.3.7
CVE-ID: CAN-2005-0127
Impact: Email messages sent from a single machine can be identified
Description: A GUUID containing an identifier associated with the Ethernet networking hardware was used in the construction of an RFC-822 required Message-ID header. Mail now hides this information by computing the Message-ID using a cryptographic hash of the GUUID concatenated with data from /dev/random. Credit to Carl Purvis for reporting this issue.

I remember having seen the GUUID Message-ID before and it definitely puzzled me. The interesting thing is: the same basically applies to iCal as well! If you look at any iCal-generated event, you will find the same kind of GUUID as in Mail:

BEGIN:VEVENT
DTSTART;VALUE=DATE:19481024
DTEND;VALUE=DATE:19481025
SUMMARY:Emmet Browns birthday
UID:DFCF06F0-3094-11D8-B376-000A955E4630
RRULE:FREQ=YEARLY;INTERVAL=1
END:VEVENT

I hope they’ll fix this too: the very same UID is used when one publishes a calendar from within iCal or sends a meeting invitation.
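As an added example (not code from the original post or from Apple), this Python sketch scans text such as the VEVENT above for version-1 UUIDs whose node field is a hardware address, and derives an opaque identifier the way the advisory describes. SHA-256, the 16 random bytes and all function names are assumptions; the advisory names neither the hash nor the amount of random data.

```python
import hashlib
import os
import re
import uuid

UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

# The VEVENT quoted in the post, one property per line.
SAMPLE_VEVENT = """BEGIN:VEVENT
DTSTART;VALUE=DATE:19481024
DTEND;VALUE=DATE:19481025
SUMMARY:Emmet Browns birthday
UID:DFCF06F0-3094-11D8-B376-000A955E4630
RRULE:FREQ=YEARLY;INTERVAL=1
END:VEVENT"""


def leaked_hardware_addresses(text):
    """Return (uuid, mac) for each version-1 UUID that embeds a hardware address."""
    findings = []
    for match in UUID_RE.finditer(text):
        u = uuid.UUID(match.group(0))
        # Only time-based (version 1) UUIDs carry a node field derived from a MAC.
        if u.variant != uuid.RFC_4122 or u.version != 1:
            continue
        node = u.node.to_bytes(6, "big")
        # A set multicast bit marks a randomly generated node, not a real NIC.
        if node[0] & 0x01:
            continue
        findings.append((str(u), ":".join(f"{b:02x}" for b in node)))
    return findings


def opaque_identifier(guid, random_bytes=None):
    """Hash the UUID concatenated with random data, as the advisory describes.

    SHA-256 and 16 bytes of randomness are assumptions made for this example.
    """
    if random_bytes is None:
        random_bytes = os.urandom(16)
    return hashlib.sha256(uuid.UUID(guid).bytes + random_bytes).hexdigest()


if __name__ == "__main__":
    for found, mac in leaked_hardware_addresses(SAMPLE_VEVENT):
        print(found, "embeds", mac, "->", opaque_identifier(found))
```

Run over an exported calendar or a mailbox, the first function lists every identifier that ties an item to one network interface; the second yields a different value on each call, so two items from the same machine no longer share a recognisable suffix.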
