************************* Security Update 2006-001 Validates Downloads

by Adam C. Engst <ace@tidbits.com>

Responding with reasonable alacrity to the recent Leap-A and shell script exploits, Apple released Security Update 2006-001 last week, fixing a slew of problems. Most notably, an update to Safari and LaunchServices performs additional download validation when the "Open 'safe' files after downloading" option is on to warn the user (in Mac OS X 10.4.5) or to avoid opening the download entirely (in 10.3.9). A similar update to Mail makes sure Download Validation can better detect unsafe or unknown file types in attachments. Also, an update to iChat in Mac OS X 10.4.5 now uses Download Validation to warn users of unknown or unsafe file types during file transfers.

<http://docs.info.apple.com/ article.html? artnum= 303382>

In general, increased warnings are a good thing unless they become so commonplace that users automatically agree to actions without considering the specifics. Plus, despite these changes, Apple still encourages all users to be careful about handling email attachments and opening downloaded files; see Apple's safety tips if you're not sure how to evaluate a given attachment or file. Even still, we'd like to see Apple going further to prevent the kind of deceptions that allow a malicious application to masquerade as a harmless document. Matt Neuburg's suggestion last week (see "Of Files, Forks, and FUD" in TidBITS-818) of badging all executables in some obvious way would be a step in the right direction, although deception (such as a malicious application mimicking a well-known legitimate one) remains possible.

<http://docs.info.apple.com/ article.html? artnum= 108009> <http://db.tidbits.com/ getbits.acgi? tbart= 08437>

Also important in Security Update 2006-001 is an update to apache_mod_php that includes PHP 4.4.1, a security update to the PHP scripting language. Holes in PHP - specifically in Web forms that are being exploited by spammers - are the largest security issue in the Web server world right now, and PHP 4.4.1 does not fix all of these problems. PHP is disabled by default in Mac OS X, so only people who have explicitly turned it on need worry about these concerns; see the link below for more information.

<http://www.forest.net/ support/ archives/ 2005/ 12/ 000668.php#000668>

Other updated components of Mac OS X include automount, BOM (Mac OS X's archive unpacking code), Directory Services, FileVault, IPsec, LibSystem, perl, rsync, Safari (in more ways than just increased download validation), and Syndication (Safari RSS). While some of Apple's security updates feel like fixes to issues that few people would ever encounter, a number of the problems addressed by Security Update 2006-001 are quite concerning, and we encourage everyone to install it right away. Security Update 2006-001 comes in versions for Mac OS X 10.4.5 for PowerPC (12.5 MB download) and Intel (22.5 MB), and Mac OS X 10.3.9 Client (25.3 MB) and Server (38.6 MB); all sizes are for the stand-alone version and may be somewhat different for Software Update, which provides the right version for your Mac.

<http://www.apple.com/ support/ downloads/ securityupdate2006001macosx1045ppc.html> <http://www.apple.com/ support/ downloads/ securityupdate2006001macosx1045clientintel.html> <http://www.apple.com/ support/ downloads/ securityupdate20060011039client.html> <http://www.apple.com/ support/ downloads/ securityupdate20060011039server.html>

This article refers back to: Of Files, Forks, and FUD

Kev - I have to use Microsoft Word on my Mac as most of my clients send me their copy in a Word file. If ever my Mac falls over or freezes, you can be sure it's when Word is running.

Like I've said a trillion times - PCs are fantastic bits of kit but how come Microsoft has got away with producing such flawed products to run on them? It's a darn shame. So many more people would be able to benefit from using a computer if they weren't so unstable because of the OS and software.

XP is probably the best operating system yet (at least according to the publication I lay out every month - no personal experience of it myself, of course).

But it still sounds like hard work making sure your PC is running correctly all the time. If Gates and chums hadn't had such a monopoly I feel sure the world would be a much warmer, softer and fluffier place.

Please, all you PC users out there, I'm not having a go at you! No need to jump to the PC's defence. My beef is with Gates.

The PC's here at home all run XP pro, Norton Pro antivirus, two firewalls and, a free download, Lavasoft Ad-Aware and, touch wood, they've been as good as gold.