site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2006-12-19 Security Update 2006-008 Security Update 2006-008 is now available and provides a fix for the following security issue: QuickTime for Java Quartz Composer CVE-ID: CVE-2006-5681 Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8 Impact: Visiting a malicious web site may lead to information disclosure Description: Java applets may use QuickTime for Java to obtain the images rendered on screen by embedded QuickTime objects and upload them to the originating web site. When this facility is used in conjunction with Quartz Composer, it becomes possible to capture images that may contain local information. This update addresses the issue by disallowing Quartz Composer compositions in unsigned Java applets. Quartz Composer compositions continue to function locally. Applications and signed Java applets that utilize QuickTime and QuickTime for Java are unaffected. This issue does not affect systems prior to Mac OS X v10.4. It also does not affect the Windows platform. Credit to Geoff Beier for reporting this issue. Security Update 2006-008 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.4.8 (PowerPC) The download file is named: "SecUpd2006-008Ti.dmg" Its SHA-1 digest is: 32af5ee777a3672117db7b6e9d5c96884c7b6bde For Mac OS X v10.4.8 (Intel) The download file is named: "SecUpd2006-008Univ.dmg" Its SHA-1 digest is: 08f2353b65540d94abf6a0b905442af825318409 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.0.3 (Build 2932) iQEVAwUBRYgy44mzP5/bU5rtAQhSPwf/TiodCGyM0G7SxqkxN1yNyvb8rVbUmead 6AlpYIPeBCzfErfBlGJYu3Y77GogWQjLhqcl4JghrkJw4Bs3z+/+HPtHHakGjLw7 t4xdHcnINEuzghA9rHveoTrV4htX4RnZBfGYHN3MaN4VAt+JZGqVXbltSVu6J0LB BkXkOhTi+QrEbYK4rqNTu/G+hGvnLtC2di/1EDjLKCG0Hn+8QqA4zMakJGFm8wpi /nUZ6uuLv/YDpjgpoVunufWfqk2fnHKGi9pgcS9RiyaTJVEoa75NKbQfWjU2JdH1 KDnhA39FQ9PzjMdn3KJdFCRwYBR+QMSO91dVoJQJB+8SABkZYpOLDA== =Zs9R -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com