Apple Patches More Holes

Apple has updates out for security problems in WebCore (Mac OS X's HTML layout engine) and WebKit, the application framework that serves as an underpinning for many Mac applications. The issue concerning Apple's WebKit browser engine could make a Mac OS X application user vulnerable to attack if he or she were to visit a maliciously crafted site. Security Update 2007-006 takes care of an HTTP injection bug that occurs in WebCore's XMLHttpRequest when it's serializing headers into an HTTP request. The vulnerability can lead to cross-site scripting attacks if a victim is lured to a maliciously crafted site. The WebCore issue affects Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later and Mac OS X Server v10.4.9 or later.
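The article gives no detail on the WebCore bug beyond "HTTP injection" during header serialization. The following is an added example, not WebCore's code and not from the article, of the general bug class, assuming the usual form in which CR/LF in a script-supplied header value is written into the request unchecked. The function names and the sample header are constructed for illustration.

```javascript
// Added illustration (not WebCore's code): serializing request headers
// without and with validation of caller-supplied names and values.

// Characters permitted in an HTTP header field name ("token").
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// CR, LF and NUL must never reach the wire inside a field value.
const FORBIDDEN_VALUE_RE = /[\r\n\0]/;

// Unchecked: concatenates caller-supplied strings straight into the request.
function serializeUnsafe(method, path, headers) {
  let out = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of headers) out += `${name}: ${value}\r\n`;
  return out + "\r\n";
}

// Checked: validates every name and value before anything is emitted.
function serializeChecked(method, path, headers) {
  for (const [name, value] of headers) {
    if (!TOKEN_RE.test(name)) {
      throw new SyntaxError(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (FORBIDDEN_VALUE_RE.test(value)) {
      throw new SyntaxError(`invalid value for header ${name}`);
    }
  }
  return serializeUnsafe(method, path, headers);
}

// Number of header lines a server would parse from the request head.
function headerLineCount(raw) {
  const head = raw.split("\r\n\r\n")[0];
  return head.split("\r\n").length - 1; // exclude the request line
}

// Constructed sample: a single header whose value contains CR/LF.
const sampleHeaders = [["X-Note", "hello\r\nX-Injected: 1"]];

function demo() {
  const unsafeLines = headerLineCount(serializeUnsafe("GET", "/", sampleHeaders));
  let rejected = false;
  try {
    serializeChecked("GET", "/", sampleHeaders);
  } catch (e) {
    rejected = e instanceof SyntaxError;
  }
  return { unsafeLines, rejected };
}

console.log(demo());
```

The unchecked serializer turns one supplied header into two header lines on the wire, while the checked one refuses the value before anything is sent.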

WebKit serves as an engine for the Safari browser as well as many other Mac OS X applications, including Dashboard and Mail. The problem with WebKit is an invalid type conversion when rendering frame sets, which can lead to memory corruption. Results range from the application quitting on up to a targeted system getting hijacked with arbitrary code execution. Apple's update for the WebKit glitch is available for Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9 or later and Mac OS X Server v10.4.9 or later.

Download: Security Update 2007-006
News source: eWeek


12 Comments


Well then, looks as though I've got my work cut out for me when August rolls around... I administer ~30 Macs and an XServe G5 running OS X 10.4.9, and at this rate, I'm gonna be spending about half an hour or so (maybe longer) deploying security updates to all the machines.

Figures... Apple comes out with major fixes or whatnot right after I cut my disk image for the new school year... just as always...

So what you are saying is Macs have issues updating; I can roll out as many patches as I want to my Windows boxes in a couple of minutes.

NeoTrunks said,
Odd that they release this fix to 10.4.9 after the release of 10.4.10. I'm already updated to the latest version.

If you read the article closely you will see that the bug itself was introduced with 10.4.9, and affects all versions since then (10.4.10). Also, bugs like this are most often fixed in Security Updates (aka 2007-00x) and not OS Updates.

backslash said,

If you read the article closely you will see that the bug itself was introduced with 10.4.9, and affects all versions since then (10.4.10). Also, bugs like this are most often fixed in Security Updates (aka 2007-00x) and not OS Updates.

This fix isn't available to me, at least not through Software Update. Maybe it was included in the update I got with the 10.4.10 package?

I apparently forgot to get 10.4.10 on this laptop when it first came out (I loaned it out last week) so the following screenshot shows that 2007-006 is independent of 10.4.10. I am not sure what you would do to check to see if it's installed or how you would go about manually installing it. Maybe you managed to get 2007-006 and 10.4.10 together like I did (i.e. you didn't get 10.4.10 until after 2007-006 came out).

Screenshot

backslash said,
I apparently forgot to get 10.4.10 on this laptop when it first came out (I loaned it out last week) so the following screenshot shows that 2007-006 is independent of 10.4.10. I am not sure what you would do to check to see if it's installed or how you would go about manually installing it. Maybe you managed to get 2007-006 and 10.4.10 together like I did (i.e. you didn't get 10.4.10 until after 2007-006 came out).

Screenshot

It looks like it may be included in the update, as I've never actually downloaded the separate security fix, and it's still not available to me. A good thing, I guess :).