Apple Computer released its first security patch of 2005 this week in order to plug some holes in its Mac OS X operating system.

Security Update 2005-001 for Mac OS X addresses issues with Apple's "at" commands, library (libxml2), ColorSync, Safari and Mail programs as well as specific problems found in PHP and third-party supplied "SquirrelMail." The fixes are recommended for all Macintosh users running server and client versions of Mac OS X 10.3.7 or Mac OS X 10.2.8.

Updates for the "at" commands address what Apple calls "a local privilege escalation vulnerability." If not remedied, the problem could allow local users to remove files not owned by them, run programs with added privileges, or read the contents of normally unreadable files. The update patches the commands "at," "atrm," "batch," "atq," and "atrun."

Another critical fix addresses problems with the libxml2 library, which contains unsafe code Apple said may be exploited in applications linked against it. The flaw could potentially be exploited into buffer overflows.

Apple's update also repairs multiple known vulnerabilities in PHP , including remote denial of service and execution of arbitrary code.

Secunia Research has been credited in finding a problem in Mac OS X browser Safari. The fix is only necessary for users that do not enable the "Block Pop-Up Windows" feature. Without the patch, users can be mislead about the content of a Pop-up window if they used an untrusted link to navigate to a site.

For its Mail client, Apple has adjusted its code so that e-mail messages sent from a single machine can be identified. Previously, a GUUID (Globally Unique Universal ID) containing an identifier associated with the Ethernet networking hardware was used in the construction of an RFC-822 required Message-ID header. Apple's patch now hides the info in Mail with the help of a cryptographic hash.

Separately, a cross-site scripting vulnerability in SquirrelMail that allowed e-mail messages to contain content that would be rendered by a user's Web browser has been fixed.

Apple said the Security Update can be downloaded and installed via Software Update preferences, or from Apple Downloads.