Security Update 2007-004: Say what?!
Apple yesterday released Security Update 2007-004 through Software Update. The following two lines from the release notes pretty well summarize the release:
• A local user may be able to execute arbitrary code with elevated privileges
• Cookies set by subdomains may be accessible to the parent domain
Say what?! Exactly. Security Updates have now gotten to the point where it’s pretty much impossible for the Rest of Us to have any clue about what’s going on. I guess that’s why we’re in business though, so here goes.
The first item, “A local user may be able to execute arbitrary code with elevated privileges” or its equivalent appears as the impact of 8 different fixes (there are 25 fixes total, or 20 if you count unique components fixed). It pretty much means if someone already has access to your Macintosh, they can do bad things to it if they really want to. No surprise there. But the harder it is for someone to do bad things (even if they already have access), the better, so that’s what these fixes are about.
The second item, “Cookies set by subdomains may be accessible to the parent domain” appears only once, but is indicative of most of the other fixes: (1) they’re impossible to understand, and (2) they really don’t matter to just about all of the Rest of Us. Not only does this fix not affect Mac OS X 10.4 at all, but, even on 10.3, it’s incredibly unlikely to be exploited, and even if it is, damage would usually be minimal. Most other fixes are similar, although perhaps slightly less obscure than this one (could anything be more obscure?).
Despite their confusing and obscure nature, as with most security fixes, you probably do want to install these, perhaps waiting a day or two to make sure they don’t break more than they fix (sites like ours will alert you if they do).
As a side note, the timing of this security update is a bit interesting, coming right at the start of the “Hack-a-Mac” contest at CanSecWest. Reportedly, the prize for breaking into a fully-updated MacBook is now $10,000 plus the MacBook, so that contest has gotten even more enticing, and definitely worth keeping an eye on.
Friday, April 20, 2007