Apple has released the first general Mac OS X security update of 2009, patching a series of serious vulnerabilities that could allow an attacker to take over your Mac. Security Update 2009-001 affects both Mac OS X client and server, and all users are advised to update their systems immediately. A complete list of changes is available in the official security note on Apple’s support site. Apple also released a separate security update for Java for Mac OS X, and a standalone update for Safari for Windows.
Safari RSS Fix — The most notable vulnerability patched (although not necessarily the most serious) is a flaw in how Safari handled links for RSS feeds that could allow an attacker to run arbitrary code on your system. Programmer Brian Mastenbrook initially disclosed the nature of this vulnerability on his blog without exposing the details (see my article “Protect Yourself from the Safari RSS Vulnerability,” 2009-01-14). Mastenbrook provided some initial workarounds to help users protect themselves that turned out to be ineffective, and then posted a more complex workaround that was both problematic for most users to implement, and sometimes resulted in system problems.
Mastenbrook has now posted further information on his blog describing why he released his workaround before Apple issued a patch. Mastenbrook stated he notified Apple six months before making aspects of the flaw public, and revealed the information out of concern that Apple was not patching the flaw and that the vulnerability would be easy for someone else to discover and exploit. The nature of the flaw does appear to be straightforward, and his release of minimal information and a workaround likely resulted in reduced risk for Safari users.
The Safari fix is included in Security Update 2009-001 for Mac OS X users, and is available as a separate download for users of Safari on Windows.
Other Fixes — Security Update 2009-001 also patches a mix of other security issues, including a few that could allow an attacker to run arbitrary code on your system or to escalate privileges to those of an administrative user (circumventing an important security feature of Mac OS X). Some of these vulnerabilities are remotely exploitable over the Web should you visit a malicious Web site.
This update also includes some important fixes for users of Mac OS X Server. One vulnerability, in the ClamAV package used by Mac OS X to filter viruses out of email, could allow a remote attacker to execute arbitrary code on the server (which is security-speak for “take over your server”).
As with many Apple security updates, the fixes apply to a range of Apple software and open source tools that are included in Mac OS X, such as ClamAV, file sharing servers, and programming languages.
Security Update 2009-001 is available via Software Update or as a standalone download for Mac OS X 10.4.11 and Mac OS X 10.5.6 client and server. Separate downloads are available for Mac OS X Server 10.4.11 Universal (213 MB), Mac OS X Server 10.4.11 PowerPC (141.76 MB), Mac OS X Server 10.5.6 (46.54 MB), Mac OS X 10.4.11 PowerPC (74 MB) and Intel (164.23 MB), and Mac OS X 10.5.6 (43.4 MB).
Safari 3.2.2 for Windows is also available as a direct download.