Apple Plugs iChat, Safari Security Holes

By Nate Mook, BetaNews

March 1, 2006, 7:05 PM

In its first standalone security update for 2006, Apple on Wednesday plugged 17 flaws affecting both Mac OS X 10.3 and 10.4. The fixes come after two potential vulnerabilities -- one in iChat and another in Safari -- were heavily publicized and brought warnings from security experts that Macs are not immune from malware.

The first claims of a Mac "virus" surfaced mid-February with the discovery of Leap.A, which is distributed as an archive. Once Leap.A is activated, when any iChat user changes his or her status, the worm initiates a file transfer for the latestpics.tgz archive.

The file transfer takes place in the background and is hidden from the user. In addition, the malware replaces all applications that have been used in the last month with itself, saving the original executable as a resource fork with the same filename.

Shortly after reports of Leap.A hit the Web, Apple downplayed the threat and said it was not a virus. As part of Wednesday's security update, the company said, "iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers."

A second flaw in Mac OS X was publicized last week, pertaining to the way Safari executes what it believes are "safe" files after downloading. A file could actually be a malicious script, which is executed using the operating system's Terminal application, rather than the movie or picture it masquerades as.

In Wednesday's advisory, Apple says, "This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)."

The 15 other fixes include three other flaws in Safari, additional download validation in Apple Mail, improvements to FileVault, and fixes in Unix applications that are bundled with Mac OS X, including PHP, Rsync and Perl. Apple has also patched a cross-site scripting vulnerability in its RSS feed handling.

Mac OS X users can download the update now via Software Update.


By Kramy

edited Mar 2, 2006 - 3:58 PM

>> Are Apple products more prone to holes and worms than any other OS? After all, it is an Apple. Right?

Haha! Funny! :D

Really though...let's not get into this debate. OSX gets patched before malicious people take advantage of its flaws. Windows doesn't. Whether there's more malicious hackers for x86, or there's more people pissed at MS, it doesn't change the fact that at the current time Apple is managing to keep OSX patched and secure in a very timely fashion.

Someone cracked their x86 OSX to run on an AMD system in record time though, so...

Score: 0

By eastmpman

posted Mar 3, 2006 - 12:01 AM

I agree. Apple products are absolutely not more prone to holes and worms, and won't be unless Apple gains some serious significant market share, which won't happen any time in the immediate future. Also, there's no difference in naming something a "patch" or an "update", if they essentially are the same thing. As stated by Kramy, we get preventive updates, while Microsoft patches their problems on Tuesdays. Seems a little silly to me that people have to wait for a certain date to update their systems. I can recall not too long ago this being a major issue..... :::cough::: WMF exploit :::cough:::

By the time Microsoft patched that issue, there were thousands of variants floating around the internet infecting unsuspecting users' machines. By the time Tuesday rolled around for them, it was too late.

As far as Apple's security threat, it's hard for anyone with intelligence to label Leap.A as a "virus", but Apple has responded in a timely fashion, and not blown it off as a nonexistent threat, as Microsoft has done so many countless times in the past.

Score: 0

By frankwick

posted Mar 2, 2006 - 10:00 AM

These must be bad holes for Apple to not "market" security patches as a point release. We all know that all OSs have security releases, but Apple does a better job of spinning these as updates and not patches.

I just thought of something. Are Apple products more prone to holes and worms than any other OS? After all, it is an Apple. Right?

Score: 0

By Frostek

posted Mar 2, 2006 - 8:15 AM

Well done Apple. I'm sure they won't rest on their laurels and will continue to release security fixes in a timely fashion.

Score: 0