Fresh Apple Patches

Published: 2006-03-02
Last Updated: 2006-03-02 18:27:17 UTC
by Swa Frantzen (Version: 2)
0 comment(s)

Apple released a security update called "2006-001".  It is claiming to update following components:

Also described in the release notes are:

For detailed information on this update, we'll refer you to apple's article 303382.

This update is very critical to install on your Mac OS X machines:

  • safari gets fixes for 4 separate issues: one of them with the public PoC; 3 of them result in arbitrary code execution and one looks like it allows javascript access to local resources.
    At this point it's unclear how effective the patch against the PoC is. To quote Apple: "This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)". We know from experience that warning users is hardly enough in real life. Still it's better than nothing.
  • ichat, mail get file type protection warnings in an effort to help twarth the worm threat (as exposed by the PoC virus Leap.A)
  • The Directory services vulnerability already has an exploit publicly available allowing local privilege escalation.
  • many more ... but you get those fixes for free anyway

On the not so good side: (before I get every Apple fan on my case: I love my powerbook, but it does not mean Apple should not clean up their act a bit)

  • Nice to get an update to PHP 4.4.1, but do note that a quick visit to learns that it released PHP 4.4.1 on October 31st, 2005. That's 4 months!  Add to that that PHP 4.4.2 has been released on January 13th, 2006.  For a open source package this isn't cutting it I'm afraid. Apple really needs to speed up it's testing and dramatically reduce the window of exposure (even if it's not enabled by default).
  • Apple references article 108009 but it's putting all responsability with the end user. Can't we please have it promote using things like anti-virus and other malware preventing software? Sure users should not accept everything and click on anything. But the windows world has proven this approach doesn't work well enough once the OS gets targeted by malware.

UPDATED to include CVE numbers (many are still not public, but that will most likely change soon)

Swa Frantzen

0 comment(s)


Diary Archives