Archive for May, 2007

Steve Jobs and Bill Gates: Historic discussion

Thursday, May 31st, 2007

The entire video (7 parts + an intro) from the much anticipated All Things Digital conference on May 30th 2007 featuring Steve Jobs and Bill Gates with some interesting views and a bit of great history.

Steve Jobs and Bill Gates Prologue

Steve Jobs video interviewed by Walt Mossberg

Thursday, May 31st, 2007

During the All Things Digital conference on May 30th 2007, Walt Mossberg interviews Steve Jobs and there are some interesting topics covered - including the introduction of YouTube for Apple TV - see for yourself:

Source: Engadget

Google Gears enables offline web applications

Thursday, May 31st, 2007

Google Gears (BETA) is an open source browser extension that enables web applications to provide offline functionality using the following JavaScript APIs:

  • Store and serve application resources locally
  • Store data locally in a fully-searchable relational database
  • Run asynchronous JavaScript to improve application responsiveness

You can download the beta (also for Mac - but only Firefox 1.5 or higher for now) from the new gears.google.com site.

YouTube on Apple TV

Thursday, May 31st, 2007

Apple TV with YouTube content
Apple® today announced that it’s bringing the Internet’s most popular originally-created content from YouTube to the living room with Apple TV™. Beginning in mid-June, Apple TV will wirelessly stream videos directly from YouTube and play them on a user’s widescreen TV. Using Apple TV’s elegant interface and simple Apple Remote, viewers can easily browse, find and watch free videos from YouTube in the comfort of their living room.

“This is the first time users can easily browse, find and watch YouTube videos right from their living room couch, and it’s really, really fun,” said Steve Jobs, Apple’s CEO. “YouTube is a worldwide sensation, and Apple TV is bringing it directly from the Internet onto the widescreen TV in your living room.”

Full story

iTunes 7.2 and iTunes Plus (DRM Free) launched

Wednesday, May 30th, 2007

iTunes video in Europe
With iTunes 7.2, preview and purchase iTunes Plus music—new higher-quality, DRM-free music downloads from participating music labels.

The iTunes Store also offers songs without DRM protection, from participating record labels. These DRM-free songs, called “iTunes Plus,” have no usage restrictions and feature higher-quality encoding.

The first time you buy an iTunes Plus song, you specify whether to make all future purchases iTunes Plus versions (when available). You can change this setting by accessing your account information on the iTunes Store.

If you already have iTunes Store purchases that are now available as iTunes Plus downloads, you may upgrade your existing purchases. To do so, visit the iTunes Store and follow the onscreen instructions.

I have installed the update with no problems. As usual, it is a good idea to repair permissions before and after the update.

Security Update QuickTime 7.1.6

Wednesday, May 30th, 2007

Apple has released Security Update QuickTime 7.1.6. This update is recommended for all users and improves the security of QuickTime by addressing the following issues:

QuickTime

CVE-ID: CVE-2007-2388

Available for: QuickTime 7.1.6 for Mac OS X and Windows

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: An implementation issue exists in QuickTime for Java, which may allow instantiation or manipulation of objects outside the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of Java applets. Credit to John McDonald, Paul Griswold, and Tom Cross of IBM Internet Security Systems X-Force, and Dyon Balding of Secunia Research for reporting this issue.

QuickTime

CVE-ID: CVE-2007-2389

Available for: QuickTime 7.1.6 for Mac OS X and Windows

Impact: Visiting a malicious website may lead to the disclosure of sensitive information

Description: A design issue exists in QuickTime for Java, which may allow a web browser’s memory to be read by a Java applet. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. This update addresses the issue by clearing memory before allowing it to be used by untrusted Java applets.

I have installed the update with no problems - the update does not require a restart of the machine. As usual, it is a good idea to repair permissions before and after the update.

Get it from Apple Support Downloads.
This is a 1.4 MB download

Spotlight tip

Sunday, May 27th, 2007

Although a lot of you savvy Mac users probably already know this, I just came across the following feature, which really makes a difference for me since I recently started using Spotlight as an app launcher.

I used to use Quicksilver and Launchbar in the past but decided to drop both, as I rarely used them for anything but launching apps, so I found it was an unnecessary extra app to have running. Besides, rumor has it that Spotlight in Leopard will be even more powerful, also as a launcher, so I might as well get used to it now.

Here is the tip:

⌘ + Spacebar to launch Spotlight. Once you enter your search query (the name of an application or a file/folder name, for example) and you see the file you are looking for as the “Top Hit”, simply hit ⌘ and ↩ to launch the application or open the file in the “Top Hit” position.

Red Snapper

Sunday, May 27th, 2007

I just came across this tiny app that really gets screen grabbing right. You can instantly generate an image (in most desirable formats) of a webpage in its entire length. Some other apps can do that too, but turning it into a PDF while maintaining the links is really valuable.

Here is an example of macseason.com grabbed by Red Snapper in PDF
(just perfect for articles and really long pages)

Red Snapper is a light-weight Safari plugin that lets you capture web pages - exactly as they appear on screen. You can send them to a file, or to the clipboard, as images or vector-based PDFs (with links!) It captures the whole web page - eliminating the need to cut, paste and crop multiple screen-shots when trying to create an image or PDF. Best of all, it’s one-click simple… right there on Safari’s toolbar.

You can get the app from www.tastyapps.com - they have a few other cute apps you might be interested in too. The cost is only $8 if you want to own it and that includes all updates in the 1.xx series.

There is a 30-day free trial; the only difference besides the time limitation is a commercial message at the end of each screen grab you make.

Security Update 2007-005

Friday, May 25th, 2007

Apple has released Security Update 2007-005 which includes the contents of Security Update 2007-004, plus the following fixes:

Alias Manager

CVE-ID: CVE-2007-0740

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Users may be misled into opening a substituted file

Description: In certain circumstances, an implementation issue in Alias Manager will not show identically-named files contained in identically-named mounted disk images. By enticing a user to mount two identically-named disk images, an attacker could mislead the user into opening a malicious program. This update addresses the issue by performing additional validation of mountpaths. Credit to Greg Bolsinga of Blurb, Inc. for reporting this issue.

BIND

CVE-ID: CVE-2007-0493, CVE-2007-0494, CVE-2006-4095, CVE-2006-4096

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Multiple vulnerabilities in BIND, the most serious of which is remote denial of service

Description: BIND is updated to version 9.3.4. Further information is available via the ISC web site at http://www.isc.org/index.pl?/sw/bind/

CoreGraphics

CVE-ID: CVE-2007-0750

Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow vulnerability exists in the handling of PDF files. By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PDF files. This issue does not affect systems prior to Mac OS X v10.4.

crontabs

CVE-ID: CVE-2007-0751

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: The daily /tmp cleanup script may lead to a denial of service

Description: Filesystems mounted in the /tmp directory may be deleted when the daily cleanup script is executed, which may lead to a denial of service. This update addresses the issues by updating the daily cleanup script to prevent find commands from descending into mounted filesystems.

fetchmail

CVE-ID: CVE-2007-1558

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: fetchmail password disclosure may be possible

Description: fetchmail is updated to version 6.3.8 to address a cryptographic weakness that could lead to the disclosure of fetchmail passwords. Further information is available via the fetchmail web site at http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt

file

CVE-ID: CVE-2007-1536

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Running the file command on a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow vulnerability exists in the file command line tool, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of files that are passed to the file command.

iChat

CVE-ID: CVE-2007-2390

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution

Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in iChat. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets in iChat.

mDNSResponder

CVE-ID: CVE-2007-2386

Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution

Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.

PPP

CVE-ID: CVE-2007-0752

Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: A local user may obtain system privileges

Description: An implementation issue exists in the PPP daemon when loading plugins via the command line, which allows a local user to obtain system privileges. This update addresses the issue through validation of user privileges. This issue does not affect systems prior to Mac OS X v10.4. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.

ruby

CVE-ID: CVE-2006-5467, CVE-2006-6303

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Denial of service vulnerabilities in the Ruby CGI library

Description: Multiple denial of service issues exist in the Ruby CGI library. By sending maliciously crafted HTTP requests to a web application using cgi.rb, an attacker could trigger an issue which may lead to a denial of service. This update addresses the issues by applying the Ruby patches.

screen

CVE-ID: CVE-2006-4573

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Multiple denial of service vulnerabilities in GNU Screen

Description: The screen command line tool is updated to address multiple denial of service vulnerabilities. Further information is available via the GNU web site at http://lists.gnu.org/archive/html/screen-users/2006-10/msg00028.html

texinfo

CVE-ID: CVE-2005-3011

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: A vulnerability in texinfo may allow arbitrary files to be overwritten

Description: A file handling issue exists in texinfo, which may allow a local user to create or overwrite files with the privileges of the user running texinfo. This update addresses the issue through improved handling of temporary files.

VPN

CVE-ID: CVE-2007-0753

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: A local user may obtain system privileges

Description: A format string vulnerability exists in vpnd. By running the vpnd command with maliciously crafted arguments, a local user can trigger the vulnerability which may lead to arbitrary code execution with system privileges. This update addresses the issue by performing additional validation of the arguments passed to vpnd. Credit to Chris Anley of NGSSoftware for reporting this issue.

I have installed the update with no problems - the update required a restart of the machine. As usual, it is a good idea to repair permissions before and after the update. Please note Security Update 2007-004 has been incorporated into this security update.

Get it from Apple Support Downloads.
This is a 29.2 MB download

iPhone without a 2 year contract?

Wednesday, May 23rd, 2007

According to MacRumors there is speculation that there might be some good news for those of us outside the US, and indeed those who may not be keen on a 2 year Cingular contract.

BoyGeniusReport.com has posted screenshots from AT&T’s accounting system revealing new account codes for three versions of iPhone sales:

  • iPhone PostPaid
  • iPhone PrePaid (Pay As You Go)
  • iPhone Hybrid (Pick Your Plan)

If this is true, then the unrestricted sale of iPhones without contractual obligations would allow users to buy and unlock their iPhones for use on any network. I guess we will all be a lot wiser on June 11th.