Apple fixes Safari, other exploits

Apple today released Security Update 2006-001 for both Mac OS X Panther and Mac OS X Tiger, which is recommended for all users and improves Safari by fixng four different security issues, including the 'extremely critical' Mac OS X zero-day exploit and three other exploits that could enable arbitrary code execution by a malicious user. It also fixes 13 other bugs in the following components: apache_mod_php, automount, Bom, Directory Services, iChat, IPSec, LaunchServices, LibSystem, loginwindow, Mail, rsync, and Syndication. Apple also said that its AES-128 encrypted FileVault disk images are now created with more restrictive operating system permissions and that improved iChat security by using Download Validation to warn of unknown or unsafe file types during file transfers--in part to protect against the recently reported Leap.A worm.

The update fixes multiple security issues in PHP, the popular web programming language included with the Apache webserver installation. The latest version is installed, but turned off in default installations of Mac OS X. The an automount issue that could cause the systems to become unresponsive, or possibly allow arbitrary code delivered from the file servers to run on the target system.

Apple also notes that the update more securely stores passwords: "The passwd program is vulnerable to temporary file attacks. This could lead to privilege elevation. This update addresses the issue by anticipating a hostile environment and by creating temporary files securely."

Filed under: software