No single major security threat has emerged recently, so I've decided this week to concentrate on a hodgepodge of various important threats. While all of these threats are equally significant, there's no real underlying thread to unify them all. Nevertheless, these vulnerabilities are important to someone, so I'm using a different format this week to address all of the threats equally.
Apple update
Apple has released the Mac OS X 10.4.1 Update, part of which confirms the existence of a file disclosure vulnerability in the Bluetooth implementation of Mac OS X 10.4. A pair of file access vulnerabilities has also surfaced, but they're less critical because they only expose files locally. In addition, the update addresses a Dashboard widget vulnerability in Mac OS X 10.4, which can allow a malicious site to download Dashboard widgets without warning.
Browser woes
Netscape has apparently found the perfect way to combat Internet Explorer. According to reports, the recently released version 8 of the browser appears to break XML rendering if you try to run IE. Some people say this is unimportant; however, they apparently don't know about RSS.
In addition, a report on Angelfire points out that Netscape 8 relies on some IE code to render trusted pages — now that's taking an independent stand!
The same report includes a note that the author tried to run Netscape 8 on an old Windows version without IE installed, and Netscape won't work. So, that apparently means that Netscape is dependent on IE and therefore is likely vulnerable to Internet Explorer bugs, as well as Firefox and Mozilla bugs it hasn't yet patched (it's always a generation behind Mozilla and Firefox)! Can you say the worst of both worlds?
Also, users who rushed to download Netscape 8 (someone out there must have) need to download version 8.0.1 — released one day later — to fix the already known holes in Firefox 1.0.3, which served as the basis for Netscape 8. The moral here is that if you want to have the latest patches, you should probably stick to Firefox. And all of this comes out after AOL/Netscape bombarded users with ads about how secure the new Netscape version was going to be.
