
Security Update 2006-001; iTunes 6.0.4; iPhoto Update 6.0.2

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,493
11,876

Apple has addressed the recent well-publicized security issues involving the Safari "Open safe files after downloading" feature, including changes to Mail, iChat, and the LaunchServices facility.

Now available via Software Update for qualifying systems:

Security Update 2006-001

For Mac OS X 10.3.9 and Mac OS X 10.4.5.

Recommended for all users and improves the security of the following components:

apache_mod_php
automount
Bom
Directory Services
iChat
IPSec
LaunchServices
LibSystem
loginwindow
Mail
rsync
Safari
Syndication

For detailed information on this Update, please visit this website: http://docs.info.apple.com/article.html?artnum=61798
Specific information can be found here.

Also available for direct download: Mac OS X 10.4.5 (PPC), Mac OS X 10.4.5 (Intel), Mac OS X 10.3.9, Mac OS X 10.3.9 Server.


iTunes 6.0.4

With iTunes 6, you can preview, buy, and download over 3,000 music videos and hit TV shows on the iTunes Music Store and sync your music and purchased videos with iPod to enjoy on the go. To watch purchased videos, you must have QuickTime 7.0.3 or later and Mac OS X 10.3.9 or later.

iTunes 6.0.4 addresses stability and performance issues related to Front Row.

Note: After purchasing music from the iTunes Music Store with iTunes 6 or later, you will also need to upgrade your other computers that purchase music from the iTunes Music Store to the latest version of iTunes.
Also available as a direct download.


iPhoto Update 6.0.2

iPhoto 6.0.2 resolves several minor issues with playing shared slideshows in Front Row.
Also available as a direct download.


Front Row 1.2.1

This Front Row update improves compatibility with iTunes and iPhoto sharing.
Also available for direct download.
 

russed

macrumors 68000
Jan 16, 2004
1,619
20
all is good here for me, installed and rebooted, all is good!
 

mazola

macrumors regular
Jan 6, 2004
146
0
Downloaded it, installed it, but it STILL doesn't fix my problem with the $100 iPod sock!
 

russed

macrumors 68000
Jan 16, 2004
1,619
20
Safari, LaunchServices

CVE-ID: CVE-2006-0394

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a malicious web site may result in arbitrary code execution

Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).




so from this i would take it has solved the evil file thing! good work apple.
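The advisory quoted above turns on one defensive idea: a download is "safe" because of what its bytes are, not because of the name it arrives with. The following is an added example (my own code, not Apple's Download Validation, whose internals are not on this page) that makes that decision by checking content signatures against the claimed extension. The signature table, the sample inputs and the three-way verdict are constructed for the example.

```python
"""Added example: decide whether a download may be auto-opened from its
contents, not its extension. Not Apple's Download Validation code."""

# Magic-number table for the file types the advisory calls "safe" (images
# and movies). Constructed for this example; the signatures themselves are
# the publicly documented ones.
SAFE_SIGNATURES = {
    ".jpg":  [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png":  [(0, b"\x89PNG\r\n\x1a\n")],
    ".gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    # QuickTime files start with a 4-byte atom size followed by an atom type.
    ".mov":  [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"), (4, b"wide")],
}

# Signatures of things that execute regardless of what the name claims:
# a shell-script shebang, Mach-O in both byte orders, and the universal
# (fat) binary header (which Java class files share; still not an image).
EXECUTABLE_SIGNATURES = [
    (0, b"#!"),
    (0, b"\xfe\xed\xfa\xce"), (0, b"\xce\xfa\xed\xfe"),  # Mach-O 32-bit
    (0, b"\xfe\xed\xfa\xcf"), (0, b"\xcf\xfa\xed\xfe"),  # Mach-O 64-bit
    (0, b"\xca\xfe\xba\xbe"),                              # fat binary
]


def _matches(data, signatures):
    """True when any (offset, signature) pair is present in data."""
    return any(data[off:off + len(sig)] == sig for off, sig in signatures)


def classify_download(filename, data):
    """Return 'unsafe', 'safe' or 'unknown' for a downloaded file.

    'unsafe'  - the bytes look executable, whatever the name says
    'safe'    - the extension claims an image/movie AND the bytes agree
    'unknown' - anything else; the caller should not auto-open it
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if _matches(data, EXECUTABLE_SIGNATURES):
        return "unsafe"
    if ext in SAFE_SIGNATURES and _matches(data, SAFE_SIGNATURES[ext]):
        return "safe"
    return "unknown"


def should_auto_open(filename, data):
    """Only a positively verified safe type is ever opened automatically."""
    return classify_download(filename, data) == "safe"


# Constructed sample downloads: (name, first bytes). The second entry is the
# shape the advisory describes: an image name on top of a shell script.
SAMPLE_DOWNLOADS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("photo.jpg", b"#!/bin/sh\necho hello\n"),
    ("clip.mov",  b"\x00\x00\x00\x14ftypqt  \x00\x00\x02\x00"),
    ("notes.txt", b"just some text"),
    ("tool",      b"\xca\xfe\xba\xbe\x00\x00\x00\x02"),
]


def triage(samples):
    """Verdict per sample, in order, for a quick report."""
    return [classify_download(name, data) for name, data in samples]


if __name__ == "__main__":
    for (name, _), verdict in zip(SAMPLE_DOWNLOADS, triage(SAMPLE_DOWNLOADS)):
        print(f"{name:12s} {verdict}")
```

The point of the three-way result is that "unknown" is not "safe": a checker that only blocks known-bad signatures would still auto-open a type it has never seen, which is the failure mode the advisory describes for a name-based check.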
 

Moof1904

macrumors 65816
May 20, 2004
1,043
44
Very long restart

It's taking quite a long time to reboot my G5. Anyone else experiencing long reboot times?
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
38,328
4,751
Los Angeles
Changes in the Security Update

apache_mod_php: Multiple security issues in PHP 4.4

PHP 4.4.1 fixes several security issues in the Apache module and scripting environment. Details of the fixes are available via the PHP web site (www.php.net). PHP ships with Mac OS X but is disabled by default.

automount: Malicious network servers may cause a denial of service or arbitrary code execution

File servers on the local network may be able to cause Mac OS X systems to mount file systems with reserved names. This could cause the systems to become unresponsive, or possibly allow arbitrary code delivered from the file servers to run on the target system.

BOM: Directory traversal may occur while unpacking archives with BOM

The BOM framework handles the unpacking of certain types of archives. This framework is vulnerable to a directory traversal attack that can allow archived files to be unpacked into arbitrary locations that are writable by the current user. This update addresses the issue by properly sanitizing those paths. Credit to Stéphane Kardas of CERTA for reporting this issue.

Directory Services: Malicious local users may create and manipulate files as root

The passwd program is vulnerable to temporary file attacks. This could lead to privilege elevation. This update addresses the issue by anticipating a hostile environment and by creating temporary files securely. Credit to Ilja van Sprundel of Suresec LTD, vade79, and iDefense (idefense.com) for reporting this issue.

FileVault: FileVault may permit access to files when it is first enabled

User directories are mounted in an unsafe fashion when a FileVault image is created. This update secures the method in which a FileVault image is created.

IPSec: Remote denial of service against VPN connections

Incorrect handling of error conditions for virtual private networks based on IPSec may allow a remote attacker to cause a service interruption. This update addresses the issues by correctly handling the conditions that may cause crashes. Credit to OUSPG from the University of Oulu, NISCC, and CERT-FI for coordinating and reporting this issue.

LibSystem: Attackers may cause crashes or arbitrary code execution depending upon the application

An attacker able to cause an application to make requests for large amounts of memory may also be able to trigger a heap buffer overflow. This could cause the targeted application to crash or execute arbitrary code. This update addresses the issue by correctly handling these memory requests. This issue does not affect systems prior to Mac OS X v10.4. Credit to Neil Archibald of Suresec LTD for reporting this issue.

Mail: Download Validation fails to warn about unsafe file types

In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.

perl: Perl programs may fail to drop privileges

When a perl program running as root attempts to switch to another user ID, the operation may fail without notification to the program. This may cause a program to continue to run with root privileges, assuming they have been dropped. This can cause security issues in third-party tools. This update addresses the issue by preventing such applications from continuing if the operation fails. This issue does not affect Mac OS X v10.4 or later systems. Credit to Jason Self for reporting this issue.

rsync: Authenticated users may cause an rsync server to crash or execute arbitrary code

A heap-based buffer overflow may be triggered when the rsync server is used with the flag that allows extended attributes to be transferred. It may be possible for a malicious user with access to an rsync server to cause denial of service or code execution. This update addresses the problem by ensuring that the destination buffer is large enough to hold the extended attributes. This issue does not affect systems prior to Mac OS X v10.4. Credit to Jan-Derk Bakker for reporting this issue.

Safari: Viewing a maliciously-crafted web page may result in arbitrary code execution

A heap-based buffer overflow in WebKit's handling of certain HTML could allow a malicious web site to cause a crash or execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow. Credit to Suresec LTD for reporting this issue.

Safari: Viewing a malicious web page may cause arbitrary code execution

By preparing a web page including specially-crafted JavaScript, an attacker may trigger a stack buffer overflow that could lead to arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional bounds checking.

Safari: Remote web sites can redirect to local resources, allowing JavaScript to execute in the local domain

Safari's security model prevents remote resources from causing redirection to local resources. An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions. This update addresses the issue by preventing cross-domain HTTP redirects.

Safari, LaunchServices: Viewing a malicious web site may result in arbitrary code execution

It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).

Syndication: Subscriptions to malicious RSS content can lead to cross-site scripting

Syndication (Safari RSS) may allow JavaScript code embedded in feeds to run within the context of the RSS reader document, allowing malicious feeds to circumvent Safari's security model. This update addresses the issue by properly removing JavaScript code from feeds. Syndication is only available in Mac OS X v10.4 and later.


Other security enhancements

FileVault

AES-128 encrypted FileVault disk images are now created with more restrictive operating system permissions. Credit to Eric Hall of DarkArt Consulting Services for reporting this issue.

iChat

A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
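The BOM entry above says the fix was "properly sanitizing those paths" when unpacking an archive. The following is an added example (my own code, not Apple's BOM framework) of what that sanitization has to do: resolve every member name against the destination directory and refuse any that would land outside it, including the prefix trick where `/tmp/out` and `/tmp/outside` share a string prefix. The destination, the member list and the `UnsafeArchivePath` exception are constructed for the example; symlink members are out of scope.

```python
"""Added example: path sanitization for archive extraction. Not the BOM
framework's code; a stand-alone illustration of the class of bug described."""
import posixpath


class UnsafeArchivePath(ValueError):
    """Raised for a member name that would escape the destination root."""


def resolve_member(dest_root, member_name):
    """Map an archive member name to an absolute path under dest_root.

    Raises UnsafeArchivePath when the normalized target is not inside
    dest_root. Leading slashes are stripped (like GNU tar's "Removing
    leading /") so an absolute member name is relocated under the root
    rather than written to the absolute location it names.
    """
    root = posixpath.normpath(dest_root)
    if not posixpath.isabs(root):
        raise ValueError("dest_root must be an absolute path")
    name = member_name.lstrip("/")
    target = posixpath.normpath(posixpath.join(root, name))
    # normpath collapses "..", so an escaping name no longer starts with the
    # root. Compare with a trailing separator so that root="/tmp/out" does
    # not accept "/tmp/outside/x" on a plain string-prefix match.
    root_prefix = root.rstrip("/") + "/"
    if target != root and not target.startswith(root_prefix):
        raise UnsafeArchivePath(member_name)
    return target


def is_safe_member(dest_root, member_name):
    """Boolean form of resolve_member for callers that just want a verdict."""
    try:
        resolve_member(dest_root, member_name)
    except UnsafeArchivePath:
        return False
    return True


def plan_extraction(dest_root, member_names):
    """Split a member listing into accepted target paths and rejected names.

    A real unpacker would create the accepted paths in order and abort or
    skip on the rejected ones; this only produces the plan.
    """
    accepted, rejected = [], []
    for name in member_names:
        try:
            accepted.append(resolve_member(dest_root, name))
        except UnsafeArchivePath:
            rejected.append(name)
    return {"accepted": accepted, "rejected": rejected}


# Constructed member listing: ordinary entries mixed with the traversal
# shapes a sanitizer must catch (parent references, absolute names, and a
# sibling directory sharing the root's string prefix).
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "../../etc/passwd",
    "/etc/passwd",
    "a/../../b",
    "../outside/x",
    "docs/./notes.txt",
]

if __name__ == "__main__":
    plan = plan_extraction("/tmp/out", SAMPLE_MEMBERS)
    for path in plan["accepted"]:
        print("write   ", path)
    for name in plan["rejected"]:
        print("REJECT  ", name)
```

Normalizing before the containment check matters: checking `".." in name` alone misses nothing here but is brittle across separators and encodings, whereas comparing the resolved target against the root catches any spelling of the same escape.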
 

shrimpdesign

macrumors 6502a
Dec 9, 2005
609
0
Mmm... new Front Row for my iMac .. this is great. I live in a dorm with a LOT of shared iTunes music ... now playing on Front Row, thanks Apple. :D
 

hyperpasta

macrumors 6502a
Aug 1, 2005
680
0
New Jersey
shrimpdesign said:
Mmm... new Front Row for my iMac .. this is great. I live in a dorm with a LOT of shared iTunes music ... now playing on Front Row, thanks Apple. :D

???

I know there's an update, but isn't it separate from this security patch?
 

supergod

macrumors 6502
Jul 14, 2004
439
0
Toronto
Front row is still unacceptably laggy on my G5. I really don't understand it: if the system was responsive then it would be really neat. But when the media centre software runs so poorly on a top end consumer computer that is only a few months old, there is something wrong with it.
 

Moof1904

macrumors 65816
May 20, 2004
1,043
44
Reboot going on six minutes. Ack!

My G5 has been rebooting for nearly six minutes now. I have a blue screen and the spinning propeller thing.

How long should I let it sit here thinking before I kick it in the groin or something?
 

dashiel

macrumors 6502a
Nov 12, 2003
876
0
what is that less than a week from apple to address the "first two OS X viruses"?

it's nice to see them fix these "viruses" in a very calm manner. they didn't treat it as an OMG the world is ending there are viruses for OS X, nor did they ignore what were effectively not-viruses. kudos. and to that george character from yesterday claiming OS X was less secure than winXP.

real world damage to OS X users = 0
real world damage to winXP users = $$$
 

Photorun

macrumors 65816
Sep 1, 2003
1,216
0
NYC
Moof1904 said:
My G5 has been rebooting for nearly six minutes now. I have a blue screen and the spinning propeller thing.

How long should I let it sit here thinking before I kick it in the groin or something?

This isn't uncommon and not an immediate worry. Happens on my G5 PowerMac but not on my iBook strangely. Just be patient, subsequent boots show no lag.
 

Moof1904

macrumors 65816
May 20, 2004
1,043
44
Eleven minutes with the blue screen. Suggestions?

Should I force quit?

Thoughts?
 

Darwin

macrumors 65816
Jun 2, 2003
1,082
0
round the corner
Macnoviz said:
does this address the "virus"-like things that came out last week?
like A-leap?

From Apple Security Update Notes:

iChat.

A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
 

fabsgwu

macrumors regular
May 6, 2003
229
0
Washington, DC
Reboots after updates can last a long time sometimes. If the flappy pinwheel thing is still moving you should leave it alone for a while.

If your computer froze during startup you may need to force power down. If that happens you should definitely repair permissions, and you may need to repair the system directory/catalog using a utility like Disk Warrior.
 

Moof1904

macrumors 65816
May 20, 2004
1,043
44
Hold on, Stimpy...

It's now been 15 minutes. I'm pressing the History Eraser Button and hoping for the best.

Stand by...
 