Apple Software for the Enterprise

Rixstep
	`About \| ACP \| Buy \| Industry Watch \| Learning Curve \| News \| Search \| Test`

Home » Industry Watch

OS X Security Update 2006-003

Apple pull out all the stops.

Credit where credit's due: this is a massive security update; a cursory look through the documentation reveals one phrase recurring more than any: 'arbitrary code execution'. Apple have taken most of the recent advisories and put them together in one huge fix.

This is something you want to get now.

http://docs.info.apple.com/article.html?artnum=303737

AppKit	Characters entered into a secure text field can be read by other applications in the same window session.
AppKit, ImageIO	Viewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution.
BOM	Expanding an archive may lead to arbitrary code execution.
BOM	Expanding a malicious archive may cause arbitrary files to be created or overwritten.
CFNetwork	Visiting malicious web sites may lead to arbitrary code execution.
ClamAV	Processing maliciously crafted email messages with ClamAV may lead to arbitrary code execution.
CoreFoundation	Registration of an untrusted bundle may lead to arbitrary code execution.
CoreFoundation	String conversions to file system representation may lead to arbitrary code execution.
CoreGraphics	Characters entered into a secure text field can be read by other applications in the same window session.
Finder	Launching an Internet location item may lead to arbitrary code execution.
FTPServer	FTP operations by authenticated FTP users may lead to arbitrary code execution.
Flash Player	Playing Flash content may lead to arbitrary code execution.
ImageIO	Viewing a maliciously crafted JPEG image may lead to arbitrary code execution.
Keychain	An application may be able to use Keychain items when the Keychain is locked.
LaunchServices	Viewing a malicious web site may lead to arbitrary code execution.
libcurl	URL handling in libcurl may lead to arbitrary code execution.
Mail	Viewing a malicious mail message may lead to arbitrary code execution. (Two fixes.)
MySQL Manager	MySQL database may be accessed with an empty password.
Preview	Navigating a maliciously crafted directory hierarchy may lead to arbitrary code execution.
QuickDraw	Viewing a maliciously crafted PICT image may lead to arbitrary code execution.
QuickTime Streaming Server	A malformed QuickTime movie can cause QuickTime Streaming Server to crash.
QuickTime Streaming Server	Maliciously crafted RTSP requests may lead to crashes or arbitrary code execution.
Ruby	Ruby safe level restrictions may be bypassed.
Safari	Visiting malicious web sites may lead to file manipulation or arbitrary code execution.

Good work, Apple.