Apple's first security update for 2006 comes with patches for several Safari browser bugs and an iChat vulnerability that caused the spread of the first Mac OS X worm.
With the security of its flagship Mac OS X operating system facing intense scrutiny, Apple Computer on March 1 released a software update with patches for more than a dozen security vulnerabilities.
The first security update from Apple for 2006 comes less than a week after the release of exploit code for a Safari browser flaw and the discovery of two worms affecting Mac OS X users.
In all, five Safari issues were addressed, including an "extremely critical" flaw that could allow remote code execution if a user simply viewed a maliciously rigged Web page.
The update addresses the issue by performing additional bounds checking.
A separate buffer overflow in the way the WebKit application framework handles certain HTML could allow a maliciously crafted Web page to cause a crash or execute arbitrary code as the user viewing the site.
Apple also acknowledged that Safari's security model prevents remote resources from causing redirection to local resources. "An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions," the company said in the alert.
The iChat application was also patched to block the spread of the Leap.A IM worm that was discovered on the Mac OS X platform last week.
"With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers," Apple said.
The update also fixes flaws in Mail, apache_mod_php, automount, Bom, Directory Services, IPSec, LaunchServices, LibSystem, loginwindow and rsync.
The update is shipped automatically to all Mac users through Apple's Software Update service.
Separate downloads are available on Apple's Download site for Mac OS X v10.3.9 (client and server) versions and Mac OS X v10.4.5 (Tiger) Intel and PowerPC versions.