Apple releases Security Update 2006-001 for Mac OS X; includes fixes for Safari, Mail, iChat issues

Apple today released Security Update 2006-001 which is recommended for all users (Mac OS X 10.3.9, Mac OS X 10.4.5) and improves the security of the following components:

• apache_mod_php
• automount
• Bom
• Directory Services
• iChat: A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
• IPSec
• LaunchServices
• LibSystem
• loginwindow
• Mail: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not “safe”. Certain techniques can be used to disguise the file’s type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.
• rsync
• Safari, LaunchServices: Impact: Viewing a malicious web site may result in arbitrary code execution. Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the “Open ‘safe’ files after downloading” option is enabled in Safari’s General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9). (More fixes in linked article below.)
• Syndication
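The Safari and Mail entries above describe the same weakness: the "safe" decision was made from the file name and icon rather than from the bytes themselves, so a shell script or application wearing a .jpg name was auto-opened. The checker below is an added example (not Apple's Download Validation code, and not from the article) of the content-first check the update moved towards: it classifies a download by its magic bytes, rejects anything whose claimed extension does not match, and judges an archive by what it would unpack to. The "safe" extension list and the sample files are assumptions constructed for the example.

```python
import io
import zipfile
from pathlib import Path
# "Safe" extensions (assumed subset) mapped to the content family the bytes must really be.
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".zip": "zip"}
# Mach-O magic numbers (32/64-bit, both byte orders, and fat binaries).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
IMAGE_MAGICS = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png"}

def classify(data: bytes) -> str:
    """Decide what the bytes are from content alone, ignoring name and icon."""
    if data[:2] == b"#!":
        return "script"          # interpreter line: a shell or other script
    if data[:4] in MACHO_MAGICS:
        return "mach-o"          # native executable
    for magic, kind in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return kind
    if data[:2] == b"PK":
        return "zip"
    return "unknown"

def is_safe_to_open(name: str, data: bytes) -> bool:
    """True only if the name's claimed type matches the bytes; an archive is
    judged by what it would unpack to, so every entry must pass too."""
    expected = EXPECTED.get(Path(name).suffix.lower())
    if expected is None:
        return False             # not a "safe" type: never auto-open
    actual = classify(data)
    if actual != expected:
        return False             # e.g. a script wearing a .jpg name
    if actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return all(info.is_dir() or is_safe_to_open(info.filename, zf.read(info))
                       for info in zf.infolist())
    return True

# Constructed samples (not from the page): a JPEG header and a harmless shell
# script wearing a .jpg name, packed the way the Heise test archive was.
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
DISGUISED = b"#!/bin/sh\necho hello\n"

def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, payload in entries.items():
            zf.writestr(fname, payload)
    return buf.getvalue()
```

A real validator would also have to consider resource forks and LaunchServices metadata travelling alongside the file, which this byte-level check does not see.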

The Update is available via Software Update. Detailed information on this Update here.

MacDailyNews Note: For those who’ve moved their Terminal app out of /Applications/Utilities, you can put it back now after updating. grin

For the Safari exploit, the safe online demonstration provided by Heise Security that you can use to determine whether your system is affected is included in the article here. (Updated systems will display a dialog stating: “‘Heise.jpg’ may contain an application. The safety of this file cannot be determined. Are you sure you want to download ‘Heise.jpg’?” Users should simply cancel the download.)


38 Comments

  1. “PAGING A ‘MACDUDE’. PAGING A ‘MR. BORING MACDUDE’.

    MR. MACDUDE, PLEASE COME TO THE BAKERY SECTION OF THE SUPERMARKET AND PICK UP YOUR FRESH PIE.

    MR. MACDUDE, YOUR PIE IS READY. ONE HUMBLE PIE FOR A MR. BORING MACDUDE.

    AND TO EVERYONE ELSE, ENJOY YOUR DAY AND THANKS FOR SHOPPING AT REALITY WORLD.”

  2. Updated systems will display a dialog stating: “‘Heise.jpg’ may contain an application. The safety of this file cannot be determined. Are you sure you want to download ‘Heise.jpg’?” Users should simply cancel the download.

    But if they don’t read the box or if they are like most users and just click “Yes” to anything, Heise.jpg will still run as a program? That’s the problem I want fixed.

  3. Jooop,

    You want Apple to have Mac OS X prevent users from installing programs?

    I think you’re supposed to be a Windows user, dude. And stop the huffing immediately.

    MDN MW: “death” (not kidding – that’s some scary magic)

  4. even more important to me:

    this update fixed my system wide spell checker that had for some reason stopped working. it works again. Also, I was unable to edit document names from the finder (couldn’t click on their names and type something else in). Now that is fixed too.

    Weeee.

  5. You want Apple to have Mac OS X prevent users from installing programs?

    No, I want Apple to have Mac OS X prevent programs that have the extension of a picture and the icon of a picture from running as programs when they’re double-clicked. I don’t think that’s too hard or too much to ask. On Windows if you rename heise.exe to heise.jpg, it won’t run. I don’t think heise.app renamed to heise.jpg should run on Mac OS X either.

    Mac OS X allows a program to have its icon changed to that of a harmless file, and its extension changed to that of a harmless file, and STILL RUN AS A PROGRAM WHEN IT’S DOUBLE-CLICKED. I don’t want another dialog box asking me “Are you really really sure?” I want a real fix for this obvious and glaring issue.

  6. Joop,
    after updating, I downloaded the Heise test file (which is a zip archive). I double-clicked it, which created a heise.jpg with a JPG icon. There was no preview (I always use column view), and when I double-clicked it, Preview said it could not open the file: it may be corrupt or not a format it understands.

    is this what you wanted?

    MW: post – I thought I would try it and post my results

  7. For anyone that thought this was a quick response to a rather serious security flaw, you are crazy. Don’t get me wrong, I love my Macs, but for a company that needs to get into the enterprise market, this was simply a poor showing. Maybe next time around (and you would be a fool to believe this is the last exploit) Apple will handle it with either a much faster response or a much more complete fix.

  8. iMac
    after updating, I downloaded the Heise test file (which is a zip archive). I double-clicked it, which created a heise.jpg with a JPG icon. There was no preview (I always use column view), and when I double-clicked it, Preview said it could not open the file: it may be corrupt or not a format it understands

    I’m getting the same thing, it doesn’t seem to have done anything!
