Time to apply OS X patch 2006-003 [UPDATED]

The third ’06 security update for Mac OS X has been released.

This update fixes 25 separate vulnerabilities, including several issues in zip archive and image file handling, among them ones reported by Tom Ferris.

The original security advisory from Apple is located at
Exploitation of many issues may lead to arbitrary code execution.

Some statistics on this year's updates so far:

Security Update 2006-001 – 15 issues
Security Update 2006-002 – 3 issues
Security Update 2006-003 – 25 issues

From the SANS Top 20 Spring Update:

2006 Spring Update on SANS Top 20 Internet Security Vulnerabilities Shows Marked Increase in Zero-Day Attacks and Growth in Attacks on Apple OS/X

It’s time to visit the Apple Downloads site or use the Software Update feature.

UPDATE: I forgot to include a link to McAfee’s new white paper The New Apple of Malware’s Eye: Is Mac OS X the Next Windows? [PDF document, 6 pp.]
UPDATE #2: According to Ferris’s new posting, ‘All of the Safari flaws within the Apple OS X Safari 2.0.3 Multiple Vulnerabilities advisory are still unpatched.’ Additionally, ‘The core issue “ReadBMP ()” .bmp Heap Overflow has not been fixed’.
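The unfixed BMP issue above belongs to the best-known class of image-decoder bugs: size fields in an attacker-controlled header decide how much the decoder allocates and how much it then copies. The following is an added illustration written for this page, not Apple’s ReadMP code and not the specific flaw Ferris reported: a minimal BMP header validator that does the arithmetic in 64 bits, rejects dimensions whose product would wrap, and refuses files that claim more pixel data than they contain. The BMP layout (14-byte file header plus 40-byte BITMAPINFOHEADER) is the standard Windows format; the sample inputs are constructed in-file with zeroed pixel data.

```c
/* Added illustration (not Apple's ReadBMP): the header checks a BMP decoder
 * must make before allocating its pixel buffer. Layout: 14-byte file header
 * followed by a 40-byte BITMAPINFOHEADER, all fields little-endian. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum bmp_status { BMP_OK = 0, BMP_TRUNCATED, BMP_BAD_MAGIC, BMP_BAD_DIMS,
                  BMP_OVERFLOW, BMP_BAD_OFFSET };

typedef struct {
    uint32_t width, height, bpp;
    uint32_t stride;        /* bytes per padded row */
    uint64_t pixel_bytes;   /* stride * height, computed without wrap */
    uint32_t naive_alloc32; /* w*h*bpp/8 in 32-bit arithmetic: what a careless
                               decoder would hand to malloc() */
} bmp_dims;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate the headers in buf[0..len) and report sizes a decoder may rely on. */
enum bmp_status bmp_check(const uint8_t *buf, size_t len, bmp_dims *out)
{
    if (len < 54) return BMP_TRUNCATED;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_BAD_MAGIC;

    uint32_t data_offset = rd32(buf + 10);
    uint32_t info_size   = rd32(buf + 14);
    int32_t  w           = (int32_t)rd32(buf + 18);
    int32_t  h           = (int32_t)rd32(buf + 22);   /* negative = top-down */
    uint16_t planes      = rd16(buf + 26);
    uint16_t bpp         = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);

    if (info_size < 40 || info_size > len - 14) return BMP_TRUNCATED;
    if (w <= 0 || h == 0 || h == INT32_MIN) return BMP_BAD_DIMS; /* -INT32_MIN is UB */
    if (planes != 1 || compression != 0) return BMP_BAD_DIMS;    /* only BI_RGB here */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_BAD_DIMS;

    uint32_t uw = (uint32_t)w;
    uint32_t uh = (uint32_t)(h < 0 ? -h : h);
    if (out) {
        out->width = uw; out->height = uh; out->bpp = bpp;
        out->naive_alloc32 = uw * uh * bpp / 8;   /* wraps silently in 32 bits */
    }

    /* Row stride: bits per row rounded up to a 32-bit boundary, in 64-bit math */
    uint64_t stride = (((uint64_t)uw * bpp + 31) / 32) * 4;
    uint64_t pixel_bytes = stride * uh;
    if (pixel_bytes > UINT32_MAX) return BMP_OVERFLOW;          /* would wrap a 32-bit size */
    if (data_offset < 14 + info_size || data_offset > len) return BMP_BAD_OFFSET;
    if (pixel_bytes > (uint64_t)(len - data_offset)) return BMP_TRUNCATED; /* claims data it lacks */

    if (out) { out->stride = (uint32_t)stride; out->pixel_bytes = pixel_bytes; }
    return BMP_OK;
}

/* Constructed sample input: a file_len-byte buffer (zeroed pixel area) carrying
 * the given header fields, run through bmp_check. Not a real image. */
enum bmp_status run_case(int32_t w, int32_t h, uint16_t bpp, size_t file_len, bmp_dims *out)
{
    uint8_t *buf = calloc(file_len ? file_len : 1, 1);
    if (!buf) return BMP_TRUNCATED;
    if (file_len >= 54) {
        buf[0] = 'B'; buf[1] = 'M';
        wr32(buf + 2, (uint32_t)file_len);
        wr32(buf + 10, 54);              /* pixel data right after both headers */
        wr32(buf + 14, 40);              /* BITMAPINFOHEADER size */
        wr32(buf + 18, (uint32_t)w);
        wr32(buf + 22, (uint32_t)h);
        wr16(buf + 26, 1);
        wr16(buf + 28, bpp);
        wr32(buf + 30, 0);               /* BI_RGB */
    }
    enum bmp_status st = bmp_check(buf, file_len, out);
    free(buf);
    return st;
}

int main(void)
{
    static const char *names[] = { "OK", "TRUNCATED", "BAD_MAGIC", "BAD_DIMS", "OVERFLOW", "BAD_OFFSET" };
    bmp_dims d;
    enum bmp_status st;

    st = run_case(2, 2, 24, 70, &d);             /* 2x2 24bpp: 8-byte rows, 16 pixel bytes */
    printf("2x2x24, 70 bytes:          %s (stride %u, %llu pixel bytes)\n",
           names[st], d.stride, (unsigned long long)d.pixel_bytes);
    st = run_case(0x10000, 0x10000, 32, 54, &d); /* w*h*4 = 2^34, wraps to 0 in 32 bits */
    printf("65536x65536x32, 54 bytes:  %s (naive 32-bit alloc would be %u bytes)\n",
           names[st], d.naive_alloc32);
    st = run_case(4000, -4000, 24, 54, NULL);    /* top-down image claiming 48 MB it lacks */
    printf("4000x-4000x24, 54 bytes:   %s\n", names[st]);
    return 0;
}
```

The second case is the shape of bug to look for: the 32-bit product of the declared dimensions wraps to zero, so a decoder that sizes its heap buffer with that product and then copies row by row writes far past the allocation. Checking the 64-bit size against the actual file length also covers the "slightly modified file" situation, where a header is tweaked so that it no longer matches a signature-style fix but still describes more data than is present.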

  • lazy joe

    Caution to those that are quick to judge: just because there is a rise in MacOS related vulnerabilities doesn’t mean that the OS is insecure. Rather, after a long time during which MacOS was not treated as a mainstream OS worth testing by security researchers, the focus has partly moved to it, causing an “influx” of advisories and vulnerabilities being discovered.

  • http://www.xyberpix.com xyberpix

    Another thing on the latest updates: read the Apple forums about the update before installing it. This update has caused a lot of people a load of pain, and has even led to some re-installs.

  • HotDog

    On May 11th Apple released security update 2006-003 which did not fix all of the issues I had reported to them. All of the Safari flaws within the “Apple OS X Safari 2.0.3 Multiple Vulnerabilities” advisory are still unpatched.

    The core issue within advisory sp-x27 entitled “Apple OS X 10.4.6 “ReadBMP ()” .bmp Heap Overflow” has not been fixed. Security Update 2006-003 does prevent the crash when opening the original proof-of-concept file. But after slightly modifying that file, I was able to trigger the same issue with the latest security update installed.

  • http://www.xyberpix.com xyberpix

    That’s really interesting. Have you contacted Apple to find out why not? I’d be really interested to see their response.

  • http://networksecurity.typepad.com/ Juha-Matti

    Thanks, HotDog, for sharing this new information when I was late :-)