swiftaw

Just ran software update and found those 3 things ready to install.

Unfortunately the security update requires a reboot so there goes people's uptime.
 
Don't you mean iTunes 6.0.4? I didn't need to reboot either...

EDIT:

Oh, you ran security update, that's why you needed to reboot.
 
mmmm Safari security fixes

apple said:
Safari

CVE-ID: CVE-2006-0390/CVE-2005-4504

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a maliciously-crafted web page may result in arbitrary code execution

Description: A heap-based buffer overflow in WebKit's handling of certain HTML could allow a malicious web site to cause a crash or execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow. Credit to Suresec LTD for reporting this issue.

Safari

CVE-ID: CVE-2006-0387

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a malicious web page may cause arbitrary code execution

Description: By preparing a web page including specially-crafted JavaScript, an attacker may trigger a stack buffer overflow that could lead to arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional bounds checking.

Safari

CVE-ID: CVE-2006-0388

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Remote web sites can redirect to local resources, allowing JavaScript to execute in the local domain

Description: Safari's security model prevents remote resources from causing redirection to local resources. An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions. This update addresses the issue by preventing cross-domain HTTP redirects.

Safari, LaunchServices

CVE-ID: CVE-2006-0394

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a malicious web site may result in arbitrary code execution

Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).

iChat fixed too

apple said:
iChat. A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
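
An added example, not part of the thread and not Apple's code: a simplified content check in the spirit of the download validation the quoted advisory describes, flagging a file whose name claims a safe type while its leading bytes are executable. The extension list, the function name `validate_download` and the sample bytes are assumptions constructed for illustration.

```python
import os

# Extensions a browser might open automatically as "safe" (constructed list).
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mov", ".pdf"}

# Leading bytes that mark content the OS can execute.
EXECUTABLE_MAGIC = [
    (b"#!", "script with an interpreter line"),
    (b"\xfe\xed\xfa\xce", "Mach-O executable"),
    (b"\xce\xfa\xed\xfe", "Mach-O executable"),
    (b"\xfe\xed\xfa\xcf", "64-bit Mach-O executable"),
    (b"\xcf\xfa\xed\xfe", "64-bit Mach-O executable"),
    (b"\xca\xfe\xba\xbe", "universal (fat) binary"),
    (b"\x7fELF", "ELF executable"),
]

# Leading bytes expected for some claimed types.
EXPECTED_MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}

def validate_download(filename, head):
    """Return (verdict, reason); verdict is 'block', 'warn' or 'ok'."""
    ext = os.path.splitext(filename)[1].lower()
    for magic, kind in EXECUTABLE_MAGIC:
        if head.startswith(magic):
            if ext in SAFE_EXTENSIONS:
                return "block", f"{ext} name but content is a {kind}"
            return "warn", f"content is a {kind}"
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        return "warn", f"content does not look like {ext}"
    if ext not in SAFE_EXTENSIONS:
        return "warn", "unknown file type"
    return "ok", "content matches a safe type"

# Constructed samples: (filename, first bytes of the file).
SAMPLES = [
    ("holiday.jpg", b"#!/bin/sh\necho hello\n"),
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("clip.mov", b"\xca\xfe\xba\xbe\x00\x00\x00\x02"),
    ("notes.xyz", b"plain text"),
    ("scan.png", b"GIF89a..."),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, validate_download(name, head))
```

A check like this only covers the leading bytes; it does not inspect archive contents or file metadata.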
 
They fixed the disguised file problem... after what, a week, two weeks?
Never seen MS do something like this this fast.
We are now officially virus free again :p
 
Well, it's a lot easier to fix the problems they had than MS's problems are. Microsoft's viruses tend to be because the application affected is inherently flawed. Apple's problems were only because someone found a loophole in the way the program properly executed. So while Microsoft has to rip apart the code of an application, all Apple has to do is add a couple lines to handle a specific subset of things from occurring.
 
stoid said:
Well, it's a lot easier to fix the problems they had than MS's problems are. Microsoft's viruses tend to be because the application affected is inherently flawed. Apple's problems were only because someone found a loophole in the way the program properly executed. So while Microsoft has to rip apart the code of an application, all Apple has to do is add a couple lines to handle a specific subset of things from occurring.

Still, who's the one at fault? It's not a fair comparison just because MS' code base sucks? :rolleyes:
 
Diatribe said:
Still, who's the one at fault? It's not a fair comparison just because MS' code base sucks? :rolleyes:

I'm not suggesting that Microsoft hasn't dug their own grave when it comes to fixing flaws, I'm just explaining that Apple didn't have to work as hard as Microsoft would have to.
 
stoid said:
I'm not suggesting that Microsoft hasn't dug their own grave when it comes to fixing flaws, I'm just explaining that Apple didn't have to work as hard as Microsoft would have to.

I agree with you, I am just saying that suggesting, as some people are, that OS X is no more secure than Windows may be one factor, although I'd still argue that, but at least our vulnerabilities only last a week or two.
 
swiftaw said:
Just ran software update and found those 3 things ready to install.

Unfortunately the security update requires a reboot so there goes people's uptime.


Thanks. Time to get rebooting.
 
Is the security update only available for OSX 10.4.5?

I'm running OSX 10.4.4 and don't see it listed... Will upgrade to 10.4.5 (or probably 10.4.8 by then :D) in a couple of weeks, just before I go home from Uni for Easter. I can't afford to be without my Mac up here at the minute, and don't have my installer DVDs with me, so if things go pear-shaped, I can't reinstall quickly....
 
thomasp said:
Is the security update only available for OSX 10.4.5?

I'm running OSX 10.4.4 and don't see it listed... Will upgrade to 10.4.5 (or probably 10.4.8 by then :D) in a couple of weeks, just before I go home from Uni for Easter. I can't afford to be without my Mac up here at the minute, and don't have my installer DVDs with me, so if things go pear-shaped, I can't reinstall quickly....

That's the beauty of an external drive and SuperDuper! or CCC. If something does go wrong just clone back the other way and you're done! Plus, if you have another Mac at home, just take your external drive with you at Easter and keep on computing.
 
thomasp said:
Is the security update only available for OSX 10.4.5?

Yes, and 10.3.9, as stated on the Apple Security Updates page... :)

This was the actual message from Software Updater about the security update, BTW (didn't copy the one for iTunes 6.0.4 and I don't have iPhoto 6):

Security Update 2006-001 is recommended for all users and improves the security of the following components:

apache_mod_php
automount
Bom
Directory Services
iChat
IPSec
LaunchServices
LibSystem
loginwindow
Mail
rsync
Safari
Syndication

For detailed information on this Update, please visit this website: http://docs.info.apple.com/article.html?artnum=61798
 
I've been running with the new security update for about an hour, and I've had to Force Quit Safari twice now.

The first time, I was reading an email, then came back to Safari, and it wouldn't respond, couldn't click on it at all. Tried to quit from the dock, but had to go to Force Quit.

The second was after watching EyeTV with Safari in the background, a program break came on, I tried to go to Safari, and had to Force Quit it again.

I've done all the usual, repair permissions etc. So we'll see what happens.
 