March 13, 2006 4:15 PM PST

Apple corrects patch trouble

Apple Computer on Monday released the second set of Mac OS X security fixes in two weeks.

Security Update 2006-002 corrects problems caused by the company's previous patch and fixes newly discovered security flaws, some of which could let an attacker run code on a computer with the same privileges as the user, the company said on its Web site.

"This Security Update includes some upgrades to our download validation mechanism and strengthens it," Bud Tribble, Apple's vice president of software technology, told CNET News.com. "We reduced the number of false positives it gives."

Earlier this month Apple released a security update for its operating system to plug 20 holes. That update added download validation to the Safari Web browser, Apple Mail client and iChat instant-messaging tool. The function warns people that a download could be malicious when they click on the link.

However, download validation has been sounding the alarm on harmless files. "Security Update 2006-001 could cause the user to be warned when provided with certain safe file types, such as Word documents, and folders containing custom icons," Apple said in its security alert. The new update fixes that problem, the company said.

Additionally, Apple's previous update didn't entirely fix the problem. Malicious files could still run without any user action, Apple said. "This update provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened," according to the alert.

The earlier patch also introduced errors with the PHP scripted programming language and "rsync" file transfer utility, Apple said. The PHP issue may prevent SquirrelMail from running and the rsync "--delete" command may not work, the company said. That is now corrected.

The new security update also fixes a pair of newly discovered flaws. One bug is a buffer overflow error in Apple Mail that could be triggered by enticing a user to double click on an e-mail attachment, Apple said. The bug could let an attacker run code in the context of the user, the company said.

The second flaw is related to how Mac OS X handles documents that contain JavaScript. An attacker could craft a file and host it on a remote Web site that would bypass certain access restrictions on a Mac when opened, according to Apple's advisory.

Security-monitoring company Secunia rates Apple's new fix "extremely critical," its highest risk rating, which is not often awarded.

While Apple urges its users to install the patches, there is no immediate risk of attack, Tribble said. "None of these issues are things where there are exploits in the wild," he said. "In a way you can say these are pre-emptive fixes to prevent problems from arising."

The new patch comes after weeks of scrutiny of the safety of OS X, prompted by the discovery of two worms and the disclosure of a serious vulnerability. Security experts also were questioning the effectiveness of Apple's latest patch, suggesting the company should add protection at a deeper level in the system.

Security Update 2006-002 can be downloaded and installed via the Software Update feature in Mac OS X or from Apple Downloads.

A Fast Response
by CBSTV March 13, 2006 5:40 PM PST
I'm impressed how quickly Apple responds with their Security
Updates.
Yes,
by Sboston March 14, 2006 9:43 AM PST
Good turn around time.
2 staged responses / Very Cool
by wysiwyg22 March 13, 2006 6:23 PM PST
I'm especially impressed that they released fixes in two stages. Stage one, just something to "Work" and prevent attackers from taking advantage once the flaw was publicly released, then a second release as soon as a polished fix was in place.

Most software companies hardly get past stage one.
Apple apologists are unbelievable
by catch23 March 13, 2006 7:00 PM PST
Apple releases a "fix" that doesn't work, and you guys praise them?
Look, you can **** in a glass and call it champagne while you toast one another on their wonderful deeds, but at the end of the day it was a total screw-up, both the original problem and the first fix. You same dumb idiots go off on MS when they pull this type of crap, so let's start believing that one set of standards is enough
why are you even bothering?
by techguy83 March 13, 2006 8:49 PM PST
No Apple Zealot is going to listen to you, or anyone else who offers logical or even empirical data about a problem or downside to the Mac OSX system. You'll just get the usual hate messages and 'oh you're just a ms fanboy/ms troll response'

So why even bother?

It's not like you'll ever change their minds or anything. :)
'Preemptive' says it all
by J.G. March 14, 2006 5:12 AM PST
I'm satisfied. Even Mac-gasmic, JM. Most of the vulnerabilities
never applied to my OS X installation anyway. Squirrel Mail?
Please. I don't even use Mail mail. And, as the Apple spokesman
said (it should have been at the beginning of the article, not the
bottom) there was nothing exploitable.

Why the weird Wintel types want Mac users to be unhappy with our
systems is beyond me.
Mac Envy
by Johnny Mnemonic March 14, 2006 6:28 PM PST
-
Latest Patch
by March 14, 2006 6:38 AM PST
I just downloaded the latest OSX security patch last night for my G5 iMac. I tried to start my computer this morning and NOTHING. It's fried. I have to admit, no hackers will be on my system for quite awhile.
I doubt if the patch caused your problem
by rcrusoe March 14, 2006 6:48 AM PST
I've installed it on six machines so far without incident.
Nothing?
by Sboston March 14, 2006 9:47 AM PST
If nothing happened then I suggest you check to see if your cat pulled your plug out of the wall. :D
by lsawell July 14, 2008 5:06 PM PDT
I installed the latest patch and the reboot took me to the normal grey screen with the apple logo. The little spinning wheel below it started spinning and has kept spinning for over 30 hours now. So much for protection
This Power Mac G4 has been running for 5 plus years with nothing like this happening after a patch. For all the folks that installed on 5 or 6 machines I am truly happy for you. But believe me. YOUR DAY WILL COME.
I know It's bad form to post external links
by Bob Brinkman March 14, 2006 7:08 AM PST
But this sums up the argument that is going to ensue way better than I could (requires sound)

http://badmash.tv/movies.php?v=bat

Why say it yourself when some one else said it better?
Latest patch is pack of trouble
by Eric Westra March 14, 2006 9:59 AM PST
Security Update 2006-002 has had multiple, serious implications
for many OSX users. I've seen reports from missing desktop icons,
to unusable hyperlinks in mail and applications, to complete
system meltdowns.

Some security patch. I wonder if Apple's quality control is slipping.
Can't be too bad....
by Earl Benser March 14, 2006 10:40 AM PST
... I just updated five OS X computers with no problems at all.
free crap
by benjiernmd March 15, 2006 8:56 AM PST
Well, at least you won't be paying for the snafu that Apple made,
when other companies charge you for fixes that do not really work.
But then again, crap is a crap, free or not. Just choose the lesser
evil.
by lsawell July 14, 2008 4:57 PM PDT
27 hours ago I downloaded the latest Apple patch/update on my Power Mac G4. It went thru the process and went into restart mode. 30 hours later it's still on the grey page with the black apple silhouette and the little thinking wheel is still going around and around. What's up with that? All attempts to recover have failed. The little wheel just keeps on spinning. Is it the eprom battery or a shot drive or what? Does anybody know how to recover from this problem?