Category Archive 'Security'
06.06.08

Apple releases 240-page OS Security Configuration Guide for free download

- Security, Operating System, Documentation, Leopard, Apple Inc. -

Apple released this week a long and exhaustive Leopard Security Configuration Guide consisting of recommended practices and tips on keeping your Macs, well, secure.

Strictly hardcore, it’s meant for the upper echelon of Mac geeks who are comfortable with Terminal and can understand the arcana of things like sandboxing, library randomization and modules with two-factor authentication systems.

I don’t think I’d try anything in it by myself, but it’s nice to know I have a copy. It’s like a rare library book from Hogwarts, and would be perfect if Harry was a Mac fanboy as well. Needless to say, tinkering with these spells is not recommended for ordinary wizards, not unless you know what you’re doing.

It’s a 3.4mb PDF download and you can get it here if you want to take a peek.

A quick look at the Table Of Contents after the jump:


01.06.08

Breaking News: Pot calls kettle black

- Issues, Microsoft, Security, Operating System -

Microsoft, creator of the very secure and robust Windows OS and the rock-solid Internet Explorer web browser, is warning Windows users not to use Apple’s browser Safari because it is unsafe and vulnerable to certain malicious sites that can take advantage of an exploit and “carpet-bomb” your Windows machine with EXE files.

According to Microsoft Security Advisory #953818 on the Microsoft website, there is a “Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform”:

“Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

“At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers needs.”

In simple terms, Safari doesn’t seek user permission when malicious sites try to make the browser download an executable file to the desktop, even if it does this hundreds of times over and over (hence the term “carpet-bomb”). It’s a “blended threat” because this vulnerability stems from the combination of the default download location of Safari and the way Windows handles executables.

Microsoft’s Suggested Action is:

“Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.”

True, it’s a serious breach that should be fixed ay-ess-ay-pee, and we hope Apple fixes this soon. But it must be refreshing for Microsoft to be the one to call out Apple on something like this for once (I can almost hear them go ‘Hah! How’d you like dem apples, Apple? Nyarharhar!’).

Researcher Nitesh Dhanjani, who first exposed this vulnerability more than a week ago, says that the flaw isn’t limited to Windows; OS X can be carpet-bombed as well, although I’m not quite sure Macs would know the first thing about running an .exe file.

29.05.08

The deal with Security Update 2008-03

- Security, Downloads, Operating System, Updates & Patches -

For those of you new 10.5.3 updaters who are wondering what this Security Update 2008-03 is and why it isn’t popping up on Software Update, that’s because it isn’t meant for you, you greedy updater you.

You don’t need it, for one thing. Everything in it is already in the 10.5.3 update.

Actually, the Security Update is meant for pre-10.5.3 Leopard systems (10.5 to 10.5.2) and Tiger 10.4.11 users only. Mileage may vary, depending on your machine type and OS client, and can range from 72 to 118mb.

This security update is for those who want to wait out the potential hitches that can result from Leopard updates, like the few nasties that popped up from the 10.5.2 update last Feb., and for the folk who haven’t yet gone on to Leopard and are feeling abandoned in Tiger’s last iteration, yet still want to plug the security holes. If this applies to you, go get it here.

Just a quick heads-up.

22.12.07

US Army goes Apple

- News, Issues, Security, Apple Inc. -

The US Army is the latest recruit in Apple’s creeping invasion of territories that used to be exclusive to other platforms.

The American military is integrating Macintoshes into their computer systems to make their setup harder to hack, according to a report from Forbes.com. Lt. Col. C.J. Wallington, a division chief in the Army’s office of enterprise information systems, says that since Macs haven’t been a common target of attacks, fewer hacks have been designed for them and adding Macs to the mix will make the Army’s systems less prone to destabilization with a single attack.

Apple hardware has already been working out well for the military. Wallington says that Xserve servers from Apple, which have become commonplace equipment in the Army’s systems, have proven themselves in use. Of the Xserves, Wallington says:

“Those are some of the most attacked computers there are. But the attacks used against them are designed for Windows-based machines, so they shrug them off.”

19.12.07

Security Update 2007-009 has good and bad points

- Issues, Security, Operating System, Leopard, Apple Inc. -

The Security Update released the other day has its good and bad side, users report.

Good news first: apparently the keyboard glitch plaguing MacBook and MacBook Pro users who’ve upgraded to Leopard, in which keyboards freeze for up to over a minute when using Carbon apps, has been solved with the Security Update.

Bad news: under special circumstances, the new Security Update can cause crashes in Safari. Changes made to address security issues in the app inadvertently crash Apple’s own browser, particularly in handling frames. The Mac Observer’s coding expert, Steven Swift, observes the problem:

The error happens when the user tries to submit a form to another target frame or window. Safari stops that, and, in fact, crashes. The idea is to keep any malicious hacker from, for example, trying to load code into a hidden window.

The problem seems to be specific to Safari, and does not affect other browsers like Firefox and OmniWeb.

Welcome to Mac-A-Doodle, Hinge Inquirer Publications group editor in chief Adel Gabot's Mac blog for INQUIRER.net. Manila-based INQUIRER.net is the online home of the Philippine Daily Inquirer Group of Publications.