March hasn't been a particularly good month for Apple from a security standpoint. Mac users are now being treated to their second patch update in fewer than two weeks, and according to one security research firm, there are still unresolved issues.
One issue was a fix for a zero-day exploit that left Safari users at risk from malicious sites that could have automatically downloaded arbitrary code onto a Mac.
The 2006-002 update, according to Apple's advisory, "provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened."
The new update also fixes a download validation issue introduced in the 2006-001 update.
Apparently a user could have been erroneously warned about safe file types that had custom icons. Such false positives could have been reported for safe Word documents among others.
Rsync and apache_mod_php are also fixed in the release from the 2006-001 update versions due to regression issues that created some functionality issues.
The 2006-002 update includes fixes for new issues, as well. A fix for CVE-ID: CVE-2006-0396 corrects an issue that could have allowed a maliciously crafted Mail attachment to trigger a buffer overflow.
An included fix for CVE-ID: CVE-2006-0400 addresses an issue that could have enabled a malicious remote Web site to bypass the same-origin policy, which is supposed to restrict JavaScript data access.
The aggregate criticality of the vulnerabilities disclosed in Apple's 2006-002 update, according to security firm Secunia, is "highly critical."
The update also does not apparently patch all outstanding publicly reported issues that Apple has, either. Security firm eEye has claimed that iTunes and QuickTime are at risk from a pair of as yet unpatched vulnerabilities.
"As far as we know, this update does not address our issues," Steve Manzuik, eEye security product manager, told internetnews.com.
