Yesterday Apple released another security update. The update is pretty boring, which is a good thing. Security Update 2006-003 contains a large number of minor but still important security fixes. Unlike other updates this year, 2006-003 seems to have been simply part of Apple’s ongoing security operations rather than (at least seemingly) a reaction to a particular issue in the field.
Most of the issues addressed in the update seem to have been uncovered by Apple itself (they tend to give credit to others when this is not the case). Many address the quite theoretical possibility of “arbitrary code execution.” By specially crafting a Web site or a file in a highly unusual, unanticipated way, it is often theoretically possible for a hacker to cause his own program to be run on the user’s machine, at which time that program can, again theoretically, take over the user’s machine. From a practical perspective, if someone were to go to all the work to find such a vulnerability and to specifically craft an “attack” against it, the worst that attack would probably do would be to crash the particular application (for instance Safari) that the user was running to access the Web site or file. Nonetheless, in this case it’s absolutely better to be safe than sorry, and it’s great to see Apple proactively searching for and fixing such vulnerabilities.
Even if it does seem awfully boring to the Rest of Us.
Friday, May 12, 2006