Apple Plugs iChat, Safari Security Holes
In its first standalone security update for 2006, Apple on Wednesday plugged 17 flaws affecting both Mac OS X 10.3 and 10.4. The fixes come after two potential vulnerabilities -- one in iChat and another in Safari -- were heavily publicized and brought warnings from security experts that Macs are not immune from malware.
The first claims of a Mac "virus" surfaced mid-February with the discovery of Leap.A, which is distributed as an archive. Once Leap.A is activated, when any iChat user changes his or her status, the worm initiates a file transfer for the latestpics.tgz archive.
The file transfer takes place in the background and is hidden from the user. In addition, the malware replaces all applications that have been used in the last month with itself, saving the original executable as a resource fork with the same filename.
Shortly after reports of Leap.A hit the Web, Apple downplayed the threat and said it was not a virus. As part of Wednesday's security update, the company said, "iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers."
A second flaw in Mac OS X was publicized last week, pertaining to the way Safari executes what it believes are "safe" files after downloading. A file could actually be a malicious script, which is executed using the operating system's Terminal application, rather than the movie or picture it masquerades as.
In Wednesday's advisory, Apple says, "This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)."
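As an added illustration of the kind of download validation described above (this is not Apple's code and not the exact check the update introduced), the following script compares a downloaded file's declared extension with its leading bytes and flags shell scripts posing as images or movies. The function names, the magic-byte table and the sample files are all constructed for this example.

```python
import os

# Constructed magic-byte table for a few content types a browser might treat
# as "safe" to open automatically (images and QuickTime movies). Not Apple's list.
MAGIC = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}
# QuickTime files begin with a 4-byte atom size followed by a 4-byte atom type.
QT_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip"}


def validate_download(filename: str, data: bytes) -> str:
    """Classify a download as 'ok', 'script', 'mismatch' or 'unknown'.

    'ok'       the bytes match what the extension claims
    'script'   the bytes start with a shebang, whatever the extension says
    'mismatch' the extension claims a safe type but the bytes disagree
    'unknown'  extension not in the table; never auto-open these
    """
    ext = os.path.splitext(filename)[1].lower()
    if data.lstrip().startswith(b"#!"):
        return "script"
    if ext in (".mov", ".qt"):
        return "ok" if len(data) >= 8 and data[4:8] in QT_ATOMS else "mismatch"
    if ext in MAGIC:
        return "ok" if any(data.startswith(m) for m in MAGIC[ext]) else "mismatch"
    return "unknown"


def safe_to_auto_open(filename: str, data: bytes) -> bool:
    """Only a verified match between name and content qualifies for auto-open."""
    return validate_download(filename, data) == "ok"


# Constructed sample downloads (not real files).
SAMPLES = {
    "photo.jpg":    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "clip.mov":     b"\x00\x00\x00\x14ftypqt  ",
    "vacation.jpg": b"#!/bin/sh\necho hello\n",   # script wearing an image name
    "logo.jpg":     b"\x89PNG\r\n\x1a\n",          # real image, wrong extension
    "report.pdf":   b"%PDF-1.4",                   # type not in the table
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} -> {validate_download(name, blob)}")
```

A real implementation would also need to consult the file's resource fork and Launch Services binding, since a bare extension check does not see which application the system will actually hand the file to.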
The 15 other fixes include three other flaws in Safari, additional download validation in Apple Mail, improvements to FileVault, and fixes in Unix applications that are bundled with Mac OS X, including PHP, Rsync and Perl. Apple has also patched a cross-site scripting vulnerability in its RSS feed handling.
Mac OS X users can download the update now via Software Update.