Apple

All things related to IT security, privacy and compliance.

Don’t forget to check out #InfoSecAndCompliance on Jaiku.

TrueCrypt Post Up On TAB

I take a look at one of the more interesting security tools to hit Apple desktops in quite a while in TrueCrypt 5.0 Brings Plausible Deniability To OS X Users over on The Apple Blog:

If you need/desire cross-platform compatibility, then TrueCrypt is a perfect choice. You can encrypt a virtual disk image onto a USB drive and take it from Windows to Linux to OS X and gain access to all your secret data, something that is not possible with OS X secure disk images.


MarsEdit Post Up on TAB

Josh did the WordPress magic incantations once again and my notes on the recent update to MarsEdit are available for your critical review.

Be kind, folks…it’s been a tough week.


Fix For Office 2008 Security Issue

UPDATE: Now up on TAB (Josh is teh cool) with good discussion in the comments on the efficacy of the executable.

[NOTE: Once/if Josh posts this to TAB, I’ll be modifying the entry to just link over there…only posting it now in the interest of time (since it’s after 1AM on the right coast). It needs to be on TAB so the widest audience gets the security fix info.]

For those that have installed Office 2008, you may have seen some news floating on the internets about improper permissions — that were created by the installer — potentially allowing another local user to access your documents. It’s not a remote exploit issue and most folks are probably not vulnerable (you only need to be concerned if you’ve created another user on the system).

Erik Schwiebert posted instructions for a temporary fix over at Mac Mojo and Microsoft will be issuing an official patch/update to address the issue as well. Erik’s instructions require some Terminal-fu, so I wrapped them into an executable – Fix Office 2008 Permissions.

Just download/extract the archive and run the executable. You will be prompted for your password since the fix requires elevated privileges.

If you have any issues with the executable or following Erik’s instructions, post them in the comments and I’ll see if your particular install requires any tweaking.
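The issue above is a permissions problem (files created by an installer that other local users on the same Mac can read). The page does not list the exact paths Erik’s fix touches, so the following is an added example rather than his procedure or the executable linked here: a small POSIX sh audit that finds anything under a given directory that grants "other" read or write, counts it, and tightens it. The sample tree it builds is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit a directory tree for files other local users can read
# or write. This is NOT the page's "Fix Office 2008 Permissions" executable or
# Erik Schwiebert's instructions; the directory to audit is a parameter
# because the installer's exact paths are not given on the page.

# Print every path under $1 whose mode grants "other" read or write.
# Both GNU and BSD find interpret a symbolic mode after -perm relative to 0,
# so "-perm -o+r" means "bit 004 is set" and "-perm -o+w" means "bit 002 is set".
find_other_accessible() {
    find "$1" \( -perm -o+r -o -perm -o+w \) -print
}

# Number of such paths; 0 means nothing under $1 is exposed to other users.
count_other_accessible() {
    find_other_accessible "$1" | wc -l | tr -d ' '
}

# Remove read/write/execute for "other" on every offending path and print
# each path that was changed (-print only fires when chmod succeeded).
# Owner and group bits are left alone so the audit is a minimal change.
fix_other_accessible() {
    find "$1" \( -perm -o+r -o -perm -o+w \) -exec chmod o-rwx {} \; -print
}

# Constructed sample tree for the demonstration: the Documents directory and
# budget.doc are exposed to other users, private.doc is already owner-only.
# Prints the path of the temporary tree.
make_sample_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/officefix.XXXXXX") || return 1
    mkdir "$d/Documents"
    echo "secret" > "$d/Documents/private.doc"
    chmod 600 "$d/Documents/private.doc"   # owner-only: not reported
    echo "secret" > "$d/Documents/budget.doc"
    chmod 644 "$d/Documents/budget.doc"    # world-readable: reported
    chmod 755 "$d/Documents"               # world-traversable: reported
    echo "$d"
}

# Stand-alone run: audit the sample tree, fix it, audit again.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "exposed before fix: $(count_other_accessible "$tree")"
    fix_other_accessible "$tree"
    echo "exposed after fix:  $(count_other_accessible "$tree")"
    rm -rf "$tree"
fi
```

To check a real home directory instead of the sample tree, call `count_other_accessible "$HOME/Documents"` (no privileges needed to read your own modes); only run `fix_other_accessible` once you have looked at the list, since it also strips "other" access from anything you deliberately shared.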


OSX/KDE Post Up On TAB

New post over @ TAB on the KDE 4 port to OS X

This week Slashdot (and many, many others) reported that KDE 4.0 has been released for Windows and OS X. KDE (K Desktop Environment) has been a popular GUI for *nix systems, and there were ways of getting it to run (mostly) on OS X prior to this native port if you were willing to use X11 on OS X. RangerRick (of OpenNMS “fame”) did much of the heavy lifting for the Mac side of this project, including the package distributions.


Adium Updated To 1.2.1

*13* days (those devs are maniacs!) after 1.2 comes another update from the Adium folks… enhancements below, full deltas in the changelog:

  • Group chats now reconnect automatically when their accounts reconnect after being disconnected (#1880)
  • Greatly improved accessibility, including the chat window, the Accounts, Events, and Advanced preference panes, the File Transfer progress window, and the contact list
  • Decreased Adium’s memory footprint
  • Jabber conferences now use the account’s display name as the handle by default (#8757)
  • Improved performance when connecting multiple accounts with saved passwords
  • Updated the Stockholm message style (#8353)
  • Added date opened property (#8859) [AppleScript]
  • Allowed access to service images for accounts [AppleScript]
  • Added a global status property [AppleScript]
  • Updated Norwegian localization
  • Added Slovenian localization

Who sez Twitter is just a bunch of noise! (they are @Adium. Me, I’m just @hrbrmstr, but you’ll get tweets when Mary & I post!)

Security Fixes In iPhone 1.1.3 & iPod Touch 1.1.3 Update

Here is what was fixed, security-wise, in the 1.1.3 update:

Foundation
CVE-ID: CVE-2008-0035
Available for: iPhone v1.0 through v1.1.2, iPod touch v1.1 through 1.1.2
Impact: Accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution
Description: A memory corruption issue exists in Safari’s handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of URLs.

Passcode Lock
CVE-ID: CVE-2008-0034
Available for: iPhone v1.0 through v1.1.2
Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

Safari
CVE-ID: CVE-2007-5858
Available for: iPhone v1.0 through v1.1.2, iPod touch v1.1 through 1.1.2
Impact: Visiting a malicious website may result in the disclosure of sensitive information
Description: WebKit allows a page to navigate the subframes of any other page. Visiting a maliciously crafted web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information. This update addresses the issue by implementing a stricter frame navigation policy.

CVE-2008-0034 (bypassing of the passcode lock) is ugly and I hope this is the last time this feature has a vulnerability. CVE-2008-0035 is what was used by those “cool” folks to break their phones to run apps on it. I still stand by my position that it is unwise to publish the means to decimate the security of any device for the sole purpose of being able to make it do what you want it to do. Who knows how many folks were exposed to real iPhone vulnerabilities as a result of the work of these “fine” engineers.


Garmin Completely Overlooked In All The Keynote Commotion

Jobs’ keynote may have been the center of attention at Macworld 2008, but Garmin took the wraps off of Bobcat, an OS X-only application that will no doubt be the center of all things Garmin GPS-related on your Mac.

It’s a beta (sigh) and Universal application for OS X 10.4+. There is no word on whether they will be charging for the 1.0 release, but I suspect the app will remain free since they make the big bucks on the map$.

Bobcat has the following features:

  • allows you to transfer waypoints, tracks, and routes between your Mac and Garmin device and manage your data using your Garmin maps
  • provides the ability to search for points of interest from the convenience of your Mac and then send the locations to your Garmin GPS
  • serves as a backup tool for your Garmin GPS. You can receive all your waypoints, routes, and tracks from your GPS and Bobcat will save them automatically

If you want to get your Garmin maps from your PC to your Mac, they’ve put together a guide [PDF] to help you along (you’ll need MapConverter for your PC).

Here’s a look at the Bobcat main screen:

[Image: Bobcat main screen]

I’ll post a full review of Bobcat once I put it through its paces (loading my PC maps, importing from my various Garmin GPS devices and testing out the general functionality).

You can entertain yourself until then by perusing the new Mac section on Garmin’s site and loading some of their Mac software. If you’re at Macworld definitely stop by their booth and cheer them up (Steve can’t have all the attention there).


QuickTime 7.4 Posted - Patch, People!

Fire up Software Update or head on over to QuickTime’s official download page to grab the 7.4 update. While it fixes:

  • CVE-2008-0031: A maliciously crafted Sorenson 3 movie file may lead to arbitrary code execution
  • CVE-2008-0032: A maliciously crafted movie file may lead to arbitrary code execution during the handling of Macintosh resource records
  • CVE-2008-0033: A maliciously crafted movie file may lead to arbitrary code execution during parsing of Image Descriptor atoms
  • CVE-2008-0036: A maliciously crafted PICT image may lead to arbitrary code execution

it does *not* fix the most recent QuickTime flaw, however, so continue to watch which sites you visit. Remember what your mother taught you: don’t accept streaming media from strangers!


OS X (Leopard) Hidden Gem : OpenSnoop

Another post by me over @ TAB looking at opensnoop, a cool DTrace utility that lets you monitor file opens.

Lots of good stuff came with Apple incorporating DTrace into Leopard. Load the Developer tools to get access to Instruments.app for some GUI-DTrace goodness and poke around man -k dtrace for some command-line DTrace fun.

DTrace is great for developers, but it has some security benefits as well, which I’ll hopefully get some time to explain in the coming weeks.
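One of those security benefits is that opensnoop shows you which process touched which file, including failed attempts. As an added example (not from the post, the TAB piece, or the DTrace toolkit), here is a POSIX sh/awk filter that reads opensnoop-style output and flags opens under paths you care about. It assumes opensnoop’s default columns are `UID PID COMM FD PATH`; the sample lines are constructed, not captured from a real machine.

```sh
#!/bin/sh
# Added example: flag file opens under sensitive paths in opensnoop output.
# Assumption: opensnoop's default column order is UID PID COMM FD PATH.
# The lines below are constructed sample output, not a real capture.

SAMPLE_OPENSNOOP_OUTPUT='  UID   PID COMM          FD PATH
  501   412 Safari         7 /Users/bob/Library/Caches/page.html
  501   520 curl          -1 /Users/bob/.ssh/id_rsa
  501   520 curl           5 /etc/hosts
    0   101 launchd        3 /System/Library/LaunchDaemons/com.example.agent.plist
  501   611 python         4 /Users/bob/Documents/budget.doc'

# Read opensnoop lines on stdin; print "PID COMM FD PATH" for each open whose
# PATH begins with one of the space-separated prefixes in $1. An FD of -1 is
# a failed open, which opensnoop also reports; those are kept on purpose,
# since a process probing for a key it cannot read is worth seeing.
flag_sensitive_opens() {
    awk -v pfx="$1" '
        BEGIN { n = split(pfx, p, " ") }
        $1 == "UID" && $5 == "PATH" { next }       # skip the header line
        {
            for (i = 1; i <= n; i++)
                if (index($5, p[i]) == 1) { print $2, $3, $4, $5; break }
        }'
}

# Number of flagged opens in the constructed sample for the given prefixes.
count_flagged_sample() {
    printf "%s\n" "$SAMPLE_OPENSNOOP_OUTPUT" \
        | flag_sensitive_opens "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the sample.
if [ "${1:-}" = "--demo" ]; then
    printf "%s\n" "$SAMPLE_OPENSNOOP_OUTPUT" \
        | flag_sensitive_opens "/Users/bob/.ssh /Users/bob/Documents"
fi
```

On Leopard the same filter sits on the live stream (DTrace needs root, hence sudo): `sudo opensnoop | flag_sensitive_opens "$HOME/.ssh $HOME/Documents"`. Two constructed lines match for those prefixes: the failed open of `id_rsa` and the open of `budget.doc`.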
