Apple released a security update on Wednesday that fixes multiple vulnerabilities, including a critical flaw in its Safari web browser that created a means for hackers to attack vulnerable systems.

The security bug meant malicious hackers could rename "safe file" extensions stored in ZIP archives, creating a way to trick users into executing malicious shell scripts. The flaw meant malicious applications could appear as a safe file type. If Mac users had left the "Open safe files after downloading" option enabled in Safari then malware would automatically be executed as soon as a user was tricked into visiting a malicious-constructed website. Security researchers produced a proof of concept demo to validate their concerns about the critical flaw.

The appearance of the Safari bug, along with a brace of low to no risk worms affecting Mac OS X, spawned a lively debate between Mac fans and security vendors over the impact of the security flap, which disinterested observers judged to be largely academic. ®

Related stories

• Unpatched bug bites QuickTime (3 January 2007)
• Apple updates to defend against OS, app and QuickTime flaws (15 May 2006)
• Apple releases Mac OS X 10.4.6 update (4 April 2006)
• Microsoft sets Apple straight on security (23 March 2006)
• Plug pulled on Mac hacking challenge (9 March 2006)
• Triple threat to Mac OS X largely academic (27 February 2006)
• Sophos in Mac OS X worm false alarm (23 February 2006)
• Unpatched Mac OS X hole poses critical risk (22 February 2006)
• Mac OS X malware latches onto Bluetooth vulnerability (17 February 2006)
• 'First' Mac OS X Trojan sighted (16 February 2006)
• Apple bitten by iTunes security bugs (11 January 2006)