Apple fixes serious OS X flaws

Joris Evers CNET News.com

Published: 02 Mar 2006 08:50 GMT

Apple on Wednesday released a security update for Mac OS X that fixes 20 vulnerabilities, including a high-profile Web browser and Mail flaw disclosed last week.

The set of patches addresses a variety of security flaws, including several that could let an attacker gain control over a computer running OS X. The patch arrives after two weeks of intense scrutiny for OS X safety, prompted by the discovery of two worms and the disclosure of two security flaws in that period.

The Apple security update addresses those flaws, which affect the Safari Web browser and Apple Mail client. The vulnerabilities expose Mac users to risks that are more familiar to Windows owners: the installation of malicious code through a bad Web site or email because of improper validation of downloads.

The update also changes iChat, Apple's instant messaging application, to thwart instant message threats such as the Leap.A pest, which was detected recently and attacked some Apple users.

"iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers," Apple said.

Aside from the previously disclosed vulnerability in Safari, the Apple patch fixes four additional security bugs. These could result in code being executed on the user's machine after viewing a malicious Web site or allow JavaScript to execute in the local domain, Apple said in its update.

Other flaws fixed in the update include four issues related to the PHP scripted programming language, two problems related to Apple's Directory Services, a problem with mounting of file servers and a bug in FileVault secure storage, which was found to be insecure in the way a FileVault image is created.

Security Update 2006-001, can be downloaded and installed via the Software Update feature in Mac OS X or from Apple Downloads.

"Apple advises Mac OS X users to keep their system current by installing this and all Mac OS X software updates," Apple said.