Keynote 2.0.2: Security enhancements

This document describes the security enhancements included with the Keynote 2.0.2 update, which can be downloaded and installed using Software Update, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see “How to use the Apple Product Security PGP Key”.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To find out more about other Security Updates, see "Apple Security Updates".

Keynote 2.0.2

CVE-ID: CAN-2005-1408

Available for: Keynote 2, Keynote 2.0.1

Impact: A maliciously modified Keynote presentation could be constructed to retrieve files from the local system.

Description: With a specially crafted Keynote presentation and the use of the “keynote:” URI handler, it is possible that local files could be read and then sent to an arbitrary network location. This issue has been addressed in two ways: References to external resources have been limited, and the registration of the “keynote:” URI handler has been removed. This issue does not affect Keynote versions prior to Keynote 2. Credit to David Remahl (www.remahl.se/david) for reporting this issue.
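To confirm on an installed copy that the “keynote:” handler registration is gone, the application's Info.plist can be checked for the scheme. The following is an added example, not Apple's code; it assumes the handler was declared through the standard CFBundleURLTypes / CFBundleURLSchemes keys, and both sample plists are constructed for illustration.

```python
import plistlib

# Constructed sample: an Info.plist that still declares the scheme.
# Mixed case on purpose, because URL schemes are matched case-insensitively.
SAMPLE_BEFORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.presentation</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Example presentation URL</string>
      <key>CFBundleURLSchemes</key>
      <array><string>Keynote</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed sample: the same bundle with the registration removed.
SAMPLE_AFTER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.presentation</string>
</dict>
</plist>
"""

def registered_schemes(plist_bytes):
    """Return the lower-cased set of URL schemes an Info.plist declares."""
    info = plistlib.loads(plist_bytes)
    schemes = set()
    for url_type in info.get("CFBundleURLTypes") or []:
        if not isinstance(url_type, dict):
            continue  # tolerate malformed entries instead of crashing
        for scheme in url_type.get("CFBundleURLSchemes") or []:
            if isinstance(scheme, str):
                schemes.add(scheme.strip().lower())
    return schemes

def declares_scheme(plist_bytes, scheme="keynote"):
    """True if the plist still registers the given URL scheme."""
    return scheme.lower() in registered_schemes(plist_bytes)

if __name__ == "__main__":
    # For a real bundle, read the bytes of <App>.app/Contents/Info.plist.
    for label, data in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, sorted(registered_schemes(data)), declares_scheme(data))
```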
