The script, released Monday, tackles a pernicious phishing problem in browsers. The loophole could allow an attacker to use certain characters from different languages to create legitimate-looking Web addresses that actually send victims to malicious Web sites. The security problem affected all browsers that supported Internationalized Domain Names, or IDN, and is not Apple-specific.
Have you been phished?
"For example, the Cyrillic letter 'a' could be used in place of the Latin letter 'a,' making it difficult for a user to tell if they are at www.apple.com or a malicious imposter website that's designed to look like the real one," the company said in an advisory discussing the problem. "These sites can be used to collect account numbers, passwords and other personal information."
Other browsers affected by the IDN security issue include the Mozilla Foundation's Mozilla and Firefox, and Opera. Both Mozilla and Opera Software have issued fixes for the problem. Microsoft's Internet Explorer does not support IDN, so it is not vulnerable to such attacks. However, plug-ins that add IDN functionality to Internet Explorer do put it at risk.
The newly released patches take care of flaws in the Apple Filing Protocol server and the Samba filing-sharing server, as well as multiple issues with the Cyrus authentication software, Mailman, SquirrelMail and Cyrus mail software.
The patches can be downloaded from Apple's Web site or automatically installed via Apple's Software Update tool.
