The flaw, which also affects the Safari browser and the iChat instant messenger program, was present in the Tiger OS and was patched by Apple in March of last year. Before the patch, users could infect their machines simply by clicking on mail attachments posing as harmless .jpeg images. In fact, the supposed images were disguised executable programs.

Apple’s fix made the Tiger OS inspect attached files and warn the user if it detected any trace of foul play in the file the user clicked.

Unfortunately, Heise Security has some bad news for Leopard users. Apparently, the feature failed to catch the release train, or if it did catch it, it is not working as it should:

“In tests performed by heise Security, the Terminal window opened directly in most cases when the attachment to the Emailcheck test email was opened. In only one email this occurred the first time the attachment was opened, but subsequent double-clicks suddenly caused the expected confirmation dialogue to be displayed. The test emails are identical except for the subject line and some administrative information in the header.”

Over 2 million copies of Leopard have already been sold.