Apple released a security update called "2006-001". It claims to update the following components:
For detailed information on this update, we refer you to Apple's article 303382.
It is critical to install this update on your Mac OS X machines:
At this point it's unclear how effective the patch is against the PoC. To quote Apple: "This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9)". We know from experience that warning users is hardly enough in real life. Still, it's better than nothing.
- iChat and Mail get file type protection warnings in an effort to help thwart the worm threat (as exposed by the PoC virus Leap.A)
- many more ... but you get those for free anyway
On the not so good side: (before I get every Apple fan on my case: I love my PowerBook, but that does not mean Apple should not clean up their act a bit)
- Nice to get an update to PHP 4.4.1, but do note that a quick visit to php.net shows that PHP 4.4.1 was released on October 31st, 2005. That's 4 months! Add to that the fact that PHP 4.4.2 was released on January 13th, 2006. For an open source package, this isn't cutting it, I'm afraid. Apple really needs to speed up its testing and dramatically reduce the window of exposure (even if it's not enabled by default).
- Apple references article 108009, but it puts all responsibility on the end user. Can't we please have it promote using things like anti-virus and other malware-preventing software? Sure, users should not accept everything and click on anything. But the Windows world has proven that this approach doesn't work well enough once the OS gets targeted by malware.
Mar 1st 2006