updated 04:30 pm EDT, Tue May 1, 2007
Security Update bugs fixed
Apple today released a revised security update to fix two bugs introduced by last week's update from the company, but did not address two important zero-day QuickTime flaws or a Safari flaw that was used to hack a MacBook. Security Update 2007-004 v1.1 (PPC version), for Mac OS X 10.3 Panther and for Mac OS X 10.4 Server systems, includes the contents of Security Update 2007-004 (released in mid-April) and adds two crucial fixes for issues introduced by that update. Apple says it resolves a wake-after-sleep issue involving AirPort connections on systems running Mac OS X 10.3.9 that was introduced in last week's security update. The latest update also fixes a newly introduced security issue that enables users with ftp access to navigate to directories outside the normal scope.
Apple notes that the Security Update 2007-004 applied an incorrect ftp configuration file for Mac OS X Server v10.4.9 systems.
"Users with ftp access, who would normally be restricted to certain directories, may be able to access directories outside the normal scope. This update addresses the issue by restoring the correct version of the ftp configuration file. This issue only affects Mac OS X Server v10.4.9 with Security Update 2007-004."
Mac OS X 10.4.9 (client) and Mac OS X Server 10.3.9 systems that have already installed Security Update 2007-004 are not affected, and the Software Update utility will not display Security Update 2007-004 v1.1 for these systems, the company said in its documentation.
The update, however, does not contain fixes for two older zero-day QuickTime flaws, which could allow attackers to make QuickTime stop responding or execute arbitrary code as the user. Apple also did not address the Safari flaw that allowed researchers to hack a MacBook Pro at the CanSecWest security conference.
Update: Apple on Tuesday also released QuickTime 7.1.6 to address a critical zero-day flaw in QuickTime for Java.