Apple releases iTunes, Front Row, iPhoto, Security updates
Apple this afternoon released software updates for iTunes, Front Row, and iPhoto to coincide with new Front Row software features announced at Tuesday's media event. Security updates were also issued for both Mac OS X Tiger 10.4.5 and Mac OS X Panther 10.3.9.
iTunes 6.0.4
With iTunes 6, you can preview, buy, and download over 3,000 music videos and hit TV shows on the iTunes Music Store and sync your music and purchased videos with iPod to enjoy on the go. To watch purchased videos, you must have QuickTime 7.0.3 or later and Mac OS X 10.3.9 or later. iTunes 6.0.4 (19.5MB) addresses stability and performance issues related to Front Row.
Front Row 1.2.1
With Front Row, you can enjoy full-screen music, photos, videos, and DVDs on your Macintosh using a simple Apple remote control. Front Row 1.2.1 (5.5MB) improves compatibility with iTunes and iPhoto sharing.
iPhoto 6.0.2
iPhoto has always been the best way to easily import photos from your digital camera, organize them for fast retrieval, and then share them with family and friends. iPhoto 6.0.2 (13.7MB) resolves several minor issues with playing shared slideshows in Front Row.
Security Update 2006-001 Mac OS X 10.4.5 (PPC)
Security Update 2006-001 (12.5MB) is recommended for all users and improves the security of the following components: apache_mod_php, automount, Bom, Directory Services, iChat, IPSec, LaunchServices, LibSystem, loginwindow, OpenSSH, rsync, Safari, and Syndication.
Security Update 2006-001 Mac OS X 10.4.5 (Intel)
Security Update 2006-001 (22.5MB) is recommended for all users and improves the security of the following components: apache_mod_php, automount, Bom, Directory Services, iChat, IPSec, LaunchServices, LibSystem, loginwindow, OpenSSH, rsync, Safari, and Syndication.
Security Update 2006-001 (10.3.9 Client)
Security Update 2006-001 (25.3MB) is recommended for all users and improves the security of the following components: apache_mod_php, automount, Bom, Directory Services, IPSec, LibSystem, loginwindow, perl, Safari.
Security Update 2006-001 (10.3.9 Server)
Security Update 2006-001 (38.6MB) is recommended for all users and improves the security of the following components: apache_mod_php, automount, Bom, Directory Services, IPSec, LibSystem, loginwindow, perl, Safari.
Comments
Mail
Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Download Validation fails to warn about unsafe file types
Description: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.
Safari, LaunchServices
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a malicious web site may result in arbitrary code execution
Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
iChat
A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
WOHOO! They didn't take long to fix that. Still, it shouldn't have been the problem in the first place.
Edit: added info about iChat
They should warn you if an image is trying to open in Terminal.... not something you would normally do.
Originally posted by ChrisG
While Safari/Mail/iChat now warns you, the resulting file still looks like an image/movie/etc. Nothing is done to show you that there is code in the file. If you just mindlessly click the "Download" button (like most people do, since it seems Safari warns you about everything you download), the file doesn't get auto-run, but a File.jpg will still be on your Desktop, which you might come to later and double-click to see what the heck it is. And boom.... Terminal opens, your home directory all gone... hope you had a backup.
They should warn you if an image is trying to open in Terminal.... not something you would normally do.
I agree, it comes down to the fact that these files have an associated 'Open with' that doesn't match the default 'Open with' for the file type; this is what ultimately needs to be addressed.
This requires a trivial fix too. The following 3 changes would prevent this existing security problem from appearing ever again:
1) Instead of the system identifying a file type from its extension, it should identify it by its magic number (see man file for an explanation of this).
2) An icon of a normal file should not be changeable. If the icon of an image is set to something different, the icon should be used for all icons.
3) Executable files' icons should have a little image on them to show that they're executable in the same way that aliases have a little arrow on them to show that they are aliases.
I wonder why Apple don't fix this security hole once and for all.
In this case there's no warning when the zip file gets downloaded. And no warning when it gets unzipped. And no warning when a user clicks on it.
Originally posted by boardwalk2
Strange problems with Front Row "Shared Music" after the update. Complains latest iTunes is required to see Shared Music even though iTunes is 6.0.4, the latest.
I, too, am experiencing this on both the MBP and the iMac G5.
Enough, with the patches!!
I recently converted to OSX after using everything from MS-DOS 6.0+, to Win 3.1 all the way to Win XP Professional. I was tired of the almost weekly patches. Ugh.
Originally posted by Xool
Uh oh, Software Update is hanging when installing the iTunes update. I see Force Quit in my future...
I had the same problem. Luckily I did an install and keep package. I installed the package through Installer and everything went fine. But I had the same issue with another update a couple weeks ago, so this isn't a good sign.
At least the 10.4.5 update installed with problems, I'd hate to have that stall forever halfway.
Originally posted by Eduardo
"Hi Microsoft Windows Update! Oh, it's OSX software update".
Enough, with the patches!!
I recently converted to OSX after using everything from MS-DOS 6.0+, to Win 3.1 all the way to Win XP Professional. I was tired of the almost weekly patches. Ugh.
Patches aren't released all that often, really. But so what? I'd rather be patched than vulnerable.
Originally posted by Purgatory
The update to Front Row is much appreciated. It has a few new goodies, and is much, much more responsive on my 1.83 GHz MBP. Also, it no longer crashes when my Movies folder (or any of its subfolders) contains files that QuickTime can't play, though it does when it attempts to play them.
Having the same problem with Front Row crashing on movie files QuickTime apparently can't handle. Also it says it can't access the movie trailer server.
Originally posted by dr_gonzo
3) Executable files' icons should have a little image on them to show that they're executable in the same way that aliases have a little arrow on them to show that they are aliases.
I don't understand why they don't do this. It should be trivially simple, since it can rely on the execute bit that must already be set for that file. Aliases must work the same way, using the UNIX link designation (hard links and symbolic links both appear in the Finder as Aliases). Directories are considered executable, but can be trivially ignored. Yeah. I don't get it. It would solve the problem so simply and elegantly, by just having the execute bit trump the file extension in the Finder.
http://www.unsanity.com/haxies/pa
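The two checks suggested in the comments above (identify a file by its magic number instead of its extension, and let the execute bit flag a file named like a document), sketched as an added example; this is not code from any poster or from Apple's update. The signature table, the extension mapping and the function names `sniff`, `audit` and `demo` are assumptions of this sketch, and the sample files are constructed.

```python
import stat
import tempfile
from pathlib import Path

# Leading-byte signatures (magic numbers, as used by file(1)) and the type each
# extension claims; both tables are assumptions made for this example.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"), (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"#!", "script"),
    (b"\xfe\xed\xfa\xce", "mach-o"), (b"\xce\xfa\xed\xfe", "mach-o"),
    (b"\xfe\xed\xfa\xcf", "mach-o"), (b"\xcf\xfa\xed\xfe", "mach-o"),
    (b"\xca\xfe\xba\xbe", "mach-o"),  # universal binary; Java class files share it
]
CLAIMS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".zip": "zip"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def sniff(path):
    """Identify content by its first bytes, ignoring the file name."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((kind for sig, kind in MAGIC if head.startswith(sig)), "unknown")

def audit(path):
    """Return findings for a file whose extension claims a document type."""
    path = Path(path)
    claimed = CLAIMS.get(path.suffix.lower())
    if claimed is None:
        return []
    actual, findings = sniff(path), []
    if actual != claimed:
        findings.append(f"extension claims {claimed}, content is {actual}")
    if actual in ("script", "mach-o"):
        findings.append("runnable content behind a document extension")
    if path.stat().st_mode & EXEC_BITS:
        findings.append("execute bit set on a document type")
    return findings

def demo():
    # Constructed samples: a JPEG header, and a harmless script named like an image.
    d = Path(tempfile.mkdtemp())
    real, fake = d / "photo.jpg", d / "File.jpg"
    real.write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
    fake.write_bytes(b"#!/bin/sh\necho constructed sample\n")
    fake.chmod(0o755)
    return audit(real), audit(fake)

if __name__ == "__main__":
    print(demo())
```

The sketch inspects file content and permission bits only; it does not look at the per-file 'Open with' association discussed earlier in the thread.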
Originally posted by DHagan4755
I, too, am experiencing this on both the MBP and the iMac G5.
As strange as the problem appeared, it got resolved even more strangely this morning. Nothing changed and no other updates were applied. Makes me wonder if it has to do with the date. Oh well, the problem is gone, as I am able to see the "Shared Music" and "Shared Movies" from Front Row.
And Front Row no longer works.
The one glitch about the machine is that the infrared remote isn't all that responsive, but now, it simply doesn't work. I know it's not the remote, because when I was forced to open Quicktime and expand a video file to its largest size possible to watch it, Front Row opened up suddenly about 15 minutes later, even though I hadn't used the remote the entire time. When I used the remote again to close Front Row, it actually worked.
But it hasn't responded since. Anyone else have this problem?
GTSC