Apple releases Security Update 2006-001 for Mac OS X; includes fixes for Safari, Mail, iChat issues

Apple today released Security Update 2006-001 which is recommended for all users (Mac OS X 10.3.9, Mac OS X 10.4.5) and improves the security of the following components:

• apache_mod_php
• automount
• Bom
• Directory Services
• iChat: A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
• IPSec
• LaunchServices
• LibSystem
• loginwindow
• Mail: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not “safe”. Certain techniques can be used to disguise the file’s type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.
• rsync
• Safari: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the “Open ‘safe’ files after downloading” option is enabled in Safari’s General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9). (More fixes in linked article below.)
• Safari, LaunchServices: Impact: Viewing a malicious web site may result in arbitrary code execution. Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the “Open ‘safe’ files after downloading” option is enabled in Safari’s General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
• Syndication

The Update is available via Software Update. Detailed information on this Update here.

MacDailyNews Note: For those who’ve moved their Terminal app out of /Applications/Utilities, you can put it back now after updating. (grin)

For the Safari exploit, the safe online demonstration provided by Heise Security that you can use to determine whether your system is affected is included in the article here. (Updated systems will display a dialog stating: “‘Heise.jpg’ may contain an application. The safety of this file cannot be determined. Are you sure you want to download ‘Heise.jpg’?” Users should simply cancel the download).
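
An added example, not Apple's Download Validation code and not part of the original article: a minimal Python check in the spirit of the Safari and Mail fixes described above, which classifies a download from its actual bytes instead of trusting its name. The function name, the extension allowlist and the sample files are assumptions made for illustration.

```python
import os

# Leading-byte signatures for the types an extension may claim (well-known magic numbers).
SAFE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Signatures of content that can execute: interpreter scripts and Mach-O binaries.
EXEC_MAGIC = (
    b"#!",
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # Mach-O 32-bit, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit, both byte orders
    b"\xca\xfe\xba\xbe",                       # universal (fat) binary
)


def validate_download(filename: str, content: bytes) -> str:
    """Return 'safe', 'unsafe' or 'unknown'; only 'safe' may be opened automatically."""
    ext = os.path.splitext(filename)[1].lower()
    if content.startswith(EXEC_MAGIC):
        return "unsafe"    # executable content, whatever the name says
    expected = SAFE_MAGIC.get(ext)
    if expected is None:
        return "unknown"   # extension is not on the allowlist
    if content.startswith(expected):
        return "safe"      # bytes positively match the claimed type
    return "unknown"       # claims to be an image, but the bytes are not one


# Constructed sample downloads (hypothetical names and contents, not real files).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "holiday.jpg": b"#!/bin/sh\necho constructed sample\n",
    "notes.jpg": b"echo constructed sample\n",  # no recognisable signature
    "tool.bin": b"\xca\xfe\xba\xbe\x00\x00\x00\x02",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {validate_download(name, data)}")
```

The design point is the final branch: a file is treated as safe only when its content positively matches the type its name claims, so anything that merely lacks an executable signature still produces a warning.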

38 Comments

  1. HERE IS APPLE AT ITS BEST – viruses, worms, trojans – come on let’s have ’em Sophos. I’m not buying thank you very much, Apple does a better job of protecting me than you ever could.

    There are now more written articles about Apple malware than there are users affected by it. 99.999% of us are just fine.

    Cracks me up.

  2. Yeah, I wonder if all of the buggers who wrote gleeful articles about the “virus threats” to Macs are going to update or follow up writing about how goddamned fast Apple fixed the “hole.”

    I also wonder if I will wake up tomorrow and have a pile of money on the bedstand and the ability to fly.

    I think the latter is more likely.

  3. Does anyone have a link to the Leap.A trojan or the other proof of concept hacks, so that I can see the new safeguards in action? I’m doing a re-install in the next few days anyway, so it’s no problem if things go wrong…

  4. For those who’ve moved their Terminal app out of /Applications/Utilities, you can stop taking crazy pills! Why move around components on your system in response to a theoretical threat that no one has ever experienced? The day that any significant number of Mac users report having issues with their machines, I will take steps to make mine as safe as possible. Until then I’m not going to assume that of the 16 million OS X users I am going to be the first one to come upon a malicious attack, and if I am, hell, that’s my name in the record books.

    No one took advantage of this hole, no one was affected. Those of us who didn’t move our terminal out of the applications folder had the exact same number of problems as those who did: 0.

  5. Hey kids! Just for kicks, let’s take a look at all the scaaaaary “vulnerabilities” this patch fixes! After all, as we know, Mac OS X has just as many vulnerabilities as Windows XP, and we silly Mac users are deluding ourselves, thinking we’re safe. Right? Right! So let’s take a look on the Apple page linked at the top:

    — apache_mod_php: Uh-oh, there’s a hole in PHP! Good thing the web server is disabled by default, huh?
    — automount: File servers on the local network may be able to cause Mac OS X systems to mount file systems with reserved names! Oh dear oh dear! My local network was vulnerable! This means if someone broke into my house and somehow logged onto my Mac, he could do nasty things to my iBook, as long as it was also turned on and connected! How unsafe the Mac is!
    — BOM: Some nasty person could have made an archive, and when I uncompressed it, the files could have been written to a totally different directory! As long as I have write authority to that directory. So, not the system or anything. But, they could put porn in my Pictures directory! Horror!
    — Directory Services: “Malicious local users may create and manipulate files as root”! Oh no! If I had any other local users, I’d be peeing my pants right now!!
    — FileVault: Oops, a bug allowed files to be accessed the first time FileVault was turned on. So if a bad person was really lucky and snuck up to the keyboard while I was going to the bathroom, he could read my stuff!

    Look, it goes on like that. Check out the page, you’ll see what I mean. With the exception of the two biggies, most of these “vulnerabilities” are an issue only for folks on big networks where you can’t keep track of everyone using the system. In other words, home users were unlikely ever to be affected.

    So the next time the local WinTroll wants to compare security patches, remind him that not all vulnerabilities are created equal. These things aren’t like anything on the scale of the holes in Windows that allow hackers to take over your machine 5 minutes after you plug in the Internet.
