Apple has released a fix for a critical security bug in iChat, its instant-messaging program, just a few days after an update that fixed 15 Mac OS X security flaws. Security researchers also expanded their assessment of the impact of a Linux graphics vulnerability.
Thursday's Security Update 2004-09-16 fixes a bug in iChat 1 and 2 that could allow an attacker to run malicious code on a victim's PC. According to a warning from Danish security firm Secunia, the application doesn't sufficiently validate links before opening them, meaning an attacker could launch programs by embedding references to local resources in a message.
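An added illustration of the kind of check the advisory describes, written for this page rather than taken from iChat or Apple: a link classifier that refuses to hand references to local resources to the system, with the function name and the scheme allowlist being assumptions.

```python
"""Classify links found in a message before they are opened (hypothetical
example, not Apple's code): only allowlisted schemes pass, and anything that
names a local resource is flagged separately so the client can refuse it."""
from urllib.parse import urlsplit

# Assumed policy: only these schemes may be opened from a chat message
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def classify_link(raw: str) -> str:
    """Return 'allow', 'local' or 'reject' for one link.

    'local' covers file: URLs, bare paths and drive-letter paths, i.e. the
    "references to local resources" the advisory warns about; 'reject' covers
    every other scheme that is not on the allowlist, and malformed links.
    """
    link = raw.strip()
    # Embedded whitespace or control characters never belong in a link, and
    # newer urlsplit() versions silently drop some of them, so check first.
    if any(c.isspace() or ord(c) < 0x20 for c in link):
        return "reject"
    parts = urlsplit(link)
    scheme = parts.scheme.lower()
    # No scheme (a bare path), an explicit file: URL, or a one-letter
    # "scheme" (a Windows drive letter) all point at the local machine.
    if scheme in ("", "file") or len(scheme) == 1:
        return "local"
    if scheme not in ALLOWED_SCHEMES:
        return "reject"
    # http/https must actually name a host; "http:/foo" is not a valid link
    if scheme in ("http", "https") and not parts.netloc:
        return "reject"
    return "allow"


if __name__ == "__main__":
    # Constructed sample links of the kind a message might carry
    for sample in ("http://example.com/page",
                   "file:///Applications/Calculator.app",
                   "/Applications/Calculator.app",
                   "javascript:alert(1)"):
        print(f"{classify_link(sample):7s} {sample}")
```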
Earlier this month Apple patched 15 flaws in OS X, including serious ones such as a vulnerability in Kerberos. That patch fixed bugs in Apache 2, IPSec, rsync and other open-source components, as well as in Apple applications such as the Safari browser.
On Friday, Secunia released a second advisory for a bug affecting applications that handle XPM images. Initially researchers had warned of XPM-related flaws in the libXpm library, but Secunia then alerted users that the same vulnerability also affects XFree86. Suse Linux and MandrakeSoft have issued patches for XFree86 that solve the problem.
A number of serious flaws related to image-handling components have surfaced recently. Last week, the Mozilla Foundation fixed a problem involving bitmap images, while Microsoft patched a serious vulnerability in decoding JPEG images. Earlier image-related security holes were patched in the imlib library earlier this month, in Qt in August, and in Internet Explorer in August.
Other recent Linux flaws have included a denial-of-service bug in Samba, revealed last week, and a bug in Kerberos at the beginning of September, which also affected other operating systems. Linux kernel flaws were discovered in February and June.
Microsoft has had several major bugs to cope with over the summer, including a drag-and-drop problem with Internet Explorer in August, and other browser bugs in June and July.
May was Apple's month to suffer, with unspecified, highly critical flaws coming to light at the beginning of that month, followed by problems with URI handling later in the month, along with much criticism of Apple's handling of security problems.