This document describes Security Update 2006-002, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Note: Security Update 2006-002 v1.1 was released to address an issue in which Safari was not updated by v1.0 if it had been moved from its default location in the Applications folder. This article describes the steps to follow if Safari is not located in the Applications folder.

If Safari is located in the Applications folder, Security Update 2006-002 is sufficient, and there is no need to install Security Update 2006-002 v1.1.

Security Update 2006-002

• CoreTypes

  CVE-ID: CVE-2006-0400

  Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5

  Impact: Remote web sites can cause JavaScript to bypass the same-origin policy

  Description: When documents containing Javascript are loaded from a remote site, data access is restricted by the same-origin policy. However, under certain situations, maliciously-crafted archives can cause these restrictions to be bypassed. This update addresses the issue by flagging these documents as unsafe.

• Mail

  CVE-ID: CVE-2006-0396

  Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5

  Impact: Double-clicking an attachment in Mail may result in arbitrary code execution

  Description: By preparing a specially-crafted email message with attachments, and enticing a user to double-click on that attachment within Mail, an attacker may trigger a buffer overflow. This could result in the execution of arbitrary code with the privileges of the user running Mail. This update addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.4. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

• Safari, LaunchServices, CoreTypes

  CVE-ID: CVE-2006-0397, CVE-2006-0398, CVE-2006-0399

  Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5

  Impact: Viewing a malicious web site may result in arbitrary code execution

  Description: Security Update 2006-001 addressed an issue where Safari could automatically open a file which appears to be a safe file type, such as an image or movie, but is actually an application. This update provides additional checks to identify variations of the malicious file types addressed in Security Update 2006-001 so that they are not automatically opened. This issue does not affect systems prior to Mac OS X v10.4. Credit to Will Dormann of CERT/CC and Andris Baumberger for reporting several of these issues.

The following non-security issues introduced by Security Update 2006-001 are also addressed by this update:

• Download Validation: Security Update 2006-001 could cause the user to be warned when provided with certain safe file types, such as Word documents, and folders containing custom icons. These unneeded warnings are removed with this update.

• apache_mod_php: A regression in PHP 4.4.1 that could prevent SquirrelMail from functioning is corrected with this update.

• rsync: A regression in rsync that prevented the "--delete" command line option from functioning is corrected with this update.