The update, dubbed Security Update 2006-001, comes just over a week after news broke of a critical flaw in the operating system and the Safari Web browser, leading to intense defense of Mac security by Apple users.
The Safari vulnerability could let attackers hijack a Mac simply by enticing its user to a malicious Web site in a so-called "drive-by download" that's a common menace to Windows users but unheard of in the Mac world.
The problem stemmed from Safari's (and Mac OS X's) trust of certain file types, specifically ZIP archives. Attackers could pack a ZIP with malicious scripts that the Mac would automatically run, the German firm Heise Security said last week.
"This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)," Apple's alert read.
The speed with which Apple patched the vulnerability may impress Windows users -- who are used to waiting weeks if not months for fixes from Microsoft -- but it's not unusual, said Mike Murray, director of research at vulnerability management vendor nCircle.
"There are a couple of reasons why Apple could patch this so quickly," said Murray. "First of all, Safari's based on open-source code, and that code is pretty well understood. Second, the vulnerability didn't seem that complex."
The biggest factor in Apple's quick turnaround, however, has nothing to do with the Safari code or the bug.
"Internet Explorer is tied into the core of the [Windows] operating system," Murray said. "If you change IE, something could break on the OS. The QA cycle has to be much longer, since one little change could break the whole damn thing.
"But Safari is a stand-alone browser, like Firefox. If a patch introduces a bug in Safari, big deal. It's not affecting the [Mac] OS."
That's the reason why Apple could put together a patch within a week, and why, Murray added, Firefox developers can do the same when vulnerabilities are found in that cross-platform browser.
"Microsoft's strategy of tying the browser into the operating system has made it so much more difficult to patch," Murray added.
