Security Update 2010-004 available as a separate download from Apple

Jun 16, 2010 08:16 GMT

A document that describes the content of Security Update 2010-004 and the security content of Mac OS X v10.6.4 has been posted online by Apple. The update(s) in question can be downloaded and installed via the Mac OS X Software Update mechanism, from Apple Downloads, as well as from Softpedia.

As is the case with most major system updates released by Apple for users of its Macintosh computers, a separate download dubbed “security update” is posted to the company’s Support area. This time, it marks the release of Security Update 2010-004, which delivers fixes for all the recently discovered vulnerabilities in Apple’s Leopard and Snow Leopard operating systems.

According to knowledge base article HT4188 over at Apple’s Support area, most of the fixes included in this update apply to Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.3, and Mac OS X Server v10.6 through v10.6.3. Since Safari 5 is included with Mac OS X 10.6.4, Apple’s latest maintenance release for Snow Leopard, the security holes Apple fixed with the browser are mentioned in a separate support document.

For Mac OS X Snow Leopard, Apple has fixed a total of 23 security issues. For example, the Mac maker reveals that, “When ‘Apply to enclosed items…’ is selected in the ‘Get Info’ window in the Finder, the ownership of the enclosed items is not changed. This may cause the enclosed files and folders to have unexpected permissions.” Apple has addressed the problem by applying the correct ownership, and credits Michi Ruepp of pianobakery.com for finding and reporting the bug.
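
A check an administrator could run on a folder after using ‘Apply to enclosed items…’, as an added example that is not from Apple or the original article: it lists enclosed items whose owner or group differs from the top-level folder. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile


def find_ownership_mismatches(root, uid=None, gid=None):
    """Return sorted (path, uid, gid) tuples for enclosed items whose
    ownership differs from the expected uid/gid.

    The expected values default to the owner and group of `root` itself.
    lstat() is used so a symlink is judged on its own ownership and is
    never followed out of the tree.
    """
    top = os.lstat(root)
    want_uid = top.st_uid if uid is None else uid
    want_gid = top.st_gid if gid is None else gid
    mismatches = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # item vanished while the tree was being walked
            if st.st_uid != want_uid or st.st_gid != want_gid:
                mismatches.append((path, st.st_uid, st.st_gid))
    return sorted(mismatches)


def build_sample_tree():
    """Constructed sample input: a folder holding one file and one nested file."""
    root = tempfile.mkdtemp(prefix="enclosed-")
    os.makedirs(os.path.join(root, "sub"))
    for rel in ("a.txt", os.path.join("sub", "b.txt")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    import sys
    # Audit the folder given on the command line, or the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, uid, gid in find_ownership_mismatches(target):
        print(f"{uid}:{gid}\t{path}")
```

An empty result means every enclosed item carries the same owner and group as the folder that was audited.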

Issues with the Flash Player plug-in are also addressed in the latest Mac security update. Apple claims that, “Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to unauthorized cross-domain requests. The issues are addressed by updating the Flash Player plug-in to version 10.0.45.2,” and directs customers to Adobe’s Support / Security site for more information.

“A directory traversal issue exists in iChat's handling of inline image transfers,” reads the description of another security hole over at Apple’s Support area. “A remote user may upload files to arbitrary locations on the filesystem of a user currently using AIM in iChat. This issue is addressed through improved handling of file paths.” The Mac maker credits none other than itself for patching this hole.

Affecting only users of Mac OS X Leopard, an issue allowing a local user to obtain system privileges is also detailed by Apple. According to the Mac maker, “NetAuthSysAgent does not require authorization for certain operations,” which may lead to the aforementioned system breach by any local user. “This issue is addressed by requiring authorization for additional operations,” Apple reveals, adding that Snow Leopard users remain unaffected by this vulnerability.

See Apple’s Support section here to get the full scoop on the content of Security Update 2010-004 / Mac OS X v10.6.4.
