Apple computer on Wednesday 3/2/2006 patched 20 security holes ranging from denial-of-service to very serious code execution flaws. Apple's security update 2006-001 fixes the following issues in OS X 10.3.9 to 10.4.5:
- Multiple PHP 4.4 issues in apache_mod_php.
- OS X File server DoS or arbitrary code execution with automount.
- Directory traversal issue in BOM, a framework that handles certain archive files.
- Directory services issue where local users can modify files as root.
- FileVault issue that allows files to be accessed when FileVault images are created.
- IPSec denial of service flaw.
- Arbitrary code execution flaw in LibSystem. (OS 10.4.5 only)
- Mail fails to validate certain disguised files which are unsafe. (OS 10.4.5 only)
- Perl continues to run as root even when privileges are suppose to drop. (OS 10.3.9 only)
- Rsync flaw that can lead to a crash or arbitrary code execution. (OS 10.4.5 only)
- Three serious arbitrary code execution flaws in Safari.
- Safari can access local files that shouldn't be accessible.
- Safari and LaunchServices can launch arbitrary code when viewing malicious websites. This fix patches the critical zero-day exploit released last month.
- RSS syndication flaw that may lead to cross-site scripting. (OS 10.4.5 only)
Apple's update also included two enhancements that tighten security. The first is an improvement in FileVault that gives it more restrictive OS privileges. The second adds additional warnings to iChat to warn users about unsafe files like the Leap.A worm.