Security update 2006-001 + iTunes 6.04 available
Mail and Safari are among the fixes.
EDIT: Safari is still the same exact version/build. Doesn't appear to fix the vulnerability either.
Security Update 2006-001 is recommended for all users and improves the security of the following components:
apache_mod_php
automount
Bom
Directory Services
iChat
IPSec
LaunchServices
LibSystem
loginwindow
Mail
rsync
Safari
Syndication
Comments
Mail
CVE-ID: CVE-2006-0395
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Download Validation fails to warn about unsafe file types
Description: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.
Safari, LaunchServices
CVE-ID: CVE-2006-0394
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a malicious web site may result in arbitrary code execution
Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
There's a bunch of unrelated Safari fixes, too - I guess Apple sicc'ed some engineers on it with a broad license to kill bugs. This is pretty quick - less than two weeks since the public report?
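As an added example (my own illustration, not Apple's code and not part of this thread), here is a toy version of what the advisory describes as the fix: a download validator that looks at the file's actual leading bytes instead of trusting the claimed extension, and warns when something named like an image or movie is really a script or Mach-O binary. The signature table is a constructed subset, not Apple's list of "safe" types.

```python
import os

# Constructed subset of "safe" types keyed by extension -> leading-byte signatures.
SAFE_MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

# Leading bytes that mean "this is executable", whatever the name says.
# (0xCAFEBABE is shared by Java class files; warning on it is still the safe call.)
EXECUTABLE_MAGIC = [
    (b"#!", "script with an interpreter line"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit (big-endian)"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit (little-endian)"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit (big-endian)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (little-endian)"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal (fat) binary"),
]


def validate_download(filename, data):
    """Return ("allow", reason) or ("warn", reason) for a downloaded file.

    The decision is based on the file's contents, so renaming a script to
    photo.jpg does not make it pass: the content check runs first.
    """
    ext = os.path.splitext(filename)[1].lower()

    # 1. Anything that starts like an executable is never "safe".
    for magic, kind in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return "warn", "%s claims %r but content is a %s" % (filename, ext, kind)

    # 2. A claimed safe type must match its own signature.
    signatures = SAFE_MAGIC.get(ext)
    if signatures is None:
        return "warn", "%s has an unknown type %r" % (filename, ext)
    if any(data.startswith(sig) for sig in signatures):
        return "allow", "%s is a genuine %s" % (filename, ext)
    return "warn", "%s claims %r but content does not match" % (filename, ext)


if __name__ == "__main__":
    # Constructed sample attachments, not real files.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("vacation.jpg", b"#!/bin/sh\necho disguised\n"),
        ("clip.mov", b"\xca\xfe\xba\xbe\x00\x00\x00\x02"),
    ]
    for name, blob in samples:
        print(validate_download(name, blob))
```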
Originally posted by Towel
Excellent. It *does* address the LaunchServices, Mail and Safari vulnerabilities that caused the recent scare:
There's a bunch of unrelated Safari fixes, too - I guess Apple sicc'ed some engineers on it with a broad license to kill bugs. This is pretty quick - less than two weeks since the public report?
Thank you for the link you've put in.
I am aware that no OS is "safe", even Apple's Mac OS X.
By no means.
But I wasn't aware that there are so many "holes" being identified.
It actually seems to me that it is only a matter of time before some exploits are seriously gonna be (ab)used. No question of whether, but when.
Funny thing I found at the bottom of the last page:
Distinguishing legitimate and malicious applications
Where you got the file is the most important indicator. Only download and install applications from trusted sources, such as well-known application publishers, authorized resellers, or other well-known distributors. It is also advisable to use antivirus software to scan any files before installation. A selection of third-party products may be found at the Macintosh Products Guide.
The bottom line is, Apple is aware of some security issues.
They even go so far as to advise anti-virus software.
Hear hear.