This breaks the proof of concept worms that 'ravaged' the Mac user community...

Mar 2, 2006 13:40 GMT

Apple has released Security Update 2006-001, which fixes the file "cross-dressing" issues that were used in some of the proof of concept worms which stirred the media recently. The update also fixes the issue of automatically opening "safe" files that were in fact scripts or other types of files disguised as images. In addition to Mail and Safari, whose scanning procedures have been updated, iChat now performs the same scan to determine whether files are trustworthy.

In addition to these, there are many other security issues addressed. The update is recommended for all users (Mac OS X 10.3.9, Mac OS X 10.4.5) and can be downloaded via Software Update.

The full list of all the components addressed:

■ apache_mod_php
■ automount
■ Bom
■ Directory Services
■ iChat: A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
■ IPSec
■ LaunchServices
■ LibSystem
■ loginwindow
■ Mail: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.
■ rsync
■ Safari (more fixes in the linked article below)
■ Safari, LaunchServices: Impact: Viewing a malicious web site may result in arbitrary code execution. Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open 'safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
■ Syndication
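The Mail and Safari entries above describe the same defect: a "safe file" decision made from the file's name or declared type rather than its contents. The following is an added illustration of a content-based check, not Apple's Download Validation code; the safe-extension list, magic-byte table and sample files are constructed for the example.

```python
"""Content-based download validation: decide whether a downloaded file is
what its name claims by inspecting its bytes, not just its extension.
Added example; the type tables below are assumptions, not Apple's lists."""
from __future__ import annotations

# Extensions an auto-open feature would treat as harmless (constructed list).
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes that identify the real content type (constructed table).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"#!", "script"),                 # shebang: shell or other interpreter
    (b"\xfe\xed\xfa\xce", "mach-o"),   # 32-bit Mach-O, big-endian
    (b"\xfe\xed\xfa\xcf", "mach-o"),   # 64-bit Mach-O, big-endian
    (b"\xce\xfa\xed\xfe", "mach-o"),   # 32-bit Mach-O, little-endian
    (b"\xcf\xfa\xed\xfe", "mach-o"),   # 64-bit Mach-O, little-endian
    (b"\xca\xfe\xba\xbe", "mach-o"),   # universal (fat) binary
]
EXECUTABLE_TYPES = {"script", "mach-o"}

def sniff_type(data: bytes) -> str:
    """Classify content by its first bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def validate_download(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (safe_to_auto_open, reason). A file is auto-opened only when
    both the extension and the content say it is a safe, non-executable type;
    anything unrecognised fails closed and is left for the user to confirm."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    if ext not in SAFE_EXTENSIONS:
        return False, f"extension '.{ext}' is not on the safe list"
    if actual in EXECUTABLE_TYPES:
        return False, f"named '{filename}' but content is {actual}: warn user"
    if actual == "unknown":
        return False, "content type could not be confirmed: warn user"
    return True, f"content ({actual}) matches safe extension '.{ext}'"

if __name__ == "__main__":
    # Constructed samples: a real JPEG header, and a shell script named like an image.
    for name, blob in {"photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                       "holiday.jpg": b"#!/bin/sh\necho not an image\n"}.items():
        print(name, validate_download(name, blob))
```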