Apple corrects patch trouble

Second Mac OS X security update in two weeks corrects problems introduced by earlier patch and fixes newly discovered flaws.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
Apple Computer on Monday released the second set of Mac OS X security fixes in two weeks.

Security Update 2006-002 corrects problems caused by the company's previous patch and fixes newly discovered security flaws, some of which could let an attacker run code on a computer with the same privileges as the user, the company said on its Web site.

"This Security Update includes some upgrades to our download validation mechanism and strengthens it," Bud Tribble, Apple's vice president of software technology, told CNET News.com. "We reduced the number of false positives it gives."

Earlier this month Apple released a security update for its operating system to plug 20 holes. That update added download validation to the Safari Web browser, Apple Mail client and iChat instant-messaging tool. The function warns people that a download could be malicious when they click on the link.

However, download validation has been sounding the alarm on harmless files. "Security Update 2006-001 could cause the user to be warned when provided with certain safe file types, such as Word documents, and folders containing custom icons," Apple said in its security alert. The new update fixes that problem, the company said.

Additionally, Apple's previous update didn't entirely fix the problem. Malicious files could still run without any user action, Apple said. "This update provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened," according to the alert.

The earlier patch also introduced errors with the PHP scripted programming language and "rsync" file transfer utility, Apple said. The PHP issue may prevent SquirrelMail from running and the rsync "--delete" command may not work, the company said. That is now corrected.

The new security update also fixes a pair of newly discovered flaws. One bug is a buffer overflow error in Apple Mail that could be triggered by enticing a user to double click on an e-mail attachment, Apple said. The bug could let an attacker run code in the context of the user, the company said.

The second flaw is related to how Mac OS X handles documents that contain JavaScript. An attacker could craft a file and host it on a remote Web site that would bypass certain access restrictions on a Mac when opened, according to Apple's advisory.

Security-monitoring company Secunia rates Apple's new fix "extremely critical," its highest-risk rating that's not often awarded.

While Apple urges its users to install the patches, there is no immediate risk of attack, Tribble said. "None of these issues are things where there are exploits in the wild," he said. "In a way you can say these are pre-emptive fixes to prevent problems from arising."

The new patch comes after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms and the disclosure of a serious vulnerability. Security experts also were questioning the effectiveness of Apple's latest patch, suggesting the company should add protection at a deeper level in the system.

Security Update 2006-002 can be downloaded and installed via the Software Update feature in Mac OS X or from Apple Downloads.