Original URL: http://www.theregister.co.uk/2009/02/13/_security_update_2009_001/

Apple update plugs security vulns

Beefs OS X, Java, Safari for Windows

By Rik Myslewski in San Francisco

Posted in Security, 13th February 2009 00:57 GMT

SANS - Survey on application security programs

Apple has released a set of security updates that plug over two dozen holes in Mac OS X - including the Safari RSS vuln [1] discovered last month - plus a vuln apiece in Java for Mac OS X 10.5, 10.4, and Safari for Windows.

According to an Apple support document, Security Update 2009-001 [2] addresses vulns that include "multiple vulnerabilites [3]" in fetchmail and possible arbitrary code execution in certain situations involving Apple Pixlet Video, CarbonCore, ClamAV, CoreText, perl, python, Safari RSS, SMB, and X11.

Apple reports that the Java for Mac OS X 10.5 Update 3 [4] and Mac OS X 10.4 Update 8 [5] both address "Multiple vulnerabilities in Java Web Start and Java Plug-in," the most serious of which can also result in arbitrary code execution when "visiting a web page containing a maliciously crafted Java applet."

The Safari 3.2.2 for Windows [6] update addresses the aforementioned Safari RSS vuln.

We advise Mac OS X users to either run Software Update to obtain these vuln-killers or download [7] them from Apple's support site. Windows XP and Vista users can upgrade to Safari 3.2.2 by going to Apple's Safari site [8] and clicking the Download Now button.

While Apple has had more than its share of upgrade problems [9] in recent months, we can report that we've experienced no problems after installing these security updates. But it wouldn't be a bad idea to keep your eye on MacFixIt [10] and MacInTouch [11] for a couple of days.

In a Conficker/Downadup [12] world, it's better to be safe than sorry. ®