Security Update 2006-001 Validates Downloads
Responding with reasonable alacrity to the recent Leap-A and shell script exploits, Apple released Security Update 2006-001 last week, fixing a slew of problems. Most notably, an update to Safari and LaunchServices performs additional download validation when the "Open ‘safe’ files after downloading" option is on to warn the user (in Mac OS X 10.4.5) or to avoid opening the download entirely (in 10.3.9). A similar update to Mail makes sure Download Validation can better detect unsafe or unknown file types in attachments. Also, an update to iChat in Mac OS X 10.4.5 now uses Download Validation to warn users of unknown or unsafe file types during file transfers.
In general, increased warnings are a good thing unless they become so commonplace that users automatically agree to actions without considering the specifics. Plus, despite these changes, Apple still encourages all users to be careful about handling email attachments and opening downloaded files; see Apple’s safety tips if you’re not sure how to evaluate a given attachment or file. Even still, we’d like to see Apple going further to prevent the kind of deceptions that allow a malicious application to masquerade as a harmless document. Matt Neuburg’s suggestion last week (see "Of Files, Forks, and FUD" in TidBITS-818) of badging all executables in some obvious way would be a step in the right direction, although deception (such as a malicious application mimicking a well-known legitimate one) remains possible.
Also important in Security Update 2006-001 is an update to apache_mod_php that includes PHP 4.4.1, a security update to the PHP scripting language. Holes in PHP – specifically in Web forms that are being exploited by spammers – are the largest security issue in the Web server world right now, and PHP 4.4.1 does not fix all of these problems. PHP is disabled by default in Mac OS X, so only people who have explicitly turned it on need worry about these concerns; see the link below for more information.
Other updated components of Mac OS X include automount, BOM (Mac OS X’s archive unpacking code), Directory Services, FileVault, IPsec, LibSystem, perl, rsync, Safari (in more ways than just increased download validation), and Syndication (Safari RSS). While some of Apple’s security updates feel like fixes to issues that few people would ever encounter, a number of the problems addressed by Security Update 2006-001 are quite concerning, and we encourage everyone to install it right away. Security Update 2006-001 comes in versions for Mac OS X 10.4.5 for PowerPC (12.5 MB download) and Intel (22.5 MB), and Mac OS X 10.3.9 Client (25.3 MB) and Server (38.6 MB); all sizes are for the stand-alone version and may be somewhat different for Software Update, which provides the right version for your Mac.