Apple Security Update 2006-001

  1. #1 jephree

    Apple Security Update 2006-001

    Apple today released Security Update 2006-001, which is recommended for all users (Mac OS X 10.3.9, Mac OS X 10.4.5).


    • apache_mod_php
    • automount
    • Bom
    • Directory Services
    • iChat: A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
    • IPSec
    • LaunchServices
    • LibSystem
    • loginwindow
    • Mail: In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.
    • rsync
    • Safari: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9). (More fixes in linked article below.)
    • Safari, LaunchServices: Impact: Viewing a malicious web site may result in arbitrary code execution. Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
    • Syndication

    The Update is available via Software Update. Detailed information on this Update here:

    http://docs.info.apple.com/article.html?artnum=303382

    Note: For those who've moved their Terminal app out of /Applications/Utilities, you can put it back now after updating.

    For the Safari exploit, the safe online demonstration provided by Heise Security that you can use to determine whether your system is affected is included in the article here:

    http://www.heise.de/english/newsticker/news/69862

    (Updated systems will display a dialog stating: "'Heise.jpg' may contain an application. The safety of this file cannot be determined. Are you sure you want to download 'Heise.jpg'?" Users should simply cancel the download.)

    Also, updates re:

    · Apple iPhoto 6.0.2 (Mac OS X)
    · Apple iTunes 6.0.4 (Mac OS X)
    · Apple Front Row 1.2.1 (Mac OS X)

    available via Software Update.
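    The Safari and Mail items above both come down to the same check: a download whose name claims a "safe" media type must have content that matches that claim, and content that is actually a program must never be auto-opened. The following is an added illustration of that kind of content-based validation, not Apple's Download Validation code; the signature tables, function names and sample byte strings are constructed for the example.

```python
# Content-vs-name validation for downloaded files (added example, hypothetical).
# Signatures are (offset, magic bytes). Media types a user expects to be safe:
SAFE_SIGNATURES = {
    "jpg":  [(0, b"\xff\xd8\xff")],
    "jpeg": [(0, b"\xff\xd8\xff")],
    "png":  [(0, b"\x89PNG\r\n\x1a\n")],
    "gif":  [(0, b"GIF87a"), (0, b"GIF89a")],
    "mov":  [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"), (4, b"wide")],
}
# Executable content that must never be opened automatically, whatever the name says.
EXEC_SIGNATURES = [
    (0, b"#!"),                  # shell / interpreter script
    (0, b"\xfe\xed\xfa\xce"),    # Mach-O 32-bit, big-endian (PowerPC)
    (0, b"\xce\xfa\xed\xfe"),    # Mach-O 32-bit, little-endian (Intel)
    (0, b"\xfe\xed\xfa\xcf"),    # Mach-O 64-bit
    (0, b"\xcf\xfa\xed\xfe"),
    (0, b"\xca\xfe\xba\xbe"),    # Mach-O universal (fat) binary
]

def _matches(data: bytes, signatures) -> bool:
    """True if any (offset, magic) pair is present at its offset in data."""
    return any(data[off:off + len(magic)] == magic for off, magic in signatures)

def validate_download(filename: str, data: bytes) -> str:
    """Classify a download as 'safe', 'executable', 'mismatch' or 'unknown'.

    The whole file is inspected, not just the name, so an executable carrying
    an image or movie extension is reported as 'executable' and a 'safe'
    extension is only honoured when the bytes really carry that format.
    """
    if _matches(data, EXEC_SIGNATURES):
        return "executable"            # auto-open must be refused
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    signatures = SAFE_SIGNATURES.get(ext)
    if signatures is None:
        return "unknown"               # not a known-safe type: warn the user
    return "safe" if _matches(data, signatures) else "mismatch"

# Constructed sample inputs (not real downloads).
SAMPLES = {
    "photo.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 12,          # genuine JPEG header
    "picture.jpg": b"#!/bin/sh\necho constructed sample\n",      # script named as an image
    "clip.mov":    b"\xca\xfe\xba\xbe" + b"\x00" * 12,           # fat binary named as a movie
    "banner.jpg":  b"GIF89a" + b"\x00" * 10,                     # real GIF, wrong extension
    "blob.bin":    b"\x00" * 16,                                 # no known type at all
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(f"{name:12s} -> {validate_download(name, content)}")
```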


  2. #2 jephree
    Security Update 2006-002 Mac OS X 10.4.5 (PPC)

    http://www.apple.com/support/downloa...sx1045ppc.html

  3. #3 jephree
    Apple today released Security Update 2006-002 v1.1, which "improves security and reliability and is recommended for all users." Security Update 2006-002 v1.1's notes describe the same updated components as Security Update 2006-002 (apache_mod_php, CoreTypes, LaunchServices, Mail, rsync, and Safari), but it is now version 1.1. Additional information is not yet available, and the update is not yet available via Software Update.
