Apple on Tuesday released Security Update 2005-009, which addresses issues with both Mac OS X and Mac OS X Server. Among the components affected in this release are apache_mod_ssl; CoreFoundation; CoreTypes; curl; iodbcadmin; OpenSSL; Safari;sudo; and syslog.
The biggest changes for Mac OS X users are with the company’s Web browser software, Safari. In total, four separate issues have been fixed in this release.
The first issue fixes a problem that affects Safari’s download directory, which is normally specified by the user. However, if a web site suggests an overlong filename for a download, it is possible for Safari to create this file in other locations. Apple notes that the filename and location of downloaded file content cannot be directly specified by remote servers, but this may still lead to downloading content into locations accessible to other users.
Apple also fixed a potential problem when visiting Web sites with WebKit-based applications. According to Apple, WebKit contains a heap overflow that may lead to the execution of arbitrary code. This may be triggered by content downloaded from malicious Web sites in applications that use WebKit such as Safari.
Two problems with JavaScript were addressed. Safari now has a new JavaScript engine to combat a potentially exploitable heap overflow. The new engine incorporates a more robust input validation, according to Apple. The second JavaScript issue adds the name of the originating Web site to the dialog boxes.
The update can be downloaded from Apple’s Web site or by using the Software Update mechanism in Mac OS X. More information on the other changes in the security update is available from Apple’s Web site.