RealTime IT News

Latest Apple Update Includes Safari

Apple users, it's time to update your systems again.

Apple has released Security Update 2006-003, which addresses some 25 different vulnerabilities, including at least one in its Safari Web browser.

The new Apple update includes a fix for CVE-2006-1457, which also addresses an issue related to downloading files. According to Apple, the flaw could potentially be exploited " when Safari's "Open 'safe' files after downloading" option is enabled" and archives are automatically expanded.

"If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched."

A flaw in Apple's CFNetwork, which is a framework providing a library of abstractions for network protocols, could potentially lead to arbitrary code execution as well.

CFNetwork is utilized by Safari as well as other Apple applications.

Safari has been the subject of numerous security-related updates this year already.

The most notorious update was the zero-day exploit that could potentially allow a dangerous file to unsuspectingly end up on a user's desktop.

That flaw was followed by an update, and then another update to an update to finally lock down.

The Finder function also had a potentially exploitable flaw that could also have led to arbitrary code execution by simply launching an Internet Location item. An attacker could have tricked a user into launching an item by hiding an item in the Internet Location container that a user might not have expected.

A flaw in how Apple's ImageIO handles JPEG images could also have potentially enabled an attacker to execute arbitrary code.

The flaw to Apple's description involves an "an integer overflow in the processing of JPEG metadata that may result in a heap buffer overflow." An attacker that crafts an image with malformed JPEG metadata could trigger the arbitrary code execution as soon as the user views the maliciously created image.

Microsoft Windows users have seen such JPEG metadata flaws in the past, which for the most part have not affected Apple users.

Other flaws addressed by Security Update 2006-003 include AppKit, BOM, CoreFoundation, CoreGraphics, Keychain, Mail and QuickDraw.

Security firm Secunia rated the aggregate of all the vulnerabilities in the update as being "highly critical."