News
News
3/14/2006
02:12 PM
50%
50%

Apple Misses Bugs, Offers Fix

Apple is sending out its second security update for Mac OS X in as many weeks, including follow-up fixes to bugs thought to have been patched on March 1st.

Apple Computer on Monday released its second security update for Mac OS X in as many weeks, including follow-up fixes to bugs thought to have been patched on March 1.

Security Update 2006-002 corrects three problems that the earlier update missed for the Safari browser and other components, and also patches two new vulnerabilities, one in the Mail client. If not fixed, the Mail bug could give attackers a way to run their code on Macs.

The first day of this month, Apple issued a much larger update that plugged 17 security holes in the Mac OS X and bundled applications, including a zero-day vulnerability that could let attackers hijack machines using "drive-by download" tactics.

2006-002 patches drive-by download vulnerabilities that Apple missed. "This update provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened," Apple said in the advisory.

Errors in the previous update's fixes for an Apache PHP script language bug and a flaw in the "rsync" file transfer utility have also been corrected, said Apple.

Of the two new vulnerabilities, the Mail bug is the most serious. It could allow attackers armed with specially-crafted messages and attachments to create a buffer overflow on a Mac, which in turn might let the hacker install other code, such as a Trojanized bot or backdoor, on the machine. End result: hijacked Mac.

The other involves how Mac OS X handles documents containing JavaScript: attackers could create a malicious file and stick it on a Web site. When opened, the document could bypass certain security restrictions.

Danish vulnerability tracker Secunia lumped the five bugs under an "extremely critical" rating, its highest.

Separate downloads are available on Apple Downloads for Mac OS X 10.3.9 (Panther) clients and servers, as well as Mac OS X 10.4.5 (Tiger) Intel and PowerPC clients. Mac users who have Software Update enabled will automatically receive the update.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 7, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program!
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.