Second Time's The Charm (6/8/04)
Speaking of Steve's fireside chat at D: All Things Digital (and other stuff we didn't get to mention yesterday), it was there that he broke the news that Apple would be posting another security patch before the day was through-- and sure enough, Security Update 2004-06-07 first started materializing in Software Update late yesterday afternoon. It's svelte (less than a megabyte) but powerful; according to Steve, this update will finally close those heinous holes which Apple's first attempt at a fix left wide open. "If at first you don't succeed," and all that crap.
Being both paranoid enough about Apple software updates to worry that the cure might be worse than the disease and too lazy to bother clicking a button ("oh... it's all the way over there"), we haven't yet installed the update, instead preferring to watch others go first just to see if they burst into flame or anything. It sounds like it takes the right approach to sew up those URI holes, though: "Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application." Meaning, it should be a lot tougher for technojerks with too much time on their hands to slap together web pages capable of automatically deleting all your iTMS purchases without even bothering to ask you if you'd mind.
Oh, and this is kind of cool, too: presumably in response to complaints that its communication about security issues was a little bit lacking (e.g. "There were problems; this fixes them"), there's some pretty detailed info about exactly what this latest security update does, including "Impact," "Discussion," "Further Information," and links to entries at Common Vulnerabilities and Exposures for each applicable fix. Plus there's a whole separate page that does a pretty nice job describing the problem with applications automatically being launched, and shows the new warning dialog intended to protect you. "You want communication? We gotcher communication right here, buddy."
You may recall that there was also some criticism that Apple took months 'n' months to patch the hole, having been told about it in February but not having worked on a fix until the guy who found the vulnerability went public with it last month. Well, at his D:chat Steve admitted that the company knew about part of the problem in February, but claimed it didn't realize the seriousness of the hole until it found out about the second part just three weeks ago. And three weeks isn't all that poor a turnaround time, right?
Assuming, of course, that this update actually fixes the problem. It's been twenty-four hours and we haven't seen any definitive reports to the contrary, but The Register claims that even after applying the update to a 10.3.4 test system, it was still susceptible to Unsanity's test exploits. Just an isolated fluke? Several people have told us (and several more have told The Reg) that the update blocked the exact same test exploits for them, so yeah, probably. But hey, if it wasn't, what's yet another security update between friends?
The above scene was taken from the 6/8/04 episode: June 8, 2004: No new Power Macs today-- but by the end of the week, for sure! Meanwhile, did Steve admit that Apple had developed a PDA that never made it to market? And the latest security update succeeds where the last one failed (probably)...