Apple on Wednesday posted Security Update 2005-006. The new update is ready for download from Apple’s Web site. Separate downloads are available for Mac OS X v10.3.9 and Mac OS X v10.4.1. Apple said the download is recommended for all affected Mac users.
Mac OS X v10.3.9 gains improvements specifically to Bluetooth and PHP. Bluetooth security has been improved by adding enhanced filtering for path-delimiting characters; this corrects a problem involving Bluetooth object exchange services. And multiple vulnerabilities in PHP have been addressed, including remote denial of service and execution of arbitrary code.
The security update for Mac OS X v10.4.1 contains those Bluetooth and PHP improvements, as well as a buffer overflow correction and other improvements to AFP Server, correct handling of cleanup of poorly-formatted PDF documents by CoreGraphics and a security improvement to prevent unprivileged users from launching commands into root sessions; more secure folder permissions to protect the cache folder and Dashboard system widgets; removal of a vulnerability in the launchd command; a correction to LaunchServices’ query code; a change to MCX client involving Portable Home Directories; modification of NFS exporting code; and correction of a buffer overflow problem in “vpnd.” More details are available from Apple’s Web site.