http://docs.info.apple.com/article.html?artnum=303382
Among other things, it addresses weaknesses that were exploited by the recently reported malware.
Safari, LaunchServices
CVE-ID: CVE-2006-0394
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Viewing a malicious web site may result in arbitrary code execution
Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
(And a similar change to Mail.)
iChat. A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
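A simplified sketch of the kind of check the advisory's "download validation" implies, added here as an illustration; it is not Apple's implementation and not part of the original post. It declines to auto-open a download whose safe-looking extension disagrees with its leading bytes. The extension list, signature tables and the `validate_download` name are assumptions made for the example.

```python
import os

# Extensions treated as "safe" to open automatically (assumed list for this example).
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mov"}

# Leading bytes of content that runs rather than displays.
EXECUTABLE_MAGIC = {
    b"#!": "script with an interpreter line",
    b"\xfe\xed\xfa\xce": "Mach-O executable",
    b"\xce\xfa\xed\xfe": "Mach-O executable",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
}

# Signatures expected for some safe types; types without an entry (.mov)
# only get the executable check above.
EXPECTED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def validate_download(filename, head):
    """Return (auto_open, reason) for a file name and its first bytes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in SAFE_EXTENSIONS:
        return False, "extension %r is not on the safe list" % ext
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return False, "named %s but content is a %s" % (ext, kind)
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not head.startswith(expected):
        return False, "content does not match the %s signature" % ext
    return True, "extension and content agree"


if __name__ == "__main__":
    # Constructed samples: file name plus the first bytes of the download.
    samples = [
        ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("holiday.jpg", b"#!/bin/sh\necho constructed sample\n"),
        ("clip.mov", b"\xca\xfe\xba\xbe\x00\x00\x00\x02"),
        ("chart.png", b"GIF89a"),
    ]
    for name, head in samples:
        print(name, validate_download(name, head))
```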