Responding to several well-publicized security issues that raised eyebrows within the IT world, Apple on Wednesday issued its first security update of the year.
The update for OS X patched 20 flaws, including a critical vulnerability that allows an attacker to run arbitrary code when a user visits a malicious website through the Safari browser. The shell script is renamed to be a safe file stored in a ZIP archive.
The proof-of-concept exploit – discovered last week – is made possible by a user enabling the "open safe files after downloading" option in the Safari browser.
According to the security update, users now either will be warned about the malicious code – or the download will not automatically open.
The update also provided a "security enhancement" for the first Mac OS X virus, Leap.A. The worm spreads via the iChat instant messaging system, forwarding itself as a file called latestpics.tgz to contacts on the infected users' buddy list.
iChat now uses "download validation to warn of unknown or unsafe file types during file transfers," Apple said in the security update.
The update also plugged four other Safari holes that could allow abitrary code execution, four flaws in Apples' web-scripting language and two vulnerabilities in its Directory Services, which could lead to privilege escalation.
Some expressed surprise over the latest viruses and vulnerabities, considering the Mac OS has a long-standing reputation for saftey. However, experts warned users to download all security updates, reminding them that no operating system is invincible from attacks.
The latest Apple updates can be installed through Software Update preferences on Mac OS X.
An Apple spokesperson did not return telephone calls seeking comment.
