The Mac OS X v10.6.3 update, which is considered “critical,” covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.
In some scenarios, a malicious hacker could take complete control of a Mac-powered machine if a user simply views a malicious image or movie file.
Microsoft has also been busy, with an out-of-cycle patch for Internet Explorer that fixes a hole being exploited by malware in the wild:
Here’s the full list of the patched vulnerabilities.
The Security Update 2010-002 / Mac OS X v10.6.3 may be obtained from the Software Update pane in System Preferences, or Apple’s Software Downloads web page.
If you run Internet Explorer - and you shouldn't if you have any choice - get the patch. Out-of-cycle patches only happen when there's bad juju.
Microsoft released an emergency IE patch on Tuesday after deciding that an upswing in hacking attacks targeting a zero-day vulnerability in IE 6 and 7 couldn't wait for the next scheduled edition of Patch Tuesday, due on 13 April.
The cumulative IE update (MS10-018) released on Tuesday also fixes nine other security bugs in Microsoft's browser software. All versions of IE from 5.01 to 8.0, on client and servers, are vulnerable to varying degrees and need patching. Other than the blockbuster bug - which involves the iepeers.dll library and creates a handy mechanism to drop malware onto vulnerable systems - other flaws fixed by the release focus on memory corruption vulnerabilities, as explained in a post by the SANS Institute's Internet Storm Centre here.
Also, there's malware that disguises itself as an Adobe updater program:
Legitimate updates ALWAYS come from the vendor's web site (e.g. security.microsoft.com). You should treat ANY email saying there's an update as malware spam.
Nguyen Minh Duc, director of Bkis Security, writes that the recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package.
Variants of the malware also pose as updaters for Java and other software applications.
Busy security week, and the week's not half over.