Apple releases security tweak aimed at recent malware


Last evening, Apple released the first security update for 2006 (Security Update 2006-001 for Intel and PPC). Detailed information is online in About Security Update 2006-001. More details follow here, but the summary is that they have addressed a wide variety of problems, including just about every facet of the malware discussed in recent articles on this site.

For the client machines (if you're not running server, these apply to you):

  • Archives might have been unpacked into unexpected areas of the disk (you could be unpacking a "tar" file in your Desktop and have a file end up in your root directory or a configuration directory, or perhaps your personal or system Application directory)
  • Safari updated to be more rigorous about unpacking and downloading files
  • Mail updated to be more rigorous about unpacking and downloading files
  • Perl code will now drop privileges correctly
  • Arbitrary execution bugs in Javascript for Safari (web and RSS) are now fixed
  • iChat has been updated to use the same download validation as Safari when opening files being sent by other iChat users.

And for those running server, there are a few additional ones of interest:

  • apache_mod_php, updated to php 4.4.1 to resolve a variety of issues.