MacMegasite

Apple has released the Mac OS X 10.5.6 update, now available via the Software Update panel. A fairly complete release note is available at http://support.apple.com/kb/HT3194

The many changes in 10.5.6 include:

Address Book

• Improves reliability of Address Book syncing with iPhone and other devices and applications.

AirPort

• Improves the reliability of AirPort connections, including improvements when roaming in large wireless networks with an Intel-based Mac.

Client management

• Improves reliability of synchronizing files on a portable home directory.
• Fixes an issue in Mac OS X 10.5.4 and 10.5.5 in which managed users may not see printers that use the Generic PPD.
• Client computers that use UUID-based ByHost preferences now respect managed Screen Saver settings.

iChat

• Addresses an issue that could cause an encryption alert to appear in the chat window.
• Setting your iChat status to “invisible” via AppleScript no longer logs you out of iChat.
• Resolves an issue in which pasting text from a Microsoft Office document could insert an image rather than text.

Graphics

• Includes general improvements to gaming performance.
• Includes graphics improvements for iChat, Cover Flow, Aperture, and iTunes.
• Includes fixes for possible graphics distortion issues with certain ATI graphics cards.

Mail

• Includes overall performance and reliability fixes.
• Improves Connection Doctor accuracy.
• Fixes an issue that could cause messages identified as junk to remain in the inbox.
• Fixes an issue that could cause Mail to append a character to the file extension of an attachment.
• Addresses an issue that could prevent Mail from quitting.
• Improves reliability when printing PDF attachments.

MobileMe

• Contacts, calendars, and bookmarks on a Mac automatically sync within a minute of the change being made on the computer, another device, or the web at me.com.

Networking

• Improves Apple File Service performance, especially when using a home directory hosted on an AFP server. Important: If you are using Mac OS X 10.5.6 (client) to connect to a Mac OS X Server 10.4-based server, it is strongly recommended that you update the server to Mac OS X Server version 10.4.11.
• Improves the performance and reliability of TCP connections.
• Improves reliability and performance for AT&T 3G cards.
• Updates the ssh Terminal command for compatibility with more ssh servers.

Printing

• Improves printing for the Adobe CS3 application suite.
• Improves printing for USB-based Brother and Canon printers.

Parental Controls

• Addresses an issue in which a parentally-controlled account could be unable to access the iTunes Store.
• Includes general fixes for time limits.
• Resolves an issue that prevented adding allowed websites from Safari via drag and drop.

Time Machine

• Fixes issues that could cause Time Machine to state the backup volume could not be found.
• Improves Time Machine reliability with Time Capsule.

Safari

• Improves compatibility with web proxy servers.

General

• Includes Mac OS X security improvements. See this website for more information.
• Addresses inaccuracies with Calculator when the Mac OS X language is set to German or Swiss German.
• Improves the performance and reliability of Chess.
• Improves DVD Player performance and reliability.
• Performance improvements for iCal are included.
• Fixes an issue when running the New iCal Events Automator action as an applet.
• Adds a Trackpad System Preference pane for portable Macs.
• Improves compatibility with smart cards such as the U.S. Department of Defense Common Access Card.
• Updates time zone data and Daylight Saving Time rules for several countries.

Just a couple of weeks after getting a MacBook for his wife, David Alison discusses some of the challenges his wife has had in making the switch from Windows.

Eight months after David Alison switched from Windows to Mac he has created a list of the 26 Mac applications he finds himself using nearly every day.

What does it take to set up a Time Capsule? David Alison walks through buying a refurbished Time Capsule from Apple (which saved $50) and setting it up in today’s blog post.

Now that David Alison has made the switch from Windows to Mac he’s about to embark on getting his wife, a high school teacher, switched over as well. The first step is getting her a refurbished MacBook, which he details in today’s blog post.

David Alison finally pulled the trigger and ordered a MacBook for his wife, a birthday gift that will replace a rapidly aging HP laptop.

If you spend any time at all in the Terminal / Bash shell, it pays to master some of the shortcuts that will help you be more productive. David Alison lists a couple of the ones he uses all the time in today’s blog post.

In today’s blog post David Alison walks through some of the things he’s done to detach the external mouse from his MacBook Pro and still be very productive.

VMWare Fusion 2.0 beta 2 is out and it lets you run Mac OS X Server (not client) in a virtual machine. This is especially useful for software developers, since it gives you another machine for testing, plus you can use the snapshot feature to revert to an earlier state if you mess things up badly.

It took some work and I ran into a few difficulties, but I finally maaged to get it working.

Although I don’t have a Server license, Apple makes it available to Apple Developer Connection members, so I was able to download the disk image from the ADC member site.

If you try to install directly from the Leopard Server DVD image, you’ll find that VMWare doesn’t let you choose a .dmg file. To get around that, open the image in Disk Utility and convert to DVD/CDR Master. VMWare will then let you install from the resulting .cdr image.

If you try to use the default settings for the virtual machine, the installation will fail. VMWare has posted instructions for successfully installing Mac OS X Server. The important thing is to customize the VM settings, remove the IDE hard drive and add a 30GB SCSI hard drive.

When you start the installation, the installer won’t find any drives to install the operating system, so you’ll have to open Disk Utility in the VM and erase the virtual drive. Once you do that, the installation will proceed smoothly.

Uploaded with plasq’s Skitch!

Apple has released a new security update which fixes several critical vulnerabilities, including the widely publicized DNS flaw. Security Update 2008-005 is now available via Software Update and is recommended for all users.

The complete list of fixes includes:

[B]Open Scripting Architecture[/B]

CVE-ID: CVE-2008-2830

[B]Impact[/B]: A local user may execute commands with elevated privileges

[B]Description[/B]: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. Sending scripting addition commands to a privileged application may allow the execution of arbitrary code with those privileges. This update addresses the issue by not loading scripting addition plugins into applications running with system privileges. The recently reported ARDAgent and SecurityAgent issues are addressed by this update. Credit to Charles Srstka for reporting this issue.

[B]BIND[/B]

CVE-ID: CVE-2008-1447

[B]Impact[/B]: BIND is susceptible to DNS cache poisoning and may return forged information

[B]Description[/B]: The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.

[B]CarbonCore[/B]

CVE-ID: CVE-2008-2320

[B]Impact[/B]: Processing long filenames may lead to an unexpected application termination or arbitrary code execution

[B]Description[/B]: A stack buffer overflow exists in the handling of long filenames. Processing long filenames may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Thomas Raffetseder of the International Secure Systems Lab and Sergio ’shadown’ Alvarez of n.runs AG for reporting this issue.

[B]CoreGraphics[/B]

CVE-ID: CVE-2008-2321

[B]Impact[/B]: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

[B]Description[/B]: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Michal Zalewski of Google for reporting this issue.

[B]CoreGraphics[/B]

CVE-ID: CVE-2008-2322

[B]Impact[/B]: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

[B]Description[/B]: An integer overflow in the handling of PDF files may result in a heap buffer overflow. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through additional validation of PDF files. Credit to Pariente Kobi working with the iDefense VCP for reporting this issue.

[B]Data Detectors Engine[/B]

CVE-ID: CVE-2008-2323

[B]Impact[/B]: Viewing maliciously crafted messages with Data Detectors may lead to an unexpected application termination

[B]Description[/B]: Data Detectors are used to extract reference information from textual content or archives. A resource consumption issue exists in Data Detectors’ handling of textual content. Viewing maliciously crafted content in an application that uses Data Detectors may lead to a denial of service, but not arbitrary code execution. This issue does not affect systems prior to Mac OS X v10.5.

[B]Disk Utility[/B]

CVE-ID: CVE-2008-2324

[B]Impact[/B]: A local user may obtain system privileges

[B]Description[/B]: The “Repair Permissions” tool in Disk Utility makes /usr/bin/emacs setuid. After the Repair Permissions tool has been run, a local user may use emacs to run commands with system privileges. This update addresses the issue by correcting the permissions applied to emacs in the Repair Permissions tool. This issue does not affect systems running Mac OS X v10.5 and later. Credit to Anton Rang and Brian Timares for reporting this issue.

[B]OpenLDAP[/B]

CVE-ID: CVE-2008-2952

[B]Impact[/B]: A remote attacker may be able to cause an unexpected application termination

[B]Description[/B]: An issue exists in OpenLDAP’s ASN.1 BER decoding. Processing a maliciously crafted LDAP message may trigger an assertion and lead to an unexpected application termination of the OpenLDAP daemon, slapd. This update addresses the issue by performing additional validation of LDAP messages.

[B]OpenSSL[/B]

CVE-ID: CVE-2007-5135

[B]Impact[/B]: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution

[B]Description[/B]: A range checking issue exists in the SSL_get_shared_ciphers() utility function within OpenSSL. In an application using this function, processing maliciously crafted packets may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

[B]PHP[/B]

CVE-ID: CVE-2008-2051, CVE-2008-2050, CVE-2007-4850, CVE-2008-0599, CVE-2008-0674

[B]Impact[/B]: Multiple vulnerabilities in PHP 5.2.5

[B]Description[/B]: PHP is updated to version 5.2.6 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ PHP version 5.2.x is only provided with Mac OS X v10.5 systems.

[B]QuickLook[/B]

CVE-ID: CVE-2008-2325

[B]Impact[/B]: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution

[B]Description[/B]: Multiple memory corruption issues exist in QuickLook’s handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.5.

[B]rsync[/B]

CVE-ID: CVE-2007-6199, CVE-2007-6200

[B]Impact[/B]: Files outside the module root may be accessed or overwritten remotely

[B]Description[/B]: Path validation issues exist in rsync’s handling of symbolic links when running in daemon mode. Placing symbolic links in an rsync module may allow files outside of the module root to be accessed or overwritten. This update addresses the issue through improved handling of symbolic links. Further information on the patches applied is available via the rsync web site at http://rsync.samba.org/