Apple has released the latest update to Mac OS X 10.6, Snow Leopard, with security fixes for dozens of flaws, bugs and vulnerabilities. The 10.6.2 update, which ranges in size from 157 MB for some Macs (via Software Update) to 473 MB (from Apple’s downloads page), includes a number of fixes and optimizations for the operating system. It also includes fixes for 58 security issues.
Notable in this update is a fix for the Guest account data loss bug. We discussed this in September and again in October. In certain circumstances, this serious bug caused people to lose all the data in their home folders after they logged into the Guest account. Interestingly, Apple lists this not as a security fix, but as a general operating system fix:
• an issue that caused data to be deleted when using a guest account
However, one security fix in this update addresses an issue that is somewhat related to the Guest account:
A race [sic] condition exists in Login Window. If an account on the system has no password, such as the Guest account, a user may log in to any account without supplying a password.
Other security fixes include a number of updates to the Apache web server, the usual fixes for “maliciously crafted” images or movies that can lead to “unexpected application termination or arbitrary code execution,” and even this issue with Dictionary:
A design issue in Dictionary allows maliciously crafted Javascript to write arbitrary data to arbitrary locations on the user’s filesystem.
One thing Apple hasn’t changed is the malware signature file that it uses for its limited malware protection feature (discussed here).
You can get full information about this security update
You can download the Mac OS X 10.6.2 update via Software Update or from Apple’s Downloads page. Updates are also available for Mac OS X Server. Full information about this update is available here.
Security Update 2009-006 is also available for Mac OS X 10.5. It’s worth noting that Apple has not issued a similar security update for Mac OS X 10.4 Tiger. It seems that Apple has ended its support for Tiger, and will no longer be providing even security fixes for that version of Mac OS X.