About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Industry Watch

OS X Security Update 2006-003

Apple pull out all the stops.


Credit where credit's due: this is a massive security update; a cursory look through the documentation reveals one phrase recurring more than any: 'arbitrary code execution'. Apple have taken most of the recent advisories and put them together in one huge fix.

This is something you want to get now.

http://docs.info.apple.com/article.html?artnum=303737

AppKitCharacters entered into a secure text field can be read by other applications in the same window session.
AppKit, ImageIOViewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution.
BOMExpanding an archive may lead to arbitrary code execution.
BOMExpanding a malicious archive may cause arbitrary files to be created or overwritten.
CFNetworkVisiting malicious web sites may lead to arbitrary code execution.
ClamAVProcessing maliciously crafted email messages with ClamAV may lead to arbitrary code execution.
CoreFoundationRegistration of an untrusted bundle may lead to arbitrary code execution.
CoreFoundationString conversions to file system representation may lead to arbitrary code execution.
CoreGraphicsCharacters entered into a secure text field can be read by other applications in the same window session.
FinderLaunching an Internet location item may lead to arbitrary code execution.
FTPServerFTP operations by authenticated FTP users may lead to arbitrary code execution.
Flash PlayerPlaying Flash content may lead to arbitrary code execution.
ImageIOViewing a maliciously crafted JPEG image may lead to arbitrary code execution.
KeychainAn application may be able to use Keychain items when the Keychain is locked.
LaunchServicesViewing a malicious web site may lead to arbitrary code execution.
libcurlURL handling in libcurl may lead to arbitrary code execution.
MailViewing a malicious mail message may lead to arbitrary code execution. (Two fixes.)
MySQL ManagerMySQL database may be accessed with an empty password.
PreviewNavigating a maliciously crafted directory hierarchy may lead to arbitrary code execution.
QuickDrawViewing a maliciously crafted PICT image may lead to arbitrary code execution.
QuickTime Streaming ServerA malformed QuickTime movie can cause QuickTime Streaming Server to crash.
QuickTime Streaming ServerMaliciously crafted RTSP requests may lead to crashes or arbitrary code execution.
RubyRuby safe level restrictions may be bypassed.
SafariVisiting malicious web sites may lead to file manipulation or arbitrary code execution.

Good work, Apple.

About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.