May 17, 2006 11:24 AM PDT

Security Update 2006-003 Special Report: Release notes/update recommendations

by CNET staff

On May 11th, Apple released Security Update 2006-003, which includes significant security enhancements for both PowerPC and Intel-based Macs.

The new update plugs the following security vulnerabilities, broken out by component:

  • AppKit: Characters entered into a secure text field can be read by other applications in the same window session
  • AppKit, ImageIO: Viewing a maliciously-crafted GIF or TIFF image may lead to arbitrary code execution
  • BOM: Expanding an archive may lead to arbitrary code execution; Expanding a malicious archive may cause arbitrary files to be created or overwritten
  • CFNetwork: Visiting malicious web sites may lead to arbitrary code execution
  • ClamAV: Processing maliciously-crafted email messages with ClamAV may lead to arbitrary code execution
  • CoreFoundation: Registration of an untrusted bundle may lead to arbitrary code execution; String conversions to file system representation may lead to arbitrary code execution
  • CoreGraphics: Characters entered into a secure text field can be read by other applications in the same window session
  • Finder: Launching an Internet Location item may lead to arbitrary code execution (Description: Internet Location items are simple URL containers which may reference http://, ftp://, and file:// URLs, as well as a few other URL schemes. These different types of Internet Location items are visually distinct, and meant to be safe to explicitly launch. However, the scheme of the URL may be different than the Internet Location type. As a result, an attacker may be able to convince a user to launch a supposedly benign item (such as a Web Internet Location, http://), with the result that some other URL scheme is actually used. In certain circumstances, this may lead to arbitrary code execution. This update addresses the issues by restricting the URL scheme based on the Internet Location type.)
  • FTPServer: FTP operations by authenticated FTP users may lead to arbitrary code execution
  • Flash Player: Playing Flash content may lead to arbitrary code execution
  • ImageIO: Viewing a maliciously-crafted JPEG image may lead to arbitrary code execution (Description: An integer overflow in the processing of JPEG metadata may result in a heap buffer overflow. By carefully crafting an image with malformed JPEG metadata, an attacker may be able to cause arbitrary code execution when the image is viewed. This update addresses the issue by performing additional validation of images. This issue does not affect systems prior to Mac OS X v10.4)
  • Keychain: An application may be able to use Keychain items when the Keychain is locked
  • LaunchServices: Viewing a malicious web site may lead to arbitrary code execution
  • libcurl: URL handling in libcurl may lead to arbitrary code execution
  • Mail: Viewing a malicious mail message may lead to arbitrary code execution
  • MySQL Manager: MySQL database may be accessed with an empty password
  • Preview: Navigating a maliciously-crafted directory hierarchy may lead to arbitrary code execution
  • QuickDraw: Viewing a maliciously-crafted PICT image may lead to arbitrary code execution
  • QuickTime Streaming Server: A malformed QuickTime movie can cause QuickTime Streaming Server to crash
  • QuickTime Streaming Server: Maliciously-crafted RTSP requests may lead to crashes or arbitrary code execution
  • Ruby: Ruby safe level restrictions may be bypassed
  • Safari: Visiting malicious web sites may lead to file manipulation or arbitrary code execution (Description: When Safari's "Open 'safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched. This update addresses the issue by not resolving downloaded symbolic links. This issue does not affect systems prior to Mac OS X v10.4.)
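The Finder entry above describes a mismatch between an Internet Location item's visible type and the scheme of the URL it actually carries, which the update fixes by restricting the scheme to the item type. The following Python example is added here and is not code from this article or from Apple; it shows the shape of that check: read the item's plist, take the URL scheme, and allow the item only if the scheme is one its declared type is meant to carry. The `.webloc`/`.ftploc`/`.fileloc` extension names, the plist `URL` key, and the inclusion of https alongside http are assumptions about the file format.

```python
import plistlib
from urllib.parse import urlsplit

# Assumed mapping from Internet Location item type (by file extension) to the
# URL schemes that type is meant to carry. The article names http://, ftp://
# and file:// items; the extension names and the https entry are assumptions.
ALLOWED_SCHEMES = {
    ".webloc": {"http", "https"},
    ".ftploc": {"ftp"},
    ".fileloc": {"file"},
}


def declared_type(filename):
    """Return the Internet Location type implied by the file name, or None."""
    lower = filename.lower()
    for ext in ALLOWED_SCHEMES:
        if lower.endswith(ext):
            return ext
    return None


def url_from_plist(data):
    """Extract the URL string from a plist payload (assumed 'URL' key)."""
    plist = plistlib.loads(data)
    url = plist.get("URL")
    if not isinstance(url, str):
        raise ValueError("plist has no string URL key")
    return url


def check_internet_location(filename, data):
    """Return (allowed, reason).

    The item is allowed only when the scheme of the embedded URL is one of the
    schemes its declared type (from the extension) is meant to carry. An item
    that looks like a web location but carries a file:// URL is rejected.
    """
    kind = declared_type(filename)
    if kind is None:
        return False, "unknown Internet Location type"
    url = url_from_plist(data)
    scheme = urlsplit(url).scheme.lower()
    if not scheme:
        return False, "URL has no scheme"
    if scheme not in ALLOWED_SCHEMES[kind]:
        return False, f"{kind} item carries a {scheme}:// URL"
    return True, f"{kind} item carries a {scheme}:// URL"


def make_item(url):
    """Build a constructed Internet Location plist payload for demonstration."""
    return plistlib.dumps({"URL": url})


if __name__ == "__main__":
    # Constructed samples: a genuine web location and one whose type and
    # scheme disagree.
    print(check_internet_location("Apple.webloc", make_item("http://www.apple.com/")))
    print(check_internet_location("Apple.webloc", make_item("file:///Applications/Calculator.app")))
```

The check keys on the declared type rather than on the URL alone, because the user's decision to open the item is based on what the type claims it is; any item whose scheme disagrees with that claim is treated as untrusted.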
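The Safari entry describes an archive that, once expanded automatically, leaves a symbolic link on the desktop that is then followed and launched. The Python example below is added here and is not code from the article or from Apple; it audits a tar archive before expansion and flags symlink and hardlink entries as well as entries whose path would land outside the destination directory. That is the defender-side counterpart of the update's "do not resolve downloaded symbolic links" behaviour: an extractor that refuses these entries never creates the link that the attack relies on. The sample archive is constructed in memory and the destination path is a placeholder.

```python
import io
import os
import tarfile


def audit_archive(data, dest="/Users/example/Desktop"):
    """Return a list of (entry_name, reason) for entries unsafe to expand.

    Two classes of entry are flagged: any path that would resolve outside
    `dest` once joined to it, and any symbolic or hard link entry, since a
    link inside a downloaded archive can point at an arbitrary local target.
    `dest` is a placeholder path; the check is purely lexical and touches
    no files.
    """
    findings = []
    dest = os.path.abspath(dest)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.abspath(os.path.join(dest, member.name))
            # Path traversal: the normalised target is not under dest.
            if os.path.commonpath([dest, target]) != dest:
                findings.append((member.name, "path escapes extraction directory"))
                continue
            # Link entries: expanding them creates a pointer to member.linkname.
            if member.issym() or member.islnk():
                findings.append((member.name, f"link to {member.linkname}"))
    return findings


def build_sample_tar():
    """Construct an in-memory tar with one benign file, one symlink and one
    traversal entry, for demonstration only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"hello\n"
        info = tarfile.TarInfo("readme.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))

        link = tarfile.TarInfo("Calculator")
        link.type = tarfile.SYMTYPE
        link.linkname = "/Applications/Calculator.app"  # constructed target
        tar.addfile(link)

        trav = tarfile.TarInfo("../evil.sh")
        trav.size = 0
        tar.addfile(trav)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_tar()):
        print(f"refuse {name!r}: {reason}")
```

Running the audit before any file is written is what matters: a policy that expands first and cleans up afterwards has already created the link by the time it inspects it.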

Update procedure recommendation

First, avoid performing any other operations (in Mac OS X or third-party applications) while the update process is occurring. In addition, before installing this security update, make sure all Apple-installed applications and utilities are in their original locations. Moving one of these applications to a different location on your hard drive can lead to an incomplete update. Also, disconnect any FireWire/USB devices before applying the update (except for your startup drive, if it is FireWire or USB, and your keyboard/mouse), then re-connect the devices one by one (checking for issues created by any particular device) after the update process is complete and the system has restarted.

The release is available through Software Update and the following download links:

  • Security Update 2006-003 Mac OS X 10.4.6 Client (PPC) [12MB]
  • Security Update 2006-003 Mac OS X 10.4.6 Client (Intel) [23.5MB]
  • Security Update 2006-003 (10.3.9 Client) [28MB]
  • Security Update 2006-003 (10.4.6 Server) [13.1MB]
  • Security Update 2006-003 (10.3.9 Server) [41.6MB]