Apple on Thursday released Security Update 2006-003, fixing vulnerabilities in Mac OS X and Mac OS X Server. In addition to fixing core technologies, the update also includes changes to several of the company’s applications.
An issue with Apple’s Safari Web browser running in Mac OS X 10.4 that allowed an automatically expanded archive containing a symbolic link to be moved to the user’s desktop and launched has been fixed in this update.
Apple Mail received two fixes. The first deals with the handling of invalid color information in enriched text email messages, which could cause the allocation and initialization of arbitrary classes. This may lead to arbitrary code execution with the privileges of the user running Mail, according to Apple. The second fix addresses an integer overflow that could be triggered by a specially crafted email message with MacMIME encapsulated attachments. This may also lead to arbitrary code execution with the privileges of the user running Mail.
Preview, Apple’s PDF viewing application, had a problem with navigating very deep directory hierarchies. An attacker may be able to cause arbitrary code execution if such directories are opened in Preview. This issue does not affect systems prior to Mac OS X v10.4, according to Apple.
The Security Update also includes a new Flash Player 18.104.22.168. Flash Player contained critical vulnerabilities that may lead to arbitrary code execution when specially-crafted files.
Finally, the Finder has been updated to fix a problem that would allow an attacker to use Internet Location files to execute arbitrary code.
In addition to the Security Update, Apple has also released QuickTime 7.1, an update the company says delivers numerous important bug fixes and addresses critical security issues.
Front Row 1.2.2 delivers a variety of fixes for better reliability and compatibility when playing music, photos, and videos on your Macintosh, according to Apple.
Full details of the update for Mac OS X and Mac OS X Server are available from Apple’s Web site. The QuickTime and Front Row updates are available via Software Update in Mac OS X.