Original URL: http://www.reghardware.co.uk/2006/03/02/apple_security_update/
Apple released a security update (http://docs.info.apple.com/article.html?artnum=303382) on Wednesday that fixes multiple vulnerabilities, including a critical flaw in its Safari web browser that created a means for hackers to attack vulnerable systems.
The security bug meant malicious hackers could rename "safe file" extensions stored in ZIP archives, creating a way to trick users into executing malicious shell scripts. The flaw meant malicious applications could appear as a safe file type. If Mac users had left the "Open safe files after downloading" option enabled in Safari, then malware would automatically be executed as soon as a user was tricked into visiting a maliciously constructed website. Security researchers produced a proof-of-concept demo (http://www.us-cert.gov/current/current_activity.html#safarishell) to validate their concerns about the critical flaw.
Apple's update tackles the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or downloads are not automatically opened (in Mac OS X v10.3.9). The update also addresses 19 other security bugs in Mac OS X involving security flaws in Safari, the PHP Apache module and scripting environment as well as Mail and iChat security bugs, as summarised by Secunia here (http://secunia.com/advisories/19064/).
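The "additional download validation" Apple describes is, in essence, a check that an archive entry's contents agree with the extension Safari would trust. The following is an added illustration of that kind of check, written here for this article and not Apple's own code: it walks a ZIP archive and refuses to treat an entry as auto-openable when its extension is not on the safe list, when its Unix executable bit is set, when it begins with a `#!` shebang, or when its leading bytes do not match the declared type. The safe-extension list and magic-byte table are constructed for the example (Apple's actual list is not given in the article), and the sample archive, including the disguised script entry, is built in memory so nothing is written to disk.

```python
import io
import zipfile

# Constructed set of extensions standing in for Safari's "safe" file types
# (assumption: illustrative only, not Apple's real list).
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}

# Leading bytes a genuine file of each type carries.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def extension_of(name):
    """Lower-cased extension of the last path component ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def verdict_for(info, data):
    """Decide whether one archive entry may be auto-opened ('ok') or needs a warning."""
    ext = extension_of(info.filename)
    if ext not in SAFE_EXTENSIONS:
        return "warn: extension not on the safe list"
    unix_mode = info.external_attr >> 16  # upper 16 bits hold the Unix mode
    if unix_mode & 0o111:
        return "warn: executable bit set on a 'safe' file"
    if data.startswith(b"#!"):
        return "warn: script content behind a safe extension"
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        return "warn: content does not match the extension"
    return "ok"


def validate_archive(zip_bytes):
    """Return {entry name: verdict} for every file entry in the archive."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results[info.filename] = verdict_for(info, zf.read(info))
    return results


def flagged_entries(zip_bytes):
    """Names of entries that must not be opened without asking the user."""
    return sorted(n for n, v in validate_archive(zip_bytes).items() if v != "ok")


def build_sample_archive():
    """Constructed archive: a genuine image, a text note and a disguised script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("readme.txt", b"plain text, nothing to see")
        # A shell script renamed to a safe-looking extension and marked executable
        # (constructed sample; the script only echoes a string).
        disguised = zipfile.ZipInfo("cute.jpg")
        disguised.external_attr = 0o755 << 16
        zf.writestr(disguised, b"#!/bin/sh\necho 'this would have run'\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in validate_archive(build_sample_archive()).items():
        print(f"{name:12} {verdict}")
```

The ordering of the checks matters: the executable bit is read from the ZIP entry's metadata before the content is inspected, since that bit, rather than the extension, is what decides whether the system treats an unpacked file as a program. A real browser-side validator would also have to apply the same rules to files the archive unpacks into nested directories, which is why `extension_of` looks only at the last path component.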
The appearance of the Safari bug, along with a brace of low- to no-risk worms affecting Mac OS X, spawned a lively debate between Mac fans and security vendors over the impact of the security flap, which disinterested observers judged (http://www.theregister.co.uk/2006/02/27/apple_security_threats_a_reality) to be largely academic. ®