
Security Update 2006-006 for Mac OS X 10.3.9 (#2): Details on security fixes; Startup issues -- Finder not loading; more

CNET staff

Details on security fixes

Security Update 2006-006 (which is only for Mac OS X 10.3.9) addresses many of the same security issues plugged in Mac OS X 10.4.8, and as such is causing issues similar to those experienced by users who have installed Mac OS X 10.4.8 or one of the other recently released Tiger security revisions (AirPort Extreme 2006-001 or Security Update 2006-005).

Among the specific holes plugged:

CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated
Connections created using SSL are normally authenticated and encrypted. When encryption is implemented without authentication, malicious sites may be able to pose as trusted sites. In the case of Safari this may lead to the lock icon being displayed when the identity of a remote site cannot be trusted. This update addresses the issue by disallowing anonymous SSL connections by default. Credit to Adam Bryzak of Queensland University of Technology for reporting this issue.

Playing Flash content may lead to arbitrary code execution
Adobe Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when handling maliciously-crafted content. This update addresses the issues by incorporating Flash Player version 9.0.16.0 on Mac OS X v10.3.9 and Flash Player version 9.0.20.0 on Mac OS X v10.4 systems.

Opening a malicious PICT image with certain applications may lead to an application crash or arbitrary code execution
Certain applications invoke an unsupported QuickDraw operation to display PICT images. By carefully crafting a corrupt PICT image, an attacker can trigger memory corruption in these applications, which may lead to an application crash or arbitrary code execution. This update addresses the issue by preventing the unsupported operation.

Remote attackers may be able to cause an IMAP server denial of service
An issue in the DIGEST-MD5 negotiation support in Cyrus SASL can lead to a segmentation fault in the IMAP server with a maliciously-crafted realm header. This update addresses the issue through improved handling of realm headers in authentication attempts.

Viewing a maliciously-crafted web page may lead to arbitrary code execution
A memory management error in WebKit's handling of certain HTML could allow a malicious web site to cause a crash or potentially execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow. Credit to Jens Kutilek of Netzallee for reporting this issue.
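The CFNetwork item above concerns SSL connections that are encrypted but not authenticated. The following check for such anonymous cipher suites is an added example, not code from Apple's advisory or from this article; it assumes cipher listings in the text format printed by "openssl ciphers -v", the sample lines are constructed, and the function names are hypothetical.

```python
import re
import ssl

# Constructed sample lines in the "openssl ciphers -v" format (not from the article).
SAMPLE_LINES = [
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD",
    "ADH-AES128-SHA              SSLv3   Kx=DH   Au=None Enc=AES(128)    Mac=SHA1",
    "AECDH-AES256-SHA            TLSv1   Kx=ECDH Au=None Enc=AES(256)    Mac=SHA1",
    "TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256) Mac=AEAD",
]

_AUTH = re.compile(r"\bAu=(\S+)")
# Fallback for bare suite names: OpenSSL "ADH"/"AECDH" and IANA "_anon_".
_ANON_NAME = re.compile(r"(^|[-_])(ADH|AECDH|anon)([-_]|$)", re.IGNORECASE)


def is_anonymous(line):
    """True if the suite encrypts without authenticating the server."""
    fields = line.split()
    if not fields:
        return False
    match = _AUTH.search(line)
    if match:
        # A full description line states the authentication method directly.
        return match.group(1).lower() == "none"
    return bool(_ANON_NAME.search(fields[0]))


def anonymous_suites(lines):
    """Names of the anonymous suites found in an iterable of listing lines."""
    return [line.split()[0] for line in lines if is_anonymous(line)]


def context_anonymous_suites(ctx):
    """Audit the cipher suites a live ssl.SSLContext would offer."""
    return anonymous_suites(c["description"] for c in ctx.get_ciphers())


def hardened_client_context():
    """Client context that verifies certificates and hostnames and
    explicitly excludes unauthenticated (aNULL) and unencrypted (eNULL) suites."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("DEFAULT:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    print("anonymous in sample:", anonymous_suites(SAMPLE_LINES))
    print("anonymous in hardened context:",
          context_anonymous_suites(hardened_client_context()))
```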

Startup issues -- Finder not loading

As with Mac OS X 10.4.8, a number of users are unable to start up properly after updating to Mac OS X 10.4.8.

Lathrop Preston writes:

"After restarting my wife's eMac from the install of Security Update 2006-006 Finder will not start.  We can still access applications in the Dock or the Apple Menu 'Recent Items' however if I click on Finder in the Dock it tries to start but fails silently. No desktop icons, No Macintosh HD icon."

Again, check our tutorial: "Startup fails (particularly after a system or security update); solving." Re-applying the most recent Mac OS X combo updater, booting in safe mode, disconnecting USB/FireWire devices, deleting cache files and other solutions have proven sporadically successful for a bevy of startup issues caused by these recent updates.

Wireless connectivity issues

Meanwhile, a handful of users have lost AirPort/wireless connectivity after applying Security Update 2006-006.

MacFixIt reader Joel writes:

"After installing the latest security update on my 1.25 GHz PowerBook, wireless network connections seem to be down. AirPort seems to recognize the wireless router (ACTIONTEC), but internet connection is a no go, as well as wireless networking with the Mac Mini (1.5 GHz Intel, 10.4.8) right next to it. Any advice would be greatly appreciated."

As in the case of Mac OS X 10.4.8, you want to check the tutorial "Improving AirPort reception, avoiding dropouts/lost connectivity, working around card/Base station recognition issues".

Breaks Version Cue for some users

Some users report that Adobe's Version Cue, a file-version manager in the Adobe Creative Suite 2 software, does not function properly after applying Security Update 2006-006.

To remove Version Cue, navigate to the /Library/StartupItems directory (this is the Library folder at the root level of your hard drive, not the Library folder in your home user directory) and remove the file "Version Cue." [Note that you may need to start up in Safe Mode, by holding the Shift key down while your Mac boots, in order to properly boot the system and remove the file.]

Includes version 9.0.16.0 of Flash

As noted above, Security Update 2006-006 installs Flash Player 9.0.16.0 on Mac OS X 10.3.9 systems. Unfortunately, as with Mac OS X 10.4.8, the Flash upgrade is causing significant slow-downs for some users. However, it is important to keep the new version of the plug-in rather than downgrading, as it includes critical security patches.

Feedback? Late-breakers@macfixit.com.
