Just as we were about to wrap this issue, including a brief bit about an update to Paranoid Android - Unsanity's hack for warning the user about the launching of unknown URL schemes - Apple released Security Update 2004-06-07, which claims to fix all of the recently identified security vulnerabilities in Mac OS X (see our articles on the topic in TidBITS-731 for full details on what was broken).

<http://db.tidbits.com/article/07679>
<http://db.tidbits.com/article/07680>
<http://www.unsanity.com/haxies/pa/>

In short, the security update revises Launch Services so it alerts the user to applications that have not been explicitly launched before (with a dialog along the lines of the one Paranoid Android puts up). It also removes the registration of the disk URL scheme so disk images accessed via disk URLs no longer mount automatically. A change to Safari eliminates a feature that could open certain downloaded files when the Show in Finder button was clicked. And lastly, an unrelated fix enables telnet URLs to have port numbers specified with them again; that functionality had been removed by a previous security update. See Apple's articles on the topic for more details and a look at the new alert.

<http://docs.info.apple.com/article.html? artnum=61798>
<http://docs.info.apple.com/article.html? artnum=25785>

Security Update 2004-06-07 is available via Software Update; it's also available as a 900K standalone download for both Mac OS X 10.3.4 and Mac OS X 10.2.8.

<http://www.apple.com/support/downloads/ securityupdate_2004-06-07_(_10_3_4).html>
<http://www.apple.com/support/downloads/ securityupdate_2004-06-07_(_10_2_8).html>

Needless to say, we haven't had time to evaluate how well Apple's fixes work or if they cause any other problems, but we'll be tracking user reports on TidBITS Talk and other forums in the upcoming week.