[ISN] Apple Fixes Critical Safari Bug, 16 Other Flaws

InfoSec News isn at c4i.org
Fri Mar 3 05:31:55 EST 2006


By Gregg Keizer
March 2, 2006 

Apple Computer on Wednesday released its first security update of 2006
to patch 17 bugs, including a critical flaw in the Safari browser and
a flaw in iChat that the first Mac OS X worm used to spread between
Macintosh machines.

The update, dubbed Security Update 2006-001, comes just over a week
after news broke of a critical flaw in the operating system and the
Safari Web browser, which prompted a vigorous defense of Mac security
by Apple users.

The Safari vulnerability could let attackers hijack a Mac simply by
enticing its user to a malicious Web site in a so-called "drive-by
download," a common menace to Windows users but, until now, essentially
unseen in the Mac world.

The problem stemmed from Safari (and Mac OS X) treating certain file
types, specifically ZIP archives, as safe to open automatically after
download. An attacker could pack a ZIP with a malicious shell script
disguised as a harmless file, and the Mac would run it when the archive
was opened, the German firm Heise Security reported last week.

"This update addresses the issue by performing additional download
validation so that the user is warned (in Mac OS X v10.4.5) or the
download is not automatically opened (in Mac OS X v10.3.9)," Apple's
alert read.

The speed with which Apple patched the vulnerability may impress
Windows users -- who are used to waiting weeks if not months for fixes
from Microsoft -- but it's not unusual, said Mike Murray, director of
research at vulnerability management vendor nCircle.

"There are a couple of reasons why Apple could patch this so quickly,"
said Murray. "First of all, Safari's based on open-source code, and
that code is pretty well understood. Second, the vulnerability didn't
seem that complex."

The biggest factor in Apple's quick turnaround, however, has nothing
to do with the Safari code or the bug.

"Internet Explorer is tied into the core of the [Windows] operating
system," Murray said. "If you change IE, something could break on the
OS. The QA cycle has to be much longer, since one little change could
break the whole damn thing.

"But Safari is a stand-alone browser, like Firefox. If a patch
introduces a bug in Safari, big deal. It's not affecting the [Mac]

That's the reason why Apple could put together a patch within a week,
and why, Murray added, Firefox developers can do the same when
vulnerabilities are found in that cross-platform browser.

"Microsoft's strategy of tying the browser into the operating system
has made it so much more difficult to patch," Murray added.

Mail, Apple's e-mail client, has also been patched so that it warns the
user when a malicious attachment may be disguising itself as a "safe"
file type.
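The "download validation" that Apple describes for Safari and for Mail above comes down to one check: does a file's content match what its name promises, and does anything in it look executable rather than viewable? The following is an added example written for this page, not Apple's code. It performs that check on a single file and, because the Safari case involved an archive that the system considered safe, on every member of a ZIP archive as well. The safe-extension list, the magic-byte tables and the sample archive are assumptions constructed for the example; it does not model Mac-specific metadata such as resource forks, which a real validator on Mac OS X would also have to consider.

```python
import io
import zipfile

# Extensions a browser or mail client might treat as "safe" to open
# automatically. This list is an assumption for the example, not Apple's.
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}

# Leading bytes that mean "this will execute, not display".
EXECUTABLE_MAGIC = (
    (b"#!", "script with shebang"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit executable"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit executable"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal binary"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "Windows PE executable"),
)

# What a file carrying a given extension should actually start with.
EXPECTED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
}


def extension_of(name):
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_blob(name, data):
    """Warnings for one name/content pair: executable content, or content
    that does not match what the extension promises."""
    warnings = []
    ext = extension_of(name)
    for magic, desc in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            warnings.append(f"{name}: {desc} disguised as .{ext or '(none)'}")
            break
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not data.startswith(expected):
        warnings.append(f"{name}: content does not match the .{ext} signature")
    return warnings


def validate_download(name, data):
    """Validate a downloaded file. A ZIP archive is opened and every member
    is checked too, since the archive itself is what looks 'safe'."""
    warnings = inspect_blob(name, data)
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    warnings.extend(inspect_blob(member, zf.read(info.filename)))
                    # external_attr holds Unix mode bits in its high 16 bits
                    # when the archive was built on a Unix system (create_system 3).
                    mode = info.external_attr >> 16
                    if info.create_system == 3 and mode & 0o111:
                        warnings.append(f"{member}: Unix execute bit set")
        except zipfile.BadZipFile:
            warnings.append(f"{name}: claims to be a ZIP but cannot be parsed")
    return warnings


def safe_to_auto_open(name, data):
    """The decision a browser or mail client must make before opening a
    download on its own: safe extension AND no validation warnings."""
    return extension_of(name) in SAFE_EXTENSIONS and not validate_download(name, data)


def build_sample_archive():
    """Constructed sample, not a real capture: a ZIP whose member is a shell
    script named like a photo, with the Unix execute bit set, beside a
    minimal genuine JPEG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("latest_pics/photo.jpg")
        info.create_system = 3            # Unix, so external_attr carries mode bits
        info.external_attr = 0o755 << 16  # rwxr-xr-x
        zf.writestr(info, b"#!/bin/sh\necho 'this would have run'\n")
        zf.writestr("latest_pics/real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for w in validate_download("latest_pics.zip", archive):
        print("WARNING", w)
    print("auto-open:", safe_to_auto_open("latest_pics.zip", archive))
```

The sample archive produces three warnings, all for the disguised script: its shebang, its mismatch with the JPEG signature, and its execute bit. Checking the content rather than trusting the name is the whole point; an extension-only policy is exactly what let the archive through, which is why the archive case walks the members instead of stopping at the outer `.zip`.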

Safari accounted for 4 of the 17 fixes, including one in its RSS
implementation. All four were serious -- judged "critical" by Danish
vulnerability tracker Secunia -- since they allowed for remote code or
script execution.

The update also fixes iChat, Apple's instant messaging client, so that
instant-messaging threats such as the recent OSX/Leap.a worm, the
first-ever Mac OS X worm, can be blocked.

"With this update, iChat now uses Download Validation to warn of
unknown or unsafe file types during file transfers," Apple said in the

Other patches in the update fixed a flaw in the PHP module for the
bundled Apache Web server, solved two issues in Apple's Directory
Services, corrected a potential problem when mounting malicious network
servers, and quashed bugs in FileVault and in IPSec within virtual
private network (VPN) sessions.

Although the new Intel-based Macs have been issued an operating system
update since they debuted in January -- from 10.4.4 to the current
10.4.5 -- this was the first security fix released for those machines.

Separate downloads are available on Apple's download site for Mac OS X
10.3.9 (Panther) clients and servers, as well as Mac OS X 10.4.5
(Tiger) Intel and PowerPC editions. Mac users who have Software Update
enabled will automatically receive the update.

Copyright © 2005 CMP Media LLC
