Apple Fixes Critical Safari Bug, 16 Other Flaws

The update, dubbed Security Update 2006-001, comes just over a week after news broke of a critical flaw in the operating system and the Safari Web browser, leading to intense defense of Mac security by Apple users.

The Safari vulnerability could let attackers hijack a Mac simply by enticing its user to a malicious Web site in a so-called "drive-by download" that's a common menace to Windows users but unheard of in the Mac world.

The problem stemmed from Safari's (and Mac OS X's) trust of certain file types, specifically ZIP archives. Attackers could pack a ZIP with malicious scripts that the Mac would automatically run, the German firm Heise Security said last week.

"This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)," Apple's alert read.

The speed with which Apple patched the vulnerability may impress Windows users -- who are used to waiting weeks if not months for fixes from Microsoft -- but it's not unusual, said Mike Murray, director of research at vulnerability management vendor nCircle.

"There are a couple of reasons why Apple could patch this so quickly," said Murray. "First of all, Safari's based on open-source code, and that code is pretty well understood. Second, the vulnerability didn't seem that complex."

The biggest factor in Apple's quick turnaround, however, has nothing to do with the Safari code or the bug.

"Internet Explorer is tied into the core of the [Windows] operating system," Murray said. "If you change IE, something could break on the OS. The QA cycle has to be much longer, since one little change could break the whole damn thing.

"But Safari is a stand-alone browser, like Firefox. If a patch introduces a bug in Safari, big deal. It's not affecting the [Mac] OS."

That's the reason why Apple could put together a patch within a week, and why, Murray added, Firefox developers can do the same when vulnerabilities are found in that cross-platform browser.

"Microsoft's strategy of tying the browser into the operating system has made it so much more difficult to patch," Murray added.

Apple's e-mail client has also been patched so that it will warn the user when a malicious attachment may be trying to disguise itself as a "safe" file type.

Safari accounted for 4 of the 17 fixes, including one in its RSS implementation. All four were serious -- judged "critical" by Danish vulnerability tracker Secunia -- since they allowed for remote code or script execution.

The update also fixes iChat, Apple's instant messaging client, so IM threats such as the recent OSX/Leap.a worm could be blocked. Leap.a was the first-ever Mac OS X worm.

"With this update, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers," Apple said in the alert.
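The download validation Apple describes for Safari (the ZIP auto-open problem above) and for iChat file transfers can be illustrated with this added example, which is not Apple's code: it opens a ZIP archive in memory and flags entries that should not be opened automatically. The script-extension list and the Mach-O magic numbers are assumptions chosen for illustration, and the sample archive is constructed inline; it includes a shell script named as an image so the check looks at content, not just the file name.

```python
import io
import posixpath
import zipfile
from typing import List, Optional, Tuple

# Assumed for illustration: extensions that would run rather than merely open.
SCRIPT_EXTENSIONS = {".sh", ".command", ".scpt", ".pl", ".py", ".rb", ".terminal", ".pkg"}
# Mach-O (32/64-bit, both byte orders) and universal-binary magic numbers.
MACHO_MAGIC = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Return why an archive entry looks executable, or None if it looks inert."""
    lower = name.lower()
    if "/contents/macos/" in lower:          # executable inside a .app bundle
        return "application bundle"
    if head.startswith(b"#!"):               # interpreter script, whatever the name
        return "shebang script"
    if head[:4] in MACHO_MAGIC:              # native binary, whatever the name
        return "Mach-O binary"
    ext = posixpath.splitext(lower)[1]
    if ext in SCRIPT_EXTENSIONS:
        return "script extension " + ext
    return None


def validate_download(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """List (entry, reason) pairs that should trigger a warning instead of auto-open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            head = b""
            if not info.is_dir():
                with zf.open(info) as fh:
                    head = fh.read(4096)     # content check uses only the first bytes
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample() -> bytes:
    """Constructed archive: two inert files, a disguised script, a .command, a bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("notes.txt", b"just text")
        zf.writestr("holiday.jpg", b"#!/bin/sh\necho hi\n")   # script named as an image
        zf.writestr("installer.command", b"echo run\n")
        zf.writestr("Tool.app/Contents/MacOS/Tool", b"\xcf\xfa\xed\xfe" + b"\x00" * 12)
    return buf.getvalue()
```

An archive with any finding is "unknown or unsafe" in the sense of the alert: the safe action is to warn and leave it unopened rather than launch its contents.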

Other patches in the update fixed a problem with the PHP programming language within the Apache server module, solved two issues in Apple's Directory Services, corrected a potential problem mounting malicious network servers, and quashed bugs in FileVault and IPSec within virtual private network (VPN) sessions.

Although the new Intel-based Macs have been issued an operating system update since they debuted in January -- from 10.4.4 to the current 10.4.5 -- this was the first security fix released for those machines.

Separate downloads are available on Apple's download site for Mac OS X 10.3.9 (Panther) clients and servers, as well as Mac OS X 10.4.5 (Tiger) Intel and PowerPC editions. Mac users who have Software Update enabled will automatically receive the update.