Apple today released Security Update 2006-008, which is recommended for all users and improves the security of the following components:
• Quartz Composer
• QuickTime for Java
Security Update 2006-008 offers security improvements for QuickTime for Java and Quartz Composer (CVE-ID: CVE-2006-5681):
Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8
Impact: Visiting a malicious web site may lead to information disclosure
Description: Java applets may use QuickTime for Java to obtain the images rendered on screen by embedded QuickTime objects and upload them to the originating web site. When this facility is used in conjunction with Quartz Composer, it becomes possible to capture images that may contain local information. This update addresses the issue by disallowing Quartz Composer compositions in unsigned Java applets. Quartz Composer compositions continue to function locally. Applications and signed Java applets that utilize QuickTime and QuickTime for Java are unaffected. This issue does not affect systems prior to Mac OS X v10.4. It also does not affect the Windows platform.
Security Update 2006-008 is available via Software Update and also as standalone installers:
• More info and download link for Security Update 2006-008 (PPC) here.
• More info and download link for Security Update 2006-008 (Universal) here.
Related articles:
Apple working with MySpace on QuickTime JavaScript worm fix – December 05, 2006
QuickTime JavaScript worm spreads via MySpace – December 04, 2006
Thanks for the heads up MDN.
Well alright, then.
Nothing more fun than a day full of updates!
Cool thanks MDN
My Quartz is snappier. Even my elastic bands are snappier!
My winkie is snappier!
UH OH! When Apple credited the finder, they didn’t refer to him as “Lord and Savior of this Enchanted Realm!” Guess they mistreated him, too.
Uncle Floyd is snappier!
Snap it pal!
“It also does not affect the Windows platform.” – No, Windows has its own problems…
Still no software fix for the AirPort card in Core Duo MacBook Pros? The C2D’s got one. I guess early adopters get left out in the cold. Harumph!
Anyone else’s iSight discontinue working after applying this patch?
I have a G5 Quad.
I applied the patch and shutdown the machine for the night.
Powered up this morning, started iSight via Delicious Library.
iSight light came on but image froze and wouldn’t unfreeze.
I turned off/on iSight – iSight didn’t come back on.
Exited DL, tried iChat. No luck there.
Repaired disk permissions, still not working.
Recycled power by holding the power button (as recommended at another site). Nope.
My iSight is working fine – Although mine is built-in, so our setups are different. Figured I’d let you know anyway…
Thank you – I appreciate your response. It’s amusing this happened when standalone iSights are not available and my 12 month warranty ended two weeks ago. I’ll investigate and test some more this weekend.
Changed Firewire ports. iSight works fine now.