March 13, 2006 4:15 PM PST

Apple corrects patch trouble

Apple Computer on Monday released the second set of Mac OS X security fixes in two weeks.

Security Update 2006-002 corrects problems caused by the company's previous patch and fixes newly discovered security flaws, some of which could let an attacker run code on a computer with the same privileges as the user, the company said on its Web site.

"This Security Update includes some upgrades to our download validation mechanism and strengthens it," Bud Tribble, Apple's vice president of software technology, told CNET News.com. "We reduced the number of false positives it gives."

Earlier this month Apple released a security update for its operating system to plug 20 holes. That update added download validation to the Safari Web browser, Apple Mail client and iChat instant-messaging tool. The function warns people that a download could be malicious when they click on the link.

However, download validation has been sounding the alarm on harmless files. "Security Update 2006-001 could cause the user to be warned when provided with certain safe file types, such as Word documents, and folders containing custom icons," Apple said in its security alert. The new update fixes that problem, the company said.

Additionally, Apple's previous update didn't entirely fix the problem. Malicious files could still run without any user action, Apple said. "This update provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened," according to the alert.

The earlier patch also introduced errors with the PHP scripted programming language and "rsync" file transfer utility, Apple said. The PHP issue may prevent SquirrelMail from running and the rsync "--delete" command may not work, the company said. That is now corrected.

The new security update also fixes a pair of newly discovered flaws. One bug is a buffer overflow error in Apple Mail that could be triggered by enticing a user to double-click on an e-mail attachment, Apple said. The bug could let an attacker run code in the context of the user, the company said.

The second flaw is related to how Mac OS X handles documents that contain JavaScript. An attacker could craft a file and host it on a remote Web site that would bypass certain access restrictions on a Mac when opened, according to Apple's advisory.

Security-monitoring company Secunia rates Apple's new fix "extremely critical," its highest risk rating, which is not often awarded.

While Apple urges its users to install the patches, there is no immediate risk of attack, Tribble said. "None of these issues are things where there are exploits in the wild," he said. "In a way you can say these are pre-emptive fixes to prevent problems from arising."

The new patch comes after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms and the disclosure of a serious vulnerability. Security experts also were questioning the effectiveness of Apple's latest patch, suggesting the company should add protection at a deeper level in the system.

Security Update 2006-002 can be downloaded and installed via the Software Update feature in Mac OS X or from Apple Downloads.

23 comments (Showing first 20 comments)
A Fast Response
by CBSTV March 13, 2006 5:40 PM PST
I'm impressed how quickly Apple responds with their Security
Updates.
2 staged responses / Very Cool
by wysiwyg22 March 13, 2006 6:23 PM PST
I'm especially impressed that they released fixes in two stages. Stage one, just something to "Work" and prevent attackers from taking advantage once the flaw was publicly released, then a second release as soon as a polished fix was in place.

Most software companies hardly get past stage one.
Apple apologists are unbelievable
by catch23 March 13, 2006 7:00 PM PST
Apple releases a "fix" that doesn't work, and you guys praise them?
Look, you can **** in a glass and call it Champagne while you toast one another on their wonderful deeds, but at the end of the day it was a total screw-up, both the original problem and the first fix. You same dumb idiots go off on MS when they pull this type of crap, so let's start believing that one set of standards is enough.
'Preemptive' says it all
by J.G. March 14, 2006 5:12 AM PST
I'm satisfied. Even Mac-gasmic, JM. Most of the vulnerabilities
never applied to my OS X installation anyway. Squirrel Mail?
Please. I don't even use Mail mail. And, as the Apple spokesman
said (it should have been at the beginning of the article, not the
bottom) there was nothing exploitable.

Why the weird Wintel types want Mac users to be unhappy with our
systems is beyond me.
Latest Patch
by March 14, 2006 6:38 AM PST
I just downloaded the latest OSX security patch last night for my G5 iMac. I tried to start my computer this morning and NOTHING. It's fried. I have to admit, no hackers will be on my system for quite a while.
I know It's bad form to post external links
by Bob Brinkman March 14, 2006 7:08 AM PST
But this sums up the argument that is going to ensue way better than I could (requires sound)

http://badmash.tv/movies.php?v=bat

Why say it yourself when someone else said it better?
Latest patch is pack of trouble
by Eric Westra March 14, 2006 9:59 AM PST
Security Update 2006-002 has had multiple, serious implications
for many OSX users. I've seen reports from missing desktop icons,
to unusable hyperlinks in mail and applications, to complete
system meltdowns.

Some security patch. I wonder if Apple's quality control is slipping.
free crap
by benjiernmd March 15, 2006 8:56 AM PST
Well, at least you won't be paying for the snafu that Apple made,
when other companies charge you for fixes that do not really work.
But then again, crap is a crap, free or not. Just choose the lesser
evil.
by lsawell July 14, 2008 4:57 PM PDT
27 hours ago I downloaded the latest Apple patch/update on my Power Mac G4. It went thru the process and went into restart mode. 30 hours later it's still on the grey page with the black apple silhouette and the little thinking wheel is still going around and around. What's up with that? All attempts to recover have failed. The little wheel just keeps on spinning. Is it the eprom battery or a shot drive or what? Does anybody know how to recover from this problem?