March hasn’t been a particularly good month for Apple from a security standpoint. Mac users are now being treated to their second patch update in fewer than two weeks, and according to one security research firm, there are still unresolved issues.
Apple Security Update 2006-002 fixes a number of issues not fixed in update 2006-001 issued at the beginning of March.
One issue was a fix for a zero-day exploit that left Safari users at risk from malicious sites that could have automatically downloaded arbitrary code onto a Mac.
The 2006-002 update, according to Apple’s advisory, “provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened.”
The new update also fixes a download validation issue introduced in the 2006-001 update.
Apparently a user could have been erroneously warned about safe file types that carried custom icons. Such false positives could have been reported for safe Word documents, among others.
The release also updates rsync and apache_mod_php, whose 2006-001 versions introduced regressions that broke some functionality.
The 2006-002 update includes fixes for new issues, as well. A fix for CVE-ID: CVE-2006-0396 corrects an issue that could have allowed a maliciously crafted Mail attachment to trigger a buffer overflow.
An included fix for CVE-ID: CVE-2006-0400 addresses an issue that could have enabled a malicious remote Web site to bypass the same-origin policy, which is supposed to restrict JavaScript data access.
The aggregate criticality of the vulnerabilities disclosed in Apple’s 2006-002 update, according to security firm Secunia, is “highly critical.”
Nor does the update appear to patch all of Apple’s outstanding publicly reported issues. Security firm eEye has claimed that iTunes and QuickTime are at risk from a pair of as-yet-unpatched vulnerabilities.
“As far as we know, this update does not address our issues,” Steve Manzuik, eEye security product manager, told internetnews.com.