(Credit: Screenshot by Jason Parker/CNET)
Finally, the wait for the next iteration of Apple's flagship operating system is over. Mac OS X 10.6 Snow Leopard will officially become available for wide release August 28. Apple has refined just about everything in the latest OS, from new and useful interface enhancements to core technologies that make your Mac run more smoothly.
We got a chance to explore everything Snow Leopard has to offer and we think there's plenty for Mac fans to be excited about. For the complete rundown of all things Mac OS X 10.6, read our review of Snow Leopard.
While the world rightly awaits Firefox 3.0 with anticipation, it's actually the mobile Firefox browser Fennec that I am looking most forward to seeing. According to the head of Mozilla Europe, we should be seeing Fennec in September, with a beta release later in 2008.
The problem? It won't run on my iPhone:
For the iPhone, Apple's licence cannot install software to have an interpreted language. But Firefox includes JavaScript, which makes it legally impossible to carry on the iPhone....For Android, Webkit is integrated into the OS, and only Java applications can run. And Firefox is not written in Java. So that's why [Fennec will not run on Android]. However, in both cases, things may change in future, but it does not depend on Mozilla.
It will be hugely disappointing if Apple forces the world into its Safari browser. I like Safari and used to prefer it (until CNET forced me to use Firefox, much to my belated delight), but I'd prefer to use Firefox on my mobile device, just as I do on my Mac. Long term, Firefox is going to be where the innovation is.
In sum, the news is bittersweet. Mobile Firefox is coming, but its deployment will be hobbled (for me) by Apple.
A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability.
IDG News Service is camped out at CanSecWest in lovely Vancouver, Canada, and has chronicled the exploits (gotta love security puns) of Charlie Miller, Jake Honoroff, and Mark Daniel of Independent Security Evaluators during the Pwn to Own contest sponsored by TippingPoint. The team was able to gain control of a MacBook Air on the second day of the hacking competition, which pitted the Air against Windows Vista and Ubuntu machines.
Charlie Miller pwns a MacBook Air at CanSecWest.
(Credit: TippingPoint)
No one was able to execute code on any of the systems on Wednesday, the first day of the contest, when hacks were limited to over-the-network techniques on the operating systems themselves. But on the second day, the rules changed to allow attacks delivered by tricking someone to visit a maliciously crafted Web site, or open an e-mail. Hackers were also allowed to target "default installed client-side applications," such as browsers.
The team had attack code already set up on a Web site, and was able to gain access to the MacBook Air and retrieve a file after judges were "tricked" into visiting the site. According to the TippingPoint DVLabs blog, a newly discovered vulnerability in Safari was used to gain control of the Air.
The contest rules stipulated that winners immediately sign a nondisclosure agreement relating to their technique, so that the vulnerability could be disclosed to the vendor, and TippingPoint said Apple has been informed of the vulnerability.
Last year's contest was won by exploiting a QuickTime vulnerability, which was patched by Apple in less than two weeks. As of the time I posted this, no one had gained control of the Vista or Ubuntu machines, but I'll update later as the results come in over the rest of the afternoon.
UPDATED 3/29 11:45am PT - The Vista laptop fell on the last day of the conference. Check out this story for more details.
Apple has started offering Windows users its Safari 3.1 Web browser through the same online updater it utilizes for iTunes and the QuickTime video player.
With the release of Safari 3.1 on Tuesday, Apple started giving Windows users the option of downloading Safari via the Apple Software Update pop-up.
"Safari for Windows is the fastest and easiest-to-use web browser for the PC. It displays web pages faster than any other browser and is filled with innovative features -- all delivered in an efficient and elegant user interface," states Apple's message in the pop-up screen.
The move is a more aggressive play by Apple to snatch browser market share from Microsoft.
In February, Microsoft's Internet Explorer had a 74.9 percent share of the browser market in terms of usage, while Firefox had 17.3 percent, and Safari had 5.7 percent, according to figures from Net Applications, which measures Web traffic and market share.
Care for some Safari with your iTunes?
(Credit: Apple)
Mary Jo Foley at ZDNet notes that when Apple CEO Steve Jobs first unveiled Safari for Windows last June, he said that the main way Apple planned to get Safari on Windows is through its Software Update program.
"Jobs said that Apple plans to use iTunes as a distribution vehicle for Safari for Windows. He noted that there are a million downloads of iTunes a day, with 500 million of those going to Windows machines."
A new exploit will lock up your iPhone or iPod Touch, or crash the Safari browser on your PC or Mac desktop, if you simply visit a maliciously coded Web site. Unlike an earlier exploit that required users to click something to trigger it, the new code published by iPhoneWorld requires no user interaction.
So far, Apple has had no comment.
The code was first reported in January and exhausts Safari's memory, which in turn will cause your iPhone or iPod Touch to freeze, or your desktop Safari to crash. "Given the nature of this issue," said the BugTraq mailing list vulnerability report, "remote code execution may also be possible, but this has not been confirmed."
There is no patch available from Apple. The recommended workaround is to disable JavaScript within Safari, which also breaks any site that depends on JavaScript, so expect to re-enable it once a fix ships. To do so on Windows (on the Mac, Preferences is under the Safari menu rather than Edit):
1. Under Edit, click Preferences.
2. Click the Security icon.
3. Uncheck Enable JavaScript.
4. Close and restart Safari.
Apple is taking Tiger to 11.
The company released a major update to Mac OS X 10.4 on Wednesday that delivers several improvements, fixes some bugs, and patches several security holes identified in recent months. Mac OS X 10.4.11 is immediately available through Software Update, or it can be downloaded from Apple's Web site.
Listing every feature contained in the new update would probably set a record for wordiness in this blog, so I'm not going to do that, and instead will point you here to an informational document on Apple's site. A couple of highlights that I will call out are RAW image support for some Panasonic, Olympus, Leica, and Canon cameras as well as reliability improvements for Intel-based Macs running VMware's Fusion virtualization software. Other Mac users might be interested to know that 10.4.11 improves the reliability of mounting external hard drives and a Mac's compatibility with third-party wireless networking equipment, which has been a perennial issue for me and my Linksys router.
Dozens of security updates were delivered along with the 10.4.11 release, some of which could theoretically lead to remote code execution. All of those patches are included as part of the update--you won't need to download them separately--and Ryan Naraine at ZDNet has more details on what has been fixed. A separate batch of security patches is also available for Panther users (Mac OS X 10.3) that corrects the issues contained in the Tiger security updates that are also relevant to Panther users.
Another point worth noting is that Safari 3 is now officially out of beta for Mac users, and it's included along with the rest of the update. Those using Safari 3 on Windows, however, are still in beta, and they need to download a security update released on Wednesday along with the rest of the downloads.
To top it all off, Apple released updates for several applications like iPhoto and some professional tools like Final Cut Pro. The entire list of downloads made available Wednesday can be found here, but Software Update should prompt you to download the ones that are relevant to your system.
There are two choices for the update: you can download just the 10.4.11 update if you've kept current with the other incremental releases, or you can download a combo update if you're still running 10.4.9 or an earlier version of Tiger. The standalone update for Intel Macs is 128MB, while the combo update is 321.5MB. The PowerPC versions are about half that size.
I asked an Apple representative why they just didn't make Mac OS X 10.4.10 more complete, and he said, "But this one goes to 11." (Just kidding.) The first update to Leopard, Mac OS X 10.5.1, should be out fairly soon if Apple follows the same plan it did after it released Tiger in April 2005.
Update: The directory is now live. CNET News.com's Tom Krazit wrote up a quick look at it. One funny thing to note is that accessing the directory from an iPhone renders it like it does on your desktop browser instead of in a finger- and eye-friendly format. Also, using the much-touted double-tap feature to zoom into the lineup of apps doesn't even center the page correctly. Apparently Apple didn't deem it necessary to make its own iPhone-centric page easier to use. Hopefully the early adopter, tech savvy crowd can handle it. Original story follows.
iPhone users still relying on Safari for third-party applications instead of going the unlocked route may be getting a new directory of applications, straight from the source. AppleInsider and 9 to 5 Mac are reporting that Apple is set to launch its own directory of third-party Web applications that have been optimized for the iPhone, similar to the current directory the company has of Mac software and Dashboard Widgets residing in Apple.com's download section. The news gets even juicier with a misplaced link from one of Apple's official RSS feeds, showing the new section getting its own Apple vanity URL of Apple.com/Webapps (note: the link currently goes nowhere).
AppleInsider also claims that some developers have been contacted by Apple reps to submit all sorts of information about their applications, including screenshots, links, and descriptions. If the directory is anything like Apple's current iteration for software, there will likely be a way for people to submit their own right from the site, as well.
This isn't anywhere close to the SDK everyone's hoping for, but an official directory would be a welcome addition to the slew of iPhone application directories that have sprung up since the introduction of the phone earlier this year, and would open up a potentially larger audience for developers with cool applications. As an iPhone user, my only suggestion would be to take advantage of the capability to update the system software, and integrate the new directory as its own button on the home screen. Better yet, let people "copy" an application shortcut icon to their home screen to let them jump straight to the application like what's been done in the unlocked iPhone community.
No news on when the site is going live. In the meantime, if you're a new iPhone user looking for places to find some optimized Web applications, CNET's got its very own iPhone App directory. I'd also recommend iPhone Application List and EverythingiPhone.
Apple today released 10 iPhone security updates, including 7 within the MobileSafari browser. The update is available only through iTunes and is not available from the Apple Downloads page. After applying this update, the version shown on the iPhone should be 1.1.1 (3A109a). Further, Apple refuses to discuss pending security vulnerabilities not patched here, stating "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."
Bluetooth
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3753. By sending maliciously crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker within range may be able to trigger the issue, which may in turn lead to unexpected application termination or arbitrary code execution. Apple credits Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this vulnerability.
Mail man-in-the-middle attack
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3754. When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted and could lead to a man-in-the-middle attack.
Mail telephone link
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3755. "By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation." Apple credits Andi Baritchi of McAfee for reporting this vulnerability.
Safari 1
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3756. "A design issue in Safari allows a Web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted Web page, an attacker may be able to obtain the URL of an unrelated page." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.
Safari 2
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3757. "Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation." Apple credits Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang for reporting this issue.
Safari 3
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3758. "A cross-site scripting vulnerability exists in Safari that allows malicious Web sites to set JavaScript window properties of Web sites served from a different domain. By enticing a user to visit a maliciously crafted Web site, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other Web sites." Apple credits Michal Zalewski of Google for reporting this issue.
Safari 4
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3759. "Safari can be configured to enable or disable JavaScript. This preference does not take effect until the next time Safari is restarted. This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not."
Safari 5
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3760. "A cross-site scripting issue in Safari allows a maliciously crafted Web site to bypass the same-origin policy using "frame" tags. By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.
Safari 6
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3761. "A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of another site."
Safari 7
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-4671. "An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of HTTPS Web pages in that domain." Apple credits Keigo Yamazaki of Little Earth Corporation for reporting this issue.
Googling on the iPod--the stuff of legends.
(Credit: Ina Fried/CNET News.com)
This morning, Apple unveiled the iPod Touch, this year's latest must-have gadget and the first bona fide iPod to have built-in Wi-Fi, the Safari Web browser, and the YouTube app iPhone owners have come to love. That's not the most groundbreaking aspect, though--this thing's got a full version of the iTunes Music Store that you'll be able to use for shopping right on the device. You can preview and buy songs that will sync up to your iTunes library when you plug it in back at home. The idea is similar to the Music Gremlin and the SanDisk Sansa Connect, except you're getting the added benefit of Apple's entire online catalog.
Also groundbreaking is the inclusion of Apple's Safari Web browser, which features the same functionality you get on the iPhone. For enterprising Web app creators, this is huge. The iPhone's somewhat prohibitive price point (even after this morning's $200 price drop) and two-year service agreement with AT&T limited many from purchasing the device. Despite this, the explosion of Web apps that have been built specifically for the device is staggering. Companies have become so enamored with the idea of a special iPhone version of their site, it's becoming nearly as prevalent as building a Facebook app.
Despite the inclusion of YouTube, two apps are mysteriously missing from the iPod Touch: the Google Maps app, and the Mail app, which gives users first-party support for popular mail services like Gmail, Yahoo, and AOL mail. Of the two, the Mail app matters more in conjunction with Safari, as users will have to juggle two separate windows and their favorite Web mail client to actually e-mail someone from Safari. The experience on the iPhone is a little more seamless, with the device simply opening up a new message in Mail.
The iPod Touch is shipping later this month in 8 GB and 16 GB capacities at $299 and $399, respectively. More news about it can be found on Crave's live blog post.
If you own a Mac or an iPhone, chances are you'll need to download at least one of the security updates issued by Apple late Tuesday.
Dozens of vulnerabilities and bugs were covered by a total of six downloads for Mac OS X 10.3.9 (Panther), Mac OS X 10.4.10 (Tiger) on PowerPC, and the Universal version of Mac OS X 10.4.10, as well as the server versions of each of those operating systems. Each download contains several patches to correct flaws, and Apple is recommending that all users of those operating systems download the updates.
Some of the vulnerabilities seem quite serious, leading to arbitrary code execution, downed applications or both. You can download the updates for your specific Mac at Apple's support Web site or by clicking on the "Software Update" selection under the Apple menu.
Apple also issued the first software update for the iPhone as part of Tuesday's releases. Unlike the Mac updates, the iPhone update will be delivered through iTunes the next time you sync your iPhone with your Mac or PC. It corrects a few flaws in Safari as well as in WebCore and WebKit, apparently the iPhone versions of some flaws Apple fixed for Mac users of Safari back in June.
Finally, Apple also released a new version of Safari 3.0, which is still in beta. The new version, Safari 3.0.3, fixes some security flaws for both the Windows and Mac OS versions of the browser.
The flood of patches comes as the security community is gathered in Las Vegas for the annual Black Hat conference.