Apple on Wednesday released a security update for Mac OS X that fixes 20 vulnerabilities, including a high-profile Web browser and Mail flaw disclosed last week.
The set of patches addresses a variety of security flaws, including several that could let an attacker gain control over a computer running OS X. The patch arrives after two weeks of intense scrutiny for OS X safety, prompted by the discovery of two worms and the disclosure of two security flaws in that period.
The Apple security update addresses those flaws, which affect the Safari Web browser and Apple Mail client. The vulnerabilities expose Mac users to risks that are more familiar to Windows owners: the installation of malicious code through a bad Web site or email because of improper validation of downloads.
The update also changes iChat, Apple's instant messaging application, to thwart instant message threats such as the Leap.A pest, which was detected recently and attacked some Apple users.
"iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers," Apple said.
Aside from the previously disclosed vulnerability in Safari, the Apple patch fixes four additional security bugs. These could result in code being executed on the user's machine after viewing a malicious Web site or allow JavaScript to execute in the local domain, Apple said in its update.
Other flaws fixed in the update include four issues related to the PHP scripted programming language, two problems related to Apple's Directory Services, a problem with mounting of file servers and a bug in FileVault secure storage, which was found to be insecure in the way a FileVault image is created.
Security Update 2006-001, can be downloaded and installed via the Software Update feature in Mac OS X or from Apple Downloads.
"Apple advises Mac OS X users to keep their system current by installing this and all Mac OS X software updates," Apple said.
Talkback
After installing this update, restarting, launching Safari and navigating back to this article I see that the font used to display the article is now a mathematical font... rendering the article unreadable.
I don't have time right now to investigate the matter as extensively as I would like, but wanted to post this in case the same situation happens to someone else as a form of sanity test. I hope it's just an isolated incident.
The update does not fix the whole problem, only the auto-execution part (which is obviously the worst) of the weakness demonstrated here:
<http://www.heise.de/english/newsticker/news/69862>
When users download the sample file and locate it in the Finder, then it still looks like a jpeg unless you happen to check the type in list view or the info panel.
So once you double-click the "jpeg" to open it, actually Terminal will open and execute the sample script. Not good for the average user. Even experienced users do not always explicitly check the type of a file.
OS X should warn after unzipping the archive and on double-clicking the "jpeg".
This is why you guys need to start using windows!