This document describes the security content of the Mac OS X 10.4.1 Update, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How To Use The Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
Available for: Mac OS X v10.4, Mac OS X Server v10.4
CVE-ID: CAN-2005-1333
Impact: Directory traversal via Bluetooth file and object exchange
Description: Due to insufficient input checking, the Bluetooth file and object exchange services could be used to access files outside of the default file exchange directory. This update addresses the issue by adding enhanced filtering for path-delimiting characters. Credit to kf_lists[at]digitalmunition[dot]com for reporting this issue.
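The following is an added example, not Apple's code and not the actual fix: a receiver-side check of the kind the description refers to, rejecting path-delimiting characters in a peer-supplied object name and confirming that the resolved path stays in the exchange directory. The function names, the delimiter set and the sample names are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: the advisory does not list the filtered characters. "/" and "\\"
# are the usual delimiters; ":" is the classic Mac OS path separator.
PATH_DELIMITERS = ("/", "\\", ":")


class UnsafeNameError(ValueError):
    """A received object name could escape the exchange directory."""


def resolve_received_name(exchange_dir, object_name):
    """Map a peer-supplied object name to a path inside exchange_dir."""
    if not object_name or "\x00" in object_name:
        raise UnsafeNameError("empty name or embedded NUL")
    if any(ch in object_name for ch in PATH_DELIMITERS):
        raise UnsafeNameError("path-delimiting character in name")
    if object_name in (".", ".."):
        raise UnsafeNameError("directory reference, not a file name")
    base = os.path.realpath(exchange_dir)
    candidate = os.path.realpath(os.path.join(base, object_name))
    # Defence in depth: after symlink resolution the target must still sit
    # directly under the exchange directory.
    if os.path.dirname(candidate) != base:
        raise UnsafeNameError("resolved path leaves the exchange directory")
    return candidate


def check_names(exchange_dir, names):
    """Return {name: resolved path, or None if the name was rejected}."""
    results = {}
    for name in names:
        try:
            results[name] = resolve_received_name(exchange_dir, name)
        except UnsafeNameError:
            results[name] = None
    return results


if __name__ == "__main__":
    # Constructed sample names, as a remote device might send them.
    samples = ["card.vcf", "../card.vcf", "sub/card.vcf", "Disk:card.vcf", ".."]
    with tempfile.TemporaryDirectory() as exchange:
        for name, path in check_names(exchange, samples).items():
            print(repr(name), "->", path or "REJECTED")
```

The character filter alone would miss a symbolic link already present in the exchange directory, which is why the resolved path is compared against the directory as a second check.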
CVE-ID: CAN-2005-1474
Available for: Mac OS X v10.4, Mac OS X Server v10.4
Impact: Malicious websites can download and install widgets via Safari without the Safe Download Validation warning
Description: This update blocks the automatic installation of Dashboard widgets. Mac OS X's Safe Download Validation warning is enabled, requiring user approval before a Dashboard widget is installed by Safari. This issue does not affect Mac OS X versions prior to 10.4. Further information on removing Dashboard widgets that you have installed is available here.
CVE-ID: CAN-2005-1472
Available for: Mac OS X v10.4, Mac OS X Server v10.4
Impact: Users can discover the names of files placed in normally unsearchable places
Description: Two system calls designed to allow efficient searching of filesystem objects incorrectly checked the permissions on enclosing directories and would reveal the names of files. The incorrect checking only occurred for directories that have the POSIX execute bit, but not the POSIX read bit, set for group and other. In practice this issue only affects files stored in users' ~/Public/Drop Box. This update addresses the issue by correctly honoring the POSIX permission bits on directories. Credit to John M. Glenn of San Francisco for reporting this issue.
Available for: Mac OS X v10.4, Mac OS X Server v10.4
CVE-ID: CAN-2005-0974 (CERT: VU#713614)
Impact: Local system users can cause a local denial of service
Description: A vulnerability in the nfs_mount() call due to insufficient checks on input values could allow unprivileged local users to create a denial of service via a kernel panic.
CVE-ID: CAN-2005-1473
Available for: Mac OS X v10.4, Mac OS X Server v10.4
Impact: Users with physical access to a system with a locked screensaver can start background applications
Description: A contextual menu feature in Mac OS X 10.4 allows URLs to be opened from a text input field. This could be used to launch an application behind a locked screensaver window. This update addresses the issue by removing the contextual menu from screensaver text input fields.