Security Update 2006-001 is out, and as I write this, Software Update is downloading and installing it, as well as updates to iTunes (bringing it to version 6.0.4) and iPhoto (to 6.0.2).
The full lowdown on the contents of Security Update 2006-001 can be found in this knowledge base article, and it includes the Safari and LaunchServices fixes that we have been hoping for ever since the announcement of the gaping hole about two weeks ago. Safari performs additional download validation and displays a warning message, as does Mail, which was also reported to be vulnerable. iChat also incorporates download validation to prevent the spread of viruses like the Leap.A virus, whose existence was also recently published.
The security update does include other fixes – to apache_mod_php, automount, BOM, Directory Services, FileVault, IPSec, LibSystem, rsync and Syndication. Another couple of holes in Safari are also patched.
The iTunes and iPhoto updates relate to Front Row sharing issues.
So the question now is: two weeks – was that a reasonable turnaround time, or far too slow? Share your thoughts in the comments.
Update: Having now rebooted, I can confirm that the update has fixed the issue detailed in the Secunia advisory. Clicking on the link will download the file, but this time, the “This file may contain an application” prompt is displayed. One issue does remain: in the Finder, that proof-of-concept file still retains its QuickTime movie icon. It remains to be seen whether Apple will decide to do anything about this, which is likely a more complicated problem.