Apple Patches Again

March hasn't been a particularly good month for Apple from a security standpoint. Mac users are now being treated to their second patch update in fewer than two weeks, and according to one security research firm, there are still unresolved issues.

Apple Security Update 2006-002 fixes a number of issues not fixed in update 2006-001 issued at the beginning of March.

One fix addresses a zero-day exploit that left Safari users at risk from malicious sites that could have automatically downloaded arbitrary code onto a Mac.

The 2006-002 update, according to Apple's advisory, "provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened."

The new update also fixes a download validation issue introduced in the 2006-001 update.

Apparently a user could have been erroneously warned about safe file types that had custom icons. Such false positives could have been reported for safe Word documents, among others.

The release also fixes rsync and apache_mod_php, whose 2006-001 update versions had regressions that caused some functionality issues.

The 2006-002 update includes fixes for new issues, as well. A fix for CVE-ID: CVE-2006-0396 corrects an issue that could have allowed a maliciously crafted Mail attachment to trigger a buffer overflow.

An included fix for CVE-ID: CVE-2006-0400 addresses an issue that could have enabled a malicious remote Web site to bypass the same-origin policy, which is supposed to restrict JavaScript data access.

The aggregate criticality of the vulnerabilities disclosed in Apple's 2006-002 update, according to security firm Secunia, is "highly critical."

This article was first published on InternetNews.com.