Apple has released a trio of security updates to block a variety of possible malicious actions that could compromise the security of your Mac or your iPhone.
Security Update 2007-007 could be nicknamed the James Bond release, both for its version number and for the number of now-blocked exploits that involve “enticing the user” to perform some seemingly innocuous task like visiting a Web page, clicking an FTP URL, opening a PDF file, or (perhaps this isn’t so innocuous) running zgrep. Components of Mac OS X that are updated include bzip2, CFNetwork, CoreAudio, cscope, gnuzip, iChat, Kerberos, mDNSResponder, PDFKit, PHP, QuartzComposer, Samba, SquirrelMail, Tomcat, WebCore, and WebKit (after reading that list, I’m shaken, not stirred). See Apple’s site for full details. The easiest way to get Security Update 2007-007 is via Software Update, but stand-alone downloads are available for Mac OS X 10.3.9 (48.7 MB), Mac OS X Server 10.3.9 (63.3 MB), Mac OS X 10.4.10 for PowerPC-based Macs (14.2 MB), Mac OS X 10.4.10 for Intel-based Macs (25.7 MB), Mac OS X Server 10.4.10 for PowerPC-based Macs (23.8 MB), and Mac OS X Server 10.4.10 for Intel-based Macs (35.3 MB).
Safari 3 Beta Update 3.0.3 addresses four exploits for Windows, three of which also apply to the Mac version of Safari 3 and to the WebCore and WebKit components of Mac OS X that are used by earlier versions of Safari and many other applications (Security Update 2007-007 includes the fixes for those not running Safari 3). The fixes are for the usual things – bad guys could cause Safari to crash, lure you to a spoofed Web site, or execute arbitrary code. There’s no reason to think any of this has ever happened in the wild, but there’s also no reason to avoid this update, given that Safari 3 is still in beta anyway and can only improve. It’s unclear if there are any changes in this update that aren’t security-related. The update is available via Software Update or as a 14 MB download from Apple’s Safari page.
Lastly, the iPhone sees its first software update with iPhone v1.0.1 Update. The major changes revolve around security related to browsing Web pages with the iPhone’s version of Safari. In fact, two of the four fixes in iPhone v1.0.1 Update are also in Security Update 2007-007 and Safari 3 Beta Update 3.0.3, emphasizing the shared code between Mac OS X and the iPhone.
A few undocumented feature modifications crept into this release, too. The Favorites list for the Phone now supports up to 50 contacts instead of 20; you can automatically BCC yourself in the Mail application; and support for more speakers and other accessories developed for the iPod has been added.
Note that this update is available only through iTunes, as with iPod updates. iTunes will download it automatically sometime within the next week and present it as an option for you to install the next time you sync; if you want to install it manually, use the Check for Updates button or menu item in iTunes. To verify that the update has occurred, navigate in the iPhone to Settings > General > About and look for version “1.0.1 (1C25)”.