Zero-Day Flaw Gets Patched
Apple's Zero day flaw is no more. Finally, Apple addressed a week-old issue and 19 others hanging around.
It also addresses 19 other issues in OS X, including improving security against worms which have just recently begun to slither through Apple's core.
The zero-day issue involved how OS X 10.4.5 handles ZIP archives in the Safari Web browser. Arbitrary commands could have potentially been executed automatically via Safari from a malicious site.
Though the issue remained open for more than a week, there was simple workaround provided early on that involved disabling automatic file opening on downloads in Safari, or simply using another browser.
Apple's security update also revealed a number of other significant flaws in Safari the patch fixes.
CVE-ID: CVE-2006-0390/CVE-2005-4504 fixes a heap-based buffer overflow condition in WebKit that could have potentially allowed an attack to execute arbitrary code when a user visits a maliciously crafted Web page.
The update also provides additional protections against worms such as Leap.A, which have recently begun to target Apple Mac users via the iChat instant messaging application.
The update now includes something called "Download Validation," which is supposed to warn users of potentially unsafe file types during transfers.
Other issues addressed in the Apple security update include fixes for perl, rsync, mail, IPsec, apache_mod_php, automount, FileVault, Directory Services and Mail. The potential impacts range from denial of service to arbitrary code execution.
This article was originally published on internetnews.com.