

Security Update 2006-001 is out, and as I write this, Software Update is downloading and installing it, as well as an update to iTunes (bringing it to version 6.0.4) and iPhoto (to 6.0.2).

The full lowdown on the contents of Security Update 2006-001 can be found in this knowledge base article, and it includes the Safari and LaunchServices fixes that we have been hoping for ever since the announcement of the gaping hole about two weeks ago. Safari performs additional download validation and displays a warning message, as does Mail, which was also reported to be vulnerable. iChat also incorporates download validation to prevent the spread of viruses like the Leap.A virus, whose existence was also recently published.

The security update does include other fixes – to apache_mod_php, automount, BOM, Directory Services, FileVault, IPSec, LibSystem, rsync and Syndication. Another couple of holes in Safari are also patched.

The iTunes and iPhoto updates relate to Front Row sharing issues.

So the question now is: two weeks – was that a reasonable turnaround time, or far too slow? Share your thoughts in the comments.

Update: Having now rebooted, I can confirm that the update has fixed the issue detailed in the Secunia advisory. Clicking on the link will download the file, but this time, the “This file may contain an application” prompt is displayed. One issue does remain – in the Finder, that proof-of-concept file still retains its QuickTime movie icon – it remains to be seen whether Apple will decide to do anything about this, likely a more complicated problem.
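The fix described above boils down to one principle: decide what a download is from its bytes, not from the extension or the icon it carries. The script below is an added example of that check, not code from the post or from Apple. It sniffs the leading bytes of a file for a shebang, a Mach-O header, or a few well-known document signatures, compares that with what the extension claims, and flags anything executable or mismatched. The function names and the sample inputs are my own constructions; the magic values are the publicly documented ones.

```python
import os
import sys

# Signatures of common "safe" document types, keyed by their leading bytes.
DOCUMENT_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}

# Mach-O magic numbers (32/64-bit, both byte orders) plus the universal-binary
# header. Note: 0xcafebabe is also the Java class-file magic, so treat that one
# as "native or Java code" rather than a document either way.
MACHO_MAGIC = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}

# QuickTime/ISO media files carry a 4-byte atom size followed by a type code.
QT_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip"}

# What a given extension claims the file is (assumed mapping for this example).
EXTENSION_KIND = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png",
    ".pdf": "pdf", ".zip": "zip", ".mov": "quicktime",
}


def sniff_content(head: bytes) -> str:
    """Classify a file by its leading bytes alone; name and icon are ignored."""
    if head.startswith(b"#!"):
        return "script"
    if head[:4] in MACHO_MAGIC:
        return "mach-o"
    for magic, kind in DOCUMENT_MAGIC.items():
        if head.startswith(magic):
            return kind
    if len(head) >= 8 and head[4:8] in QT_ATOMS:
        return "quicktime"
    return "unknown"


def check_bytes(name: str, head: bytes) -> dict:
    """Compare the kind declared by the extension with the kind the bytes show."""
    ext = os.path.splitext(name)[1].lower()
    declared = EXTENSION_KIND.get(ext, "unknown")
    actual = sniff_content(head)
    executable = actual in ("script", "mach-o")
    if executable:
        verdict = "executable content; not a safe document"
    elif declared != "unknown" and actual != "unknown" and declared != actual:
        verdict = "content does not match extension"
    else:
        verdict = "consistent"
    return {"name": name, "declared": declared, "actual": actual,
            "executable": executable, "verdict": verdict}


def check_download(path: str) -> dict:
    """Read the first 16 bytes of a file on disk and run check_bytes on them."""
    with open(path, "rb") as f:
        head = f.read(16)
    return check_bytes(os.path.basename(path), head)


if __name__ == "__main__":
    # Constructed samples: a genuine JPEG header, a shell script with no
    # extension (the shape of the advisory's proof of concept), and a file
    # whose .mov extension disagrees with its PDF content.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "latestpics": b"#!/bin/sh\necho hello\n",
        "trailer.mov": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    }
    for name, head in samples.items():
        r = check_bytes(name, head)
        print(f"{name:12} declared={r['declared']:10} actual={r['actual']:10} -> {r['verdict']}")
    for path in sys.argv[1:]:
        print(check_download(path))
```

Run it with one or more paths from your downloads folder to get a verdict per file; anything reported as executable or mismatched is exactly the sort of file the "This file may contain an application" prompt now exists for, and is worth a second look before opening. This is deliberately a content check, not an icon check: the leftover Finder-icon problem mentioned above lives in file metadata, which this script ignores on purpose.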

  1. I think it’s perfectly reasonable. This trojan thing was really blown way out of proportion. I didn’t even bother unchecking the Open “safe” files pref. Now I don’t have to.

  2. Keeping in mind that we did report the ZIP/”open safe files after downloading” vulnerability straight from the German dude who discovered it, before Secunia and most other news outlets picked it up :) Not that we’re the place to look at for security, but this time around, we did sorta kinda scoop it before mainstream :o :D

  3. I can confirm that the altered image/movie file no longer auto-opens, but other tests I’ve done at http://www.cootey.com/temp/mactest.html still open because Safari feels they are safe (they are a GIF and a PDF file). And as you’ve pointed out, this does nothing to address the false icon on malware issue. Trojans are still very much a possibility, though this is a problem on all platforms.

    I think Apple acted promptly. I had expected the fix by month’s end and technically February is a short month. There is more work to be done, of course, but overall I’m pleased. Personally, I like having Safari open up “safe” files. But I can’t imagine it is a feature that will remain the more vulnerabilities like this spring up. And honestly, I question why Safari and BOM should auto launch archived documents in the first place. This is just a problem begging to be exploited.

    ~Douglas

  4. Don’t most of us disable options like that anyway? Just because I’m downloading a PDF doesn’t mean I want to look at it right now; in fact, usually that’s not the case.

    As Douglas said, he likes it opening the safe files… but you can also just double-click the file in the downloads window, no?

    I would also agree with Douglas in that they will probably be disabling that default rather soon (I actually expected it in this update).
