Apple releases Security Update 2006-008 for OS X.4.8

Apple Computer ^ | 12/19/2006 | Apple Computer

[Swordmaker]

About Security Update 2006-008

This document describes Security Update 2006-008, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see "Apple Security Updates."

Security Update 2006-008

• QuickTime for Java, Quartz Composer

  CVE-ID: CVE-2006-5681

  Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8

  Impact: Visiting a malicious web site may lead to information disclosure

  Description: Java applets may use QuickTime for Java to obtain the images rendered on screen by embedded QuickTime objects and upload them to the originating web site. When this facility is used in conjunction with Quartz Composer, it becomes possible to capture images that may contain local information. This update addresses the issue by disallowing Quartz Composer compositions in unsigned Java applets. Quartz Composer compositions continue to function locally. Applications and signed Java applets that utilize QuickTime and QuickTime for Java are unaffected. This issue does not affect systems prior to Mac OS X v10.4. It also does not affect the Windows platform. Credit to Geoff Beier for reporting this issue.

[Swordmaker]

Time to select Software Update under the Big Blue Apple on the Menu bar.

Security Update 2006-008 for OS X.4.8 PING!

If you want on or off the Mac Ping List, Freepmail me.

[Sundog]

Got it installed.

Thanks.