Apple Plugs Mac OS X Worm HoleBy Ryan Naraine | Print
Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers
Apple's first security update for 2006 comes with patches for several Safari browser bugs and an iChat vulnerability that caused the spread of the first Mac OS X worm.
With the security of its flagship Mac OS X operating system facing intense scrutiny, Apple Computer on March 1 released a software update with patches for more than a dozen security vulnerabilities.
The first security update from Apple for 2006 comes less than a week after the release of exploit code for Safari browser flaw and the discovery of two worms affecting Mac OS X users.
In all, five Safari issues were addressed, including an "extremely critical" flaw that could cause remote code execution attacks if a user simply viewed a maliciously rigged Web page.
A separate buffer overflow in the way the WebKit application framework handles certain HTML could allow a maliciously crafted Web page to cause a crash or execute arbitrary code as the user viewing the site.
Apple also acknowledged that Safari's security model prevents remote resources from causing redirection to local resources. "An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions," the company said in the alert.
The iChat application was also patched to block the spread of the Leap.A IM worm that was discovered on the Mac OS X platform last week.
"With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers," Apple said.
The update also fixes flaws in Mail, apache_mod_php, automount, Bom, Directory Services, IPSec, LaunchServices, LibSystem, loginwindow and rsync.
The update is shipped automatically to all Mac users through Apple's Software Update service.
Separate downloads are available on Apple's Download site for Mac OS X v10.3.9 (client and server) versions and Mac OS X v10.4.5 (Tiger) Intel and PowerPC versions.
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.