Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Security Update 2006-002 is out
- Thread starter rinseout
- Start date
- Sort by reaction score
Security Update 2006-002 details for people to lazy to click a link:
CoreTypes - Remote web sites can cause JavaScript to bypass the same-origin policy
When documents containing Javascript are loaded from a remote site, data access is restricted by the same-origin policy. However, under certain situations, maliciously-crafted archives can cause these restrictions to be bypassed. This update addresses the issue by flagging these documents as unsafe.
Mail - Double-clicking an attachment in Mail may result in arbitrary code execution
By preparing a specially-crafted email message with attachments, and enticing a user to double-click on that attachment within Mail, an attacker may trigger a buffer overflow. This could result in the execution of arbitrary code with the privileges of the user running Mail. This update addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.
Safari, LaunchServices, CoreTypes - Viewing a malicious web site may result in arbitrary code execution
Security Update 2006-001 addressed an issue where Safari could automatically open a file which appears to be a safe file type, such as an image or movie, but is actually an application. This update provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened. This issue does not affect systems prior to Mac OS X v10.4. Credit to Will Dormann of CERT/CC and Andris Baumberger for reporting several of these issues.
Download Validation
Security Update 2006-001 could cause the user to be warned when provided with certain safe file types, such as Word documents, and folders containing custom icons. These unneeded warnings are removed with this update.
apache_mod_php
A regression in PHP 4.4.1 that could prevent SquirrelMail from functioning is corrected with this update.
rsync
A regression in rsync that prevented the "--delete" command line option from functioning is corrected with this update.
CoreTypes - Remote web sites can cause JavaScript to bypass the same-origin policy
When documents containing Javascript are loaded from a remote site, data access is restricted by the same-origin policy. However, under certain situations, maliciously-crafted archives can cause these restrictions to be bypassed. This update addresses the issue by flagging these documents as unsafe.
Mail - Double-clicking an attachment in Mail may result in arbitrary code execution
By preparing a specially-crafted email message with attachments, and enticing a user to double-click on that attachment within Mail, an attacker may trigger a buffer overflow. This could result in the execution of arbitrary code with the privileges of the user running Mail. This update addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.
Safari, LaunchServices, CoreTypes - Viewing a malicious web site may result in arbitrary code execution
Security Update 2006-001 addressed an issue where Safari could automatically open a file which appears to be a safe file type, such as an image or movie, but is actually an application. This update provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened. This issue does not affect systems prior to Mac OS X v10.4. Credit to Will Dormann of CERT/CC and Andris Baumberger for reporting several of these issues.
Download Validation
Security Update 2006-001 could cause the user to be warned when provided with certain safe file types, such as Word documents, and folders containing custom icons. These unneeded warnings are removed with this update.
apache_mod_php
A regression in PHP 4.4.1 that could prevent SquirrelMail from functioning is corrected with this update.
rsync
A regression in rsync that prevented the "--delete" command line option from functioning is corrected with this update.
Getting back menu items
Hi, my first post. Been reading the forums for a while. I thought id post as I had exactly the same problem.
Having installed the FrontRow hack, and subsequently installing this patch - my keyboard preferences would crash, and no menu items at the top right.
I followed the below instructions, after searching the forums for ideas and everything is now working perfectly:
http://voice.firefallpro.com/ 3rd post down, entitled:
Bringing back your menu bar items.
Cheers, Sam
derajfast said:
Hi, my first post. Been reading the forums for a while. I thought id post as I had exactly the same problem.
Having installed the FrontRow hack, and subsequently installing this patch - my keyboard preferences would crash, and no menu items at the top right.
I followed the below instructions, after searching the forums for ideas and everything is now working perfectly:
http://voice.firefallpro.com/ 3rd post down, entitled:
Bringing back your menu bar items.
Cheers, Sam
Wow, someone put a fire under 'em, eh? Good to see. While Apple never explicitly advertises security as a selling point, they clearly know it is one and didn't like the bad press...
Better proactive than reactive, but better reactive than inert.
Better proactive than reactive, but better reactive than inert.
jobberwacky said:
I always thought it was "Teh Snappy."
To anyone who has had problems with this update, isn't that why you clone your hard drive to an external FW drive with SuperDuper or CCC so that you can restore if something goes wrong?
I know Apple is responsible to make sure their updates don't break anything, but you have to take some responsibility for applying an update without proper backup just in case.
i'm not certain, but i believe arbitrary code execution either opens up something you aren't necessarily using, like terminal or run/install a program. again, not sure, hope someone gives a better answer!rye9 said:
i noticed myspace occasionally runs ridiculously slow with safari, and just assumed it had something to do with all the crap on everyones page.
oh... gonna download the update now, can't wait for a snappier safari, mine's seemed sluggish for a few months.
Safe as houses !!
To all those PC fools, go and play with your dull beige boxes.
Here's to the future!
To all those PC fools, go and play with your dull beige boxes.
Here's to the future!
Two reasonable possibilities:emaja said:
1. Some people feel obliged to download and install the update, which can take time and trouble. It's free, but your time may not be. If you are responsible for many Macs, such as in a business or school (or a large family!) and you update them individually, much work can be involved.
2. The fact that a security update has been issued shows there were flaws in the software being updated. This is the nature of software, but that doesn't mean people are happy about it.
You basically have it. "Arbitrary" can be taken literally here, it means that an exploit can run anything at all that it wants, benign, harmful or anything in between. It's limited only by the privileges belonging to the hapless user who stumbles across the exploit.cygni said:
Doctor Q said:
That's just foolish. Would they really rather Apple not update the software for possible security exploits?
Disconnect your computer from the internet and you won't have to be troubled with updates, or vulnerabilities at all.
Doctor Q said:
Not directed at you Doctor Q, but be serious people. Apple is not flawless (oh the blasphemy!). Apple fixed something that was bad. Patch it, or don't, but this can't possibly honestly be a bad thing.
I guess it goes to show that you really can't please everybody.
