Apple Misses Bugs, Offers Fix
Security Update 2006-002 corrects three problems that the earlier update missed for the Safari browser and other components, and also patches two new vulnerabilities, one in the Mail client. If not fixed, the Mail bug could give attackers a way to run their code on Macs.
The first day of this month, Apple issued a much larger update that plugged 17 security holes in the Mac OS X and bundled applications, including a zero-day vulnerability that could let attackers hijack machines using "drive-by download" tactics.
2006-002 patches drive-by download vulnerabilities that Apple missed. "This update provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened," Apple said in the advisory.
Errors in the previous update's fixes for an Apache PHP script language bug and a flaw in the "rsync" file transfer utility have also been corrected, said Apple.
Of the two new vulnerabilities, the Mail bug is the most serious. It could allow attackers armed with specially-crafted messages and attachments to create a buffer overflow on a Mac, which in turn might let the hacker install other code, such as a Trojanized bot or backdoor, on the machine. End result: hijacked Mac.
The other involves how Mac OS X handles documents containing JavaScript: attackers could create a malicious file and stick it on a Web site. When opened, the document could bypass certain security restrictions.
Danish vulnerability tracker Secunia lumped the five bugs under an "extremely critical" rating, its highest.
Separate downloads are available on Apple Downloads for Mac OS X 10.3.9 (Panther) clients and servers, as well as Mac OS X 10.4.5 (Tiger) Intel and PowerPC clients. Mac users who have Software Update enabled will automatically receive the update.