Apple released this week a long and exhaustive Leopard Security Configuration Guide consisting of recommended practices and tips on keeping your Macs, well, secure.

Strictly hardcore, it’s meant for the upper echelon of Mac geeks who are comfortable with Terminal and can understand the arcana of things like sandboxing, library randomization and modules with two-factor authentication systems.

I don’t think I’d try to try anything in it by myself, but it’s nice to know I have a copy. It’s like a rare library book from Hogwarts, and would be perfect if Harry was a Mac fanboy as well. Needless to say, tinkering with these spells is not recommended for ordinary wizards, not unless you know what you’re doing.

It’s a 3.4mb PDF download and you can get it here if you want to take a peek.

A quick look at the Table Of Contents after the jump:

[Read the rest of this entry »]

The new version of Mac OS X, 10.6, will be known as Snow Leopard. Snow. Leopard.

Or at least that’s what Ars Technica seems convinced of. They also say it’ll be launched at Macworld 2009 in January, and will be Intel-only.

Previous speculation says that 10.6 seeds’ll be released to developers next week at the WWDC, in preparation for its release next year. As for changes, apparently it’ll be basically the same, except that it’ll be faster and more stable, rather than have anything really new or innovative. The report says this is because speed and stability are bigger concerns now that Apple’s firmly entrenched in smaller and more mobile gadgets that need these elements more than anything.

PowerPC users are expectedly crushed by this news. Our sympathies.

[UPDATE: Typo! As a bunch of readers immediately noted, I wrote the version wrong (10.5.6). Dunno what got into me - maybe because i was sneaking in this post as I was in a sales meeting. Heh. Serves me right! Fixed it already. Thanks, eagle-eyed MacADoodlers! You know who you are!]

Microsoft, creator of the very secure and robust Windows OS and the rock-solid Internet Explorer web browser, is warning Windows users not to use Apple’s browser Safari because it is unsafe and vulnerable to certain malicious sites that can take advantage of an exploit and “carpet-bomb” your Windows machine with EXE files.

According to Microsoft Security Advisory #953818 on the Microsoft website, there is a “Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform”:

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers needs.”

In simple terms, Safari doesn’t seek user permission when malicious sites try to make the browser download an executable file to the desktop, even if it does this hundreds of times over and over (hence the term “carpet-bomb”). It’s a “blended threat” because this vulnerability stems from the combination of the default download location of Safari and the way Windows handles executables.

Microsoft’s Suggested Action is:

Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.”

True, it’s a serious breach that should be fixed ay-ess-ay-pee, and we hope Apple fixes this soon. But it must be refreshing for Microsoft to be the one to call out Apple on something like this for once (I can almost here them go ‘Hah! How’d you like dem apples, Apple? Nyarharhar!’)

Researcher Nitesh Dhanjani, who first exposed this vulnerability more than a week ago, says that the flaw isn’t limited to Windows; OS X can be carpet-bombed as well, although I’m not quite sure Macs would know the first thing about running an .exe file.

For those of you new 10.5.3 updaters who are wondering what this Security Update 2008-03 is and why it isn’t popping up on Software Update, that’s because it isn’t meant for you, you greedy updater you.

You don’t need it, for one thing. Everything in it is already in the 10.5.3 update.

Actually, the Security Update is meant for pre-10.5.3 Leopard systems (10.5 to 10.5.2) and Tiger 10.4.11 users only. Mileage may vary, depending on your machine type and OS client, and can range from 72 to 118mb.

This security update is for those who want to wait out the potential hitches that can result from Leopard updates, like the few nasties that popped up from the 10.5.2 update last Feb., and for the folk who haven’t yet gone on to Leopard and are feeling abandoned in Tiger’s last iteration, yet still want to plug the security holes. If this applies to you, go get it here.

Just a quick heads-up.

Let it be said that Mac-A-Doodle can sure call ‘em.

Mere hours after us predicting it’ll come soon, Mac OS X Update 10.5.3. arrives. We even got the size correct - it’s a big one, all right: 420mb.

As usual, Software Update is cryptic about what’s new. All it says of this near half-gig Leopard update is

The 10.5.3 Update is recommended for all users running Mac OS X Leopard and includes general operating system fixes that enhance the stability, compatibility and security of your Mac.”

However, further digging uncovers the ff. (wordier) info about 10.5.3, which we reproduce here to save you the trouble of a click:

General

▪    Fixes a font issue that could result in Helvetica Narrow being used in applications instead of Helvetica.
▪    Addresses an issue with stuttering video and audio playback in certain USB devices.
▪    Resolves stability issues with Word of the Day, iTunes Artwork, and Slideshow screen savers.
▪    Fixes an issue in which certain attached hard drives may not show up in the Finder.
▪    Addresses an issue with .Mac syncing of Dashboard widgets over multiple Macs that use different screen resolutions.
▪    Includes additional RAW image support for several cameras.
▪    Improves the accuracy of the Software Update progress bar indicator.
▪    Addresses an issue in which Finder may not be available if the computer name is blank in Sharing preferences.
▪    Improves Active Directory binding and login.
▪    Eliminates a delay when logging in as an Active Directory user in a .local domain.
▪    Improves Spotlight searches on a AFP file server volumes.
▪    Clients can now change their password at the login window when bound to a Mac OS X 10.4 Open Directory server.
▪    Improves Safari reliability when connecting to the Internet through a Microsoft ISA proxy.

Address Book

▪    Addresses reliability issues when searching for contacts using built-in search.
▪    Resolves issues with mapping addresses that contain an ampersand character.

AirPort

▪    Improves 802.1X behavior and reliability.
▪    Improves reliability when using Time Capsule.

Automator

▪    Addresses an issue in which some actions may not work with the “Show When Run” option enabled.
▪    Resolves an issue in which the “New iCal Event” action may not work.
▪    Resolves an issue that prevents workflows from being saved in the Finder’s contextual menu.
▪    Fixes reliability issues for Automator scripts that search for files by date.
▪    Resolves an issue that prevents workflows from being saved in the Finder’s contextual menu.
▪    Addresses an issue in which Automator workflows as Finder plugins do not work when the workflow begins with the “Get Selected Finder Items” action.
▪    Fixes an issue in which the “Copy Files” action does not reliably work when added from Automator’s warning dialog.

iCal

▪    Addresses potential privacy issues by allowing events to be marked as private.
▪    Resolves an issue in which the inspector does not show capacity and availability info for conference rooms within a building.
▪    Addresses an issue in which the current day could appear in the left-most column of the weekly view.
▪    Addresses reliability issues with meeting alarms, invitations and attachments.
▪    Resolves issues with reliability when restoring from iCal backups.
▪    Fixes accuracy issues with auto-completion, availability data and location names.
▪    Resolves an issue in which iCal may send cancellation notices for events in the past after a calendar is deleted.
▪    Fixes reliability issues with iCal syncing.

iChat

▪    Addresses reliability issues with screen sharing.
▪    Resolves an issue in which saved chat transcripts may reported as “still in use” after opening and closing them in iChat.
▪    Resolves an issue with group chats not being indexed in Spotlight.
▪    Only the last 250 messages of an active chat are saved.  Fixed to save unlimited number of lines.
▪    Addresses issues with echo cancellation that may occur on portable Macs.

Mail

▪    Resolves an issue in which Mail may prevent idle sleep when set to automatically check for new messages every minute.
▪    Addresses stability issues that may be encountered when dragging large attachments into an email message.
▪    Fixes an issue that could occur if two compose windows are open when dragging a file to the Mail icon in the Dock.
▪    Addresses reliability issues when changes are made to a mailbox while offline.
▪    Resolves wrapping issues that may be found with consecutive spaces in plain text.
▪    Fixes issues with certain web pages appearing garbled when emailed from Safari.
▪    Fixes an issue in which the Sent, Drafts, and Outbox mailboxes incorrectly list the “cc” recipients in the “To” column.
▪    Addresses reliability issues with attachments added to plain text notes.
▪    Fixes reliability issues with authenticated RSS feeds.
▪    Resolves an issue in which attaching an alias to an email message may not send the actual file.

Parental Controls

▪    Addresses reliability issues with application logging and time limits.
▪    Resolves an issue in which Parental Controls may prevent forced sleep.
▪    Addresses performance issues with web content filters.
▪    Fixes an issue with managed accounts in which iChat transcripts may not be created.
▪    Addresses issues with 4-byte files and whitelist.

Spaces

▪    Resolves an issue in which switching to a different space and returning back to the original space may reorder the application windows with a different active window.
▪    Resolves an issue in which activating an application from the Dock switches to a different space, even if there is a window for that application in the current space.
▪    Fixes an issue in which Command-Tab may incorrectly switch to a new space.
▪    Addresses reliability issues with Spaces when syncing preferences over .Mac.

Time Machine

▪    Includes fixes for Time Machine compatibility with Time Capsule.
▪    Resolves certain issues when backing up a portable Mac that is on battery power.
▪    Addresses compatibility issues with Aperture 2.
▪    Addresses reliability issues when performing a full restore from a Time Machine backup.
▪    Fixes an issue in which certain function keys may be disabled after using Time Machine.
▪    Fixes a possible alert message that incorrectly states a backup volume does not have enough space.
▪    Updates Time Machine to reliably restore attachments and messages in Mail.

VoiceOver

▪    Includes Braille Update 1.0 which enables GW Micro, HandyTech, HIMS, Nippon, and Papenmeier Refreshable Braille displays.
▪    Addresses an issue with Braille dot 7 and 8 underlining.
▪    Fixes an issue in which HTML page anchors may be ignored by the VoiceOver cursor.
▪    Fixes an issue that prevented Hot Spots from being used in text areas.
▪    Resolves an issue with spell checking in which VoiceOver may only announce the first misspelled word if there are multiple words spelled incorrectly.”

Remember that it’s always a good idea to run RDP before and after the update, and an even better idea to backup your data before doing the update at all (if you’re not using Time Machine yet). For most users though, prudence dictates waiting a day or two to see if the foolhardy ones (like me) will run into trouble with the update. I’ll keep you posted.