Security update 2006-001 + iTunes 6.04 available

Posted in macOS, edited January 2014
Mail and Safari are among the fixes.



EDIT: Safari is still the same exact version/build. Doesn't appear to fix the vulnerability either.



Security Update 2006-001 is recommended for all users and improves the security of the following components:

apache_mod_php

automount

Bom

Directory Services

iChat

IPSec

LaunchServices

LibSystem

loginwindow

Mail

rsync

Safari

Syndication

Comments

  • Reply 1 of 4
    We're going on a new iTunes once a week!
  • Reply 2 of 4
    gene clean Posts: 3,481 member
    Lots of holes to fill.
  • Reply 3 of 4
    towel Posts: 1,479 member
    Excellent. It *does* address the LaunchServices, Mail and Safari vulnerabilities that caused the recent scare:

    Quote:

    Mail



    CVE-ID: CVE-2006-0395



    Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5



    Impact: Download Validation fails to warn about unsafe file types



    Description: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.



    Quote:

    Safari, LaunchServices



    CVE-ID: CVE-2006-0394



    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5



    Impact: Viewing a malicious web site may result in arbitrary code execution



    Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).



    There's a bunch of unrelated Safari fixes, too - I guess Apple sicc'ed some engineers on it with a broad license to kill bugs. This is pretty quick - less than two weeks since the public report?
  • Reply 4 of 4
    vox barbara Posts: 2,021 member
    Quote:

    Originally posted by Towel

    Excellent. It *does* address the LaunchServices, Mail and Safari vulnerabilities that caused the recent scare:

    There's a bunch of unrelated Safari fixes, too - I guess Apple sicc'ed some engineers on it with a broad license to kill bugs. This is pretty quick - less than two weeks since the public report?




    Thank you for the link you've put in.

    I am aware that no OS is "safe", even Apple's Mac OS X.

    By no means.

    But I wasn't aware that there are so many "holes" being identified.

    It actually seems to me that it is only a matter of time when some exploits are seriously gonna be (ab)used. No question of whether, but when.



    Funny thing I found at the bottom of the last page:



    Quote:

    Distinguishing legitimate and malicious applications



    Where you got the file is the most important indicator. Only download and install applications from trusted sources, such as well-known application publishers, authorized resellers, or other well-known distributors. It is also advisable to use antivirus software to scan any files before installation. A selection of third-party products may be found at the Macintosh Products Guide.



    The bottom line is, Apple is aware of some security issues.

    They even go so far as to advise Anti-Virus Software.

    Hear hear.
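
Added example, not part of the thread or of Apple's advisory: both descriptions quoted in reply 3 come down to a file's apparent type being trusted over its content. The Python below treats the file name as an untrusted claim and decides from the leading bytes of the whole file; `validate_download`, the magic-number tables and the sample inputs are constructed for illustration and are an assumption, not how Apple's Download Validation is implemented.

```python
import os

# Leading bytes expected for a few media types (small constructed table).
SAFE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Leading bytes of content the operating system can run.
EXECUTABLE_MAGIC = {
    b"#!": "script with an interpreter line",
    b"\xfe\xed\xfa\xce": "Mach-O binary",
    b"\xce\xfa\xed\xfe": "Mach-O binary",
    b"\xfe\xed\xfa\xcf": "Mach-O binary",
    b"\xcf\xfa\xed\xfe": "Mach-O binary",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
    b"\x7fELF": "ELF binary",
}


def validate_download(filename, data):
    """Return ("open" | "warn", reason); the name is only an untrusted claim."""
    ext = os.path.splitext(filename)[1].lower()
    # Executable content always warns, whatever the name says.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return "warn", f"{filename}: content is executable ({kind})"
    expected = SAFE_MAGIC.get(ext)
    if expected is None:
        return "warn", f"{filename}: type {ext or '(none)'} is not on the safe list"
    # A safe extension must be backed by matching content.
    if not data.startswith(expected):
        return "warn", f"{filename}: content does not match {ext}"
    return "open", f"{filename}: content matches {ext}"


if __name__ == "__main__":
    samples = {  # constructed sample inputs
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "preview.jpg": b"#!/bin/sh\necho constructed sample\n",
        "chart.png": b"GIF89a" + b"\x00" * 16,
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        print(validate_download(name, blob))
```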