Keynote 2.0.2: Security enhancements
This document describes the security enhancements included with the Keynote 2.0.2 update, which can be downloaded and installed using Software Update, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred, and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How To Use The Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
Keynote 2.0.2
CVE-ID: CAN-2005-1408
Available for: Keynote 2, Keynote 2.0.1
Impact: A maliciously modified Keynote presentation could be constructed to retrieve files from the local system.
Description: With a specially crafted Keynote presentation and the use of the "keynote:" URI handler, it is possible that local files could be read and then sent to an arbitrary network location. This issue has been addressed in two ways: References to external resources have been limited, and the registration of the "keynote:" URI handler has been removed. This issue does not affect Keynote versions prior to Keynote 2. Credit to David Remahl (www.remahl.se/david) for reporting this issue.
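To verify on a given system that the second mitigation (removal of the "keynote:" URI handler registration) is in effect, an administrator can check which installed application bundles still claim the scheme. The Python code below is an added example, not Apple's code; it assumes the handler is declared through the standard `CFBundleURLTypes` / `CFBundleURLSchemes` keys of a bundle's `Info.plist`, and the sample plists and function names are constructed for illustration.

```python
import plistlib
from pathlib import Path

def registered_url_schemes(info_plist_bytes):
    """Return the lower-cased URL schemes declared in an Info.plist."""
    info = plistlib.loads(info_plist_bytes)
    schemes = set()
    url_types = info.get("CFBundleURLTypes", []) if isinstance(info, dict) else []
    for url_type in url_types if isinstance(url_types, list) else []:
        declared = url_type.get("CFBundleURLSchemes", []) if isinstance(url_type, dict) else []
        for scheme in declared if isinstance(declared, list) else []:
            if isinstance(scheme, str):
                schemes.add(scheme.lower())  # URI schemes are case-insensitive
    return schemes

def claims_scheme(info_plist_bytes, scheme):
    """True if the plist registers `scheme` (accepts "keynote" or "keynote:")."""
    return scheme.lower().rstrip(":") in registered_url_schemes(info_plist_bytes)

def apps_claiming_scheme(root, scheme):
    """List .app bundles directly under `root` whose Info.plist claims `scheme`."""
    hits = []
    for plist_path in sorted(Path(root).glob("*.app/Contents/Info.plist")):
        try:
            if claims_scheme(plist_path.read_bytes(), scheme):
                hits.append(plist_path.parents[1].name)
        except Exception:
            continue  # unreadable or malformed plist: skip this bundle
    return hits

# Constructed sample plists (not taken from any real Keynote bundle).
SAMPLE_WITH_HANDLER = plistlib.dumps({
    "CFBundleIdentifier": "com.example.presentation-app",
    "CFBundleURLTypes": [
        {"CFBundleURLName": "Example presentation URL",
         "CFBundleURLSchemes": ["Keynote"]},
    ],
})
SAMPLE_WITHOUT_HANDLER = plistlib.dumps({
    "CFBundleIdentifier": "com.example.presentation-app",
})

if __name__ == "__main__":
    # On a patched system this is expected to print nothing.
    for app in apps_claiming_scheme("/Applications", "keynote"):
        print("still registers keynote: ->", app)
```

An empty result only shows that no bundle under the scanned directory declares the scheme in its `Info.plist`; it does not cover bundles installed elsewhere.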