Apple Patches Mac OS X Security Holes

Apple Computer has released Security Update 2006-001 for its Mac OS X operating system, patching problems recently exploited by both the Leap.A/Oompa-Loompa worm and the recent shell script exploit which could effect both Apple’s Safari Web browser and Mail applications. Security Update 2006-001 is available for both Mac OS X 10.4.5 (Tiger) and 10.3.9 (Panther) via Mac OS X’s built-in Software Update application as well as Apple’s software support download site. Apple recommends the update for all Mac OS X users.

Security Update 2006-001 patches the recently uncovered shell script exploit by performing additional validation of downloaded files and either warning the user of suspect files (Mac OS X 10.4.5) or refusing to open the downloaded item (Mac OS X 10.3.9). Apple also patched download validation in Mail and its iChat instant messaging program to warn users of unknown or unsafe file types, even if the file’s true nature has been deliberately disguised.

The update also includes important updates to Safari and FileVault, as well as under-the-hood functions in Directory Services, rsync, LibSystem, BOM (Mac OS X’s de-archiving system), and important security updates to perl and PHP (relevant only to users running Mac OS X as an Internet server: the capabilities are disabled by default).

The download ranges in size from roughly 12.5 to 39 MB, depending on the version of Mac OS X being updated (client or server), and separate versions are available for PowerPC-based and newer Intel-based Macs.