Apple has made four new security updates available on its website and the Software Update selection under the Apple menu on a Mac. The flaws in Mac OS X and iChat were identified by the Month of Apple Bugs project, which also included proof-of-concepts for the flaw, although attack code doesn’t appear to have surfaced. Apple has fixed several flaws identified during the course of January by the project, but some remain open.
Two of the flaws found in Finder and iChat could allow an attacker to execute code on an unpatched system, Apple said. There's a buffer overflow flaw in Finder that could allow an attacker to take control of a system by "enticing a user into mounting a malicious disk image," or tricking someone into enabling local access of a file supposedly stored on a remote server. The iChat patch fixes an issue in which a user could click on a malicious URL in a chat session and trigger an overflow, possibly opening the system to an attacker. The two other patches concern flaws that require a malicious local user. The first is in iChat again and could cause the application to crash while the second one is for a UserNotification flaw that could allow system files to be overwritten.