Apple Fixes Security Patch Problems

Two weeks after issuing a security update to plug 17 potential vulnerabilities in Mac OS X, Apple has released a second patch to correct problems with the first and resolve newly discovered flaws. The fixes involve a new "download validation mechanism" designed to prevent malicious files from being run automatically.

The issue relates to the way Safari executes what it believes are "safe" files after downloading. A file could actually be a malicious script, which is executed using the operating system's Terminal application, rather than the movie or picture is masquerades as.

However, the feature has been returning a large number of false positives -- warning users of risks when the file is completely safe. In addition to correcting that problem, Apple has added new checks "to identify variations of the malicious file types addressed in Security Update 2006-001."

Apple has also resolved a security hole in Mail and one related to the way the operating system handles documents containing JavaScript. Apple Mail contains a buffer overflow that could be exploited using a specially crafted e-mail message. An attacker could potentially use the flaw to execute arbitrary code on a Mac OS X system.

In order to keep a machine safe, files with JavaScript are usually protected by the "same-origin policy" that prevents them from reading local data. According to Apple, however, "maliciously-crafted archives can cause these restrictions to be bypassed." The new security update marks these files as unsafe.

Security Update 2006-002 additionally fixes non-security related bugs introduced in PHP and rsync with the previous security update.

The update, which has been rated "extremely critical" by security firm Secunia, is available now through the Software Update feature in Mac OS X.