Security Update - June 7, 2004

[directX]

Security Update 2004-06-07 (Mac OS X 10.3.4 and 10.2.8 )

Description - Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. The purpose of this update is to increase security by alerting you when opening an application for the first time via document mappings or a web address (URL). Please see this article for more details, including a description of the new alert dialog box.

Versions: Security Update 2004-06-07 is available for the following system versions:
- Mac OS X v10.3.4 "Panther"
- Mac OS X Server v10.3.4 "Panther"
- Mac OS X v10.2.8 "Jaguar"
- Mac OS X Server v10.2.8 "Jaguar"

▪ Component: LaunchServices
CVE-ID: CAN-2004-0538
Impact: LaunchServices automatically registers applications, which could be used to cause the system to run unexpected applications.
Discussion: LaunchServices is a system component that discovers and opens applications. This system component has been modified to only open applications that have previously been explicitly run on the system. Attempts to run an application that has not previously been explicitly run will result in a user alert. Further information is available in this article.

▪ Component: DiskImageMounter
CVE-ID: No CVE ID has been reserved as this is only an additional preventative measure.
Impact: The disk:// URI type mounts an anonymous remote file system using the http protocol.
Discussion: The registration of the disk:// URI type is removed from the system as a preventative measure against attempts to automatically mount remote disk image file systems.

▪ Component: Safari
CVE-ID: CAN-2004-0539
Impact: The "Show in Finder" button would open certain downloaded files, in some cases executing downloaded applications.
Discussion: The "Show in Finder" button will now reveal files in a Finder window and will no longer attempt to open them. This modification is only available for Mac OS X v10.3.4 "Panther" and Mac OS X Server v10.3.4 "Panther" systems as the issue does not apply to Mac OS X v10.2.8 "Jaguar" or Mac OS X Server v10.2.8 "Jaguar".

▪ Component: Terminal
CVE-ID: Not applicable
Impact: Attempts to use a telnet:// URI with an alternate port number fail.
Discussion: A modification has been made to allow the specification of an alternate port number in a telnet:// URI. This restores functionality that was removed with the recent fix for CAN-2004-0485.

Mac OS X 10.3.4

▪ NFS: Fixes CAN-2004-0513 to improve logging when tracing system calls. Credit to David Brown <dave@spoonguard.org> for reporting this issue.
▪ LoginWindow: Fixes CAN-2004-0514 to improve the handling of directory services lookups.
▪ LoginWindow: Fixes CAN-2004-0515 to improve the handling of console log files. Credit to aaron@vtty.com for reporting this issue.
▪ Packaging: Fixes CAN-2004-0516 to improve package installation scripts. Credit to aaron@vtty.com for reporting this issue.
▪ Packaging: Fixes CAN-2004-0517 to improve the handling of process IDs during package installation. Credit to aaron@vtty.com for reporting this issue.
▪ TCP/IP: Fixes CAN-2004-0171 to improve the handling of out-of-sequence TCP packets.
▪ AppleFileServer: Fixes CAN-2004-0518 to improve the use of SSH and reporting errors.
▪ Terminal: Fixes CAN-2004-0485 to improve the handling of URLs. Credit to René Puls <rpuls@gmx.net> for reporting this issue.

Note: Mac OS X 10.3.4 includes Security Update 2004-04-05 and Security Update 2004-05-03.