The sizable patch, which weighs in at over 700MB, tends to a number of known security problems within the latest client and server versions of OS X, and is the largest update Apple has ever put out. This new update, known officially as ‘Security Update 2010-002′, fixes 92 problems in total, bringing Snow Leopard up to version number 10.6.3.

For those still running Leopard, and and plenty of you are, this update offers 18 specific fixes for Apple’s older OS. Snow Leopard sees 29 distinct fixes, with the remaining 45 improvements being applicable to both operating systems.

Fixes found within the update include improving the reliability of Airport connections, minor adjustments to OS X’s Mail application, refinements to Time Machine’s backup process and more. One of the most noticeable inclusions within this update were the nine critical updates targeting QuickTime. However, the numerous updates to Apple’s media player, as pointed out by Computerworld, come as little surprise due to the impending launch of the iPad. It’s increasingly common for Apple to update both QuickTime and its iTunes software ahead of the launch of a new device.

More information regarding the update, including a full run down of improvements, can be found within Apple’s official support pages. The update can be downloaded now either online or via OS X’s integrated system updater.

Let us know if you run into any issues with this upgrade.

The first is for the Open XML File Format Converter, which bumps the version to 1.0.1 and fixes a remote code execution (rated by Microsoft as “important”) associated with security bulleting MS08-057. The Open XML Converter allows you to convert Open XML files that were created in Office 2008 for Mac or Office 2007 for Windows so that you can open, edit, and save them in earlier versions of Office for Mac. The download is 44MB and should be installed by anyone running Office 2004 or Office v. X on OS X 10.4.9 or higher.

Next up is Office 2004 with a 13MB patch to version 11.5.2 which addresses vulnerabilities which could allow attackers to run code on your system.

Similarly, Microsoft Office 2008 for Mac kicks it up to version 12.1.3 which addresses similar vulnerabilities as the Office 2004 update in this 154MB download.

You can avoid all this work by letting Microsoft do the work for you with their auto-update.

In Good Company

Apple also posted Security Update 2008-007 on October 9th, which addressed nineteen (19) groups of vulnerabilities across a wide spectrum of OS X 10.4 and OS X 10.5 built-in software. Of particular interest are:

• fixes to QuickLook crashes for users of Microsoft Excel
• a patch to a local privilege escalation issue with the network stack
• a fairly gnarly problem with launchd (specific to OS X 10.5.5) that can result in improper sandoxing of some scheduled applications
• correction to a buffer overflow situation with ColorSync that can be taken advantage of with maliciously crafted images (those evil images again)

Apple also updated trusted root certificates (which are an important component of ensuring secure network communications).

You can check out the other vulnerabilities that were corrected and grab them via Software Update or Apple Downloads (between 31MB & 200MB depending on your system).

Firmware Updates Join The Frey

Apple also posted MacBook/MacBook Pro Software Update 1.2 which — true to form — nebulously “improves compatibility with external displays and includes a variety of software fixes” (would anyone let Microsoft get away with this?). The 45MB update is available now.

The updates caused no issues for me, but I’d be interested to hear if anyone else experienced any problems or post-install issues.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Content Farms: The Players, The Benefits, The Risks
• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce

• AIM for Mac – Beta 1 – Much to the surprise of many, AOL decided to release a new beta of their instant messenger for OS X. The big question, as a result, is “Why?”. After testing it out, I can find no compelling reason to switch from iChat or Adium and no features that would make this a “must-have” application, but I welcome your thoughts in the comments. [10.4/10.5; Intel/PPC] Free!
• Gimp.app – 2.6.0 – Hot on the heels of the official Gimp release comes the OS X native (non-X11) release, complete with enhanced toolbars/docks, full panning beyond the image border, much-improved free-select tool and snazzy improvements to brushes. Much of the enhancements were under-the-covers and provided a foundation for future crunchy-goodness by integrating GCEL (Generic Graphics Library), a powerful graph-based image processing framework (think “undo”) and support for a wider range of color models and pixel storage formats when reading or saving images. The developers also improved plug-in support.
  
  The interface is not exactly perfectly Mac-like and feels awkward and clunky at times, but it is definitely usable and has a good feature set. Would you use it over Photoshop or even some of the newer Flash-based online editors? Let me know your thoughts! [10.4/10.5; Intel/PPC] Free!
• ReceiptWallet – 2.0.8 – This minor update will make folks in Switzerland happy (fixes an issue with that locale), but also fixes a couple of other annoyances (a “Cancel” button one that was – on occasion – catching me) and a few bugs. [10.4/10.5; Intel/PPC] US$39.95
• Apple iTunes – 8.0.1 & Apple TV – 2.2 – As you saw on TAB, iTunes and Apple TV received updates this past week. The former improves music playback during Genius playlist creation (along with other improvements), and the latter provides support for HD TV shows and tosses a Genius into the tiny box for good measure. [10.3.9 (Apple TV update)/10.4/10.5; Intel/PPC] Free!
• Editra – 0.3.80 – Entering a candidate into the text editor fray on OS X takes guts. You are competing with the likes of BBEdit, TextMate, TextWrangler and many others, each of them having a loyal and vocal user-base. Editra is aimed squarely at the developers out there as it has most of the goodies you’ve come to expect (line numbering, commenting, indenting, syntax highlighting, etc.). The interface is straightforward enough, but it is obvious that the “0.x” version numbering is accurate since there is much room for many refinements. It already supports plug-ins (written in Python) and has the benefit of being cross-platform (it is written with the wxWidgets library), so you can use slide between platforms without losing your editing mojo. This application is definitely something to keep on your radar and in your RSS feeds. [10.4/10.5; Intel/PPC] Free!
• Perian – 1.1.1 – The self-dubbed “Swiss-Army knife for QuickTime” releases a two-dot update that I would have missed since the “update” button in the PrefPane did not work (and I just happened to hit their site from the other button in the PrefPane). This minor update fixes a problem with H.264 in AVI files, corrects a frame skipping issue, adds some codecs and incorporates a few additional bug fixes and feature tweaks. [10.4/10.5; Intel/PPC] Free!
• Schnippselchen Pro – 2.0.1 – I’ve been slowly getting back into software development (that may or may not be obvious from my posts) and came across this code-snippet saver which allows you to store, track and fully manage your bits of useful source with full support for syntax highlighting and drag-and-drop to Xcode or TextMate. The Mail-like interface should be quite accessible to everyone and the builtin search makes it pretty simple to find what you are looking for (especially if you’ve commented the snippets well). You can add a custom icon to each snippet and backup, export or share your library. The manual states that the app “will only store the data as long as [it] is running” but all my test snippets have been available across multiple launches. [10.5; Intel/PPC] Free?

Remember, drop me a note on Twitter (@hrbrmstr) or in the comments if there is something you’d like me to try!

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Content Farms: The Players, The Benefits, The Risks
• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce

The Mozilla crew have updated Firefox 3 and Firefox 2 to address security vulnerabilities and (in the case of version 3) bugs & usability issues, including fixes for Mac-specific bugs.

Firefox 3 had five security issues including two critical ones that could lead to either memory corruption or privilege escalation. Firefox 2 fixed nine security vulnerabilities, four of which were critical.

OS X users will see fewer problems with keyboard shortcuts, be able to enter Japanese, Korean, Chinese and Indic characters into Flash object text fields and store user profiles on AFP shares.

As I continue to use two browsers regularly (Firefox and Safari), Firefox continues to re-grow on me, especially with its rich extension support. If you do use non-Apple-provided browsers, it is vital that you stay on top of updates as you never know when you will find yourself surfing to a site with malicious content. Firefox makes it almost as simple as Apple’s Software Update by letting you choose between Help → Check for Updates… or setting up automatic update checking under Firefox → Preferences… → Advanced → Update.

If you’ve already upgraded, let other TAB readers know how you fared by dropping a note in the comments!

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Content Farms: The Players, The Benefits, The Risks
• Virtual Worlds: Trends and Opportunities
• Why iPad 2 Will Lead Consumers Into the Post-PC Era

Microsoft has stated that you should have installed the 12.1.1 Update prior to installing 12.1.2.

In similar fashion, Office 2004 has been updated to 11.5.1 which also has security, stability and performance fixes for Office 2004 Standard Edition, Office 2004 Student and Teacher Edition, Office 2004 Professional Edition, Word 2004, Excel 2004, PowerPoint 2004 and Entourage 2004. The 15MB download (English direct) is available via similar channels as the Office 2008 update.

Microsoft has stated that you should have installed the 11.5.0 Update prior to installing 11.5.1.

For what it’s worth: no problems on my end for Office 12.1.2, but I have not had an opportunity to do extensive testing. Since these updates do include security fixes (have I mentioned just how annoying it is when vendors mix security patches with other fixes?) you should install this immediately (after testing, if you’re in a more formal/larger production/working environment).

AutoUpdate should engage at some point today (it has not been populated as of this writing) and the direct links to the info-pages have not percolated to all of Microsoft’s web farm yet.

Let TAB readers know your post-update praises or woes in the comments!

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Content Farms: The Players, The Benefits, The Risks
• What Google’s Honeycomb Means for Apple and Microsoft
• The Future of Work Platforms: An Overview

• an Open Scripting Architecture (CVE-2008-2830) privilege elevation issue [10.4/10.5 Workstation & Server]
• a filename handling issue in CarbonCore (CVE-2008-2320) which may lead to an application Denial of Service (DoS) or arbitrary code execution [10.4/10.5 Workstation & Server]
• a web-exploitable CoreGraphics issue (CVE-2008-2321) that could lead to application DoS or arbitrary code execution [10.4/10.5 Workstation & Server]
• another CoreGraphics issue (CVE-2008-2322) with PDF rendering, leading to application DoS or arbitrary code execution [10.4/10/5 Workstation & Server]
• an issue with DataDetectors (CVE-2008-2323) where maliciously crafted content could lead to an application DoS [10.5 Workstation & Server]
• a really cool permissions issue with Disk Utility (CVE-2008-2324) that would have allowed local users to act with system privileges [10.4 Workstation & Server]
• an issue with OpenLDAP (CVE-2008-2952) where an attacker could have created an application DoS [10.4/10.5 Workstation & Server]
• another DoS potential in OpenSSL (CVE-2007-5135) if maliciously crafted bad packets are processed [10.4/10.5 Workstation & Server]
• five PHP 5 fixes [10.5 Workstation & Server]
• a QuickLook issue with Microsoft Office documents (CVE-2008-2325) causing either an application DoS or arbitrary code execution [10.5 Workstation & Server]
• two rsync vulnerabilities that may result in data access outside the module root [10.4/105 Workstation & Server]

The “big daddy” of this update is a fix for the DNS cache poisoning problem that has been in the Apple and general tech & security news recently. This is a pretty severe issue as DNS is the backbone of how systems & application get IP addresses from host names (so they know where to send you on the Intenet), and the ability to corrupt those databases means you really cannot trust where your network packets are going. Apple is the last major vendor to release a fix for this flaw and rightfully deserves some flack for it since they could have deployed the patch on July 8th with the majority of the other vendors, but chose to wait until this update bundle was ready to release.

OS X Server is the most likely candidate for actually running BIND (the process that manages DNS on a system) and you need to patch IMMEDIATELY if you are using it. It takes a bit of work to do this on plain-old Mac OS X, but you should run the update as soon as possible as well (especially for some of the other fixes).

A gaping hole still exists in OS X 10.3 and below you will need to do a bit of work (download, compile & install the package from the ISC by hand) if you are still running those systems and hosting DNS . While supporting older operating system releases presents a real challenge to companies like Apple & Microsoft, it is not unreasonable to expect there to be a decent number of 10.3 systems in the wild that need tending to and Apple should have done more to ensure coverage for those installations (or at least have provided a series of steps one could take to fix the issue).

Apple clearly dropped the ball here and has called into question their true commitment to security on their OS X platform or at least their ability to react quickly given all of the efforts they have in play. One also needs to remember that a version of OS X runs on the iPhone, iPhone 3G and iPod Touch and it is unclear whether the issues with CoreGraphics and DataDetectors exist on those platforms as well. It is much more difficult to both issue firmware updates and ensure decent update coverage with those mobile devices and Apple may need to come up with a way to deploy critical security fixes over-the-air directly to them rather than force consumers to do a full sync/update to remain secure.

The security update should show up in Software Update and is also available via direct download from Apple.

Let TAB readers know your take on how Apple handled this situation by dropping a note in the comments!

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Content Farms: The Players, The Benefits, The Risks
• Why iPad 2 Will Lead Consumers Into the Post-PC Era

The Security Update fixes 21 security issues in OS X 10.4 and 14 security issues in OS X 10.5. Fixes for especially nasty bugs include:

• CVE-2008-2309 which adds .xht and .xhtm files to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload. This update improves the system’s ability to notify users before handling .xht and .xhtm files.
  
• CVE-2008-2314 which disables hot corners when the screen lock is active (When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may have been able to access the system without entering a password prior to this fix.)
  
• CVE-2008-0960 which performs better validation of SNMPv3 packets (SNMP can be used to retrieve information about your system).

OS X 10.5.4 can be installed via Software Update or downloaded directly from Apple.

Users still running OS X 10.4.11 can also (along with the Security Update) look forward to a Safari 3.1.2 update as well, which includes a fix to a security issue (CVE-2008-2307) involving a memory corruption issue that exists in WebKit’s handling of JavaScript arrays. Without the patch, users who visit a maliciously crafted website may see unexpected application terminations or be vulnerable to arbitrary code execution. Apple engineers improved bounds checking to fix the problem.

If you have installed any of these updates, drop a note in the comments if you experienced any issues or if you can confirm whether a particular issue you have been seeing has been fixed.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce
• Content Farms: The Players, The Benefits, The Risks

As you may have read, this flaw is not capable of being exploited remotely, but multiple variants of a new Trojan (dubbed “AppleScript-THT”) are floating around the internets which wreak all sorts of havoc on your system once infected. Some install keystroke logging, usurp your iSight camera to take pictures or even capturing screenshots (some do much worse).

The Washington Post has a great blog post which gives a great amount of detail on the problem and even mentions a few solutions. The quickest way (until Apple releases a patch) to protect yourself is to open up a Terminal window and enter the following text:

If that was successful, then you should not see “root” when you paste this into the Terminal window:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

SecureMac has updated MacScan to account for these new beasts and DAT updates from other vendors are forthcoming.

Until Apple releases a patch and you install it be very careful what you download and execute, both from your browser or chat clients.

If you have any questions or concerns, please drop a note in the comments and I will monitor this thread closely over the coming days to try to help as much as possible. Watch for a TAB post when Apple issues a fix.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Content Farms: The Players, The Benefits, The Risks
• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce

Microsoft has been busy today, releasing security updates, announcing a new service pack and committing to restoring functionality to their Mac office suite.

Yep, It’s Patch Tuesday Again

Microsoft released security bulletin MS08-014 today that contains a patch to a remote code execution vulnerability effecting Microsoft Office 2004 & 2008 for Macintosh. Office 2004 is bumped up to version 11.4.1 and primarily contains security & stability fixes. Office 2008 bumps up to version 12.1.0 and includes security fixes along with a plethora of other improvements. Both updates are available via Office software update or via direct download from the aforementioned links.

Get Your Red Hot Office 2008 SP1!

Microsoft MacBU announced the availability of Office 2008 SP1 today in conjunction with the security patch. The 180MB download contains over 1,000 fixes including – what apparently was a major annoyance – the return of custom error bars and axis tick manipulation in Excel charts.

The full release notes are available for your perusal. Here are some other SP1 highlights:

Microsoft Office Excel

• Compatibility. Improved compatibility with files exchanged between Excel 2008 for Mac and Excel 2003 and Excel 2007 for Windows
• Custom Error Bars. Restored formatting option on the Error Bars panel for data series
• Printing. More reliable printing for elements on Excel 2008 workbooks

Microsoft Entourage

• Calendar. Significant enhancements to improve calendar view and all-day reminders with reoccurrence
• Exchange Server support. Overall improvement to synchronization support, including removing attachments from Exchange Server messages and synchronizing to the server, as well as support for editing the contents of Exchange Server messages via AppleScript and synchronizing the changes to the server
• E-mail images. Ability to send and view images in Entourage from third-party tools

Microsoft Office Word

• Printing. Improved accuracy when orienting tables with cell shading
• Document map. Improved reliability and responsiveness to select items
• Notebook layout. Updated formatting, recording status and a variety of display options

Microsoft Office PowerPoint

• Printing. Improvements to eliminate crashing when printing documents to high-dpi printers and increased overall printing speed by 10 times on some large presentations
• Mobile viewing. Ability to view Mac .PPTX files on Windows Mobile phones
• AppleScript. Ability to use the PowerPoint selection object in AppleScript to implement custom scripts that operate on the current selection in PowerPoint

Restoring Functionality (& Vulnerabilities)

Microsoft’s MacBU also announced (official press release) the return of Visual Basic for Applications (VBA) support to the next major release of Office for Mac. This is a mixed bag since VBA macros are a juicy vector for vulnerabilities but that same functionality is critical to many business processes that have been developed using the suite.

From the announcement:

Sharing information with customers as early as possible continues to be a priority for the Mac BU to allow customers to plan for their software needs.2 Although the Mac BU increased support in Office 2008 with alternate scripting tools such as Automator and AppleScript — and also worked with MacTech Magazine to create a reference guide, available at http://www.mactech.com/vba-transition-guide — the team recognizes that VBA-language support is important to a select group of customers who rely on sharing macros across platforms. The Mac BU is always working to meet customers’ needs and already is hard at work on the next version of Office for Mac.

When you install the security update or try out SP1, drop a note in the comments with your experiences and definitely let us and the MacBU know if they didn’t fix any of the issues you were having pre-SP1. Also, if you have any thoughts on the revival of VBA for Mac Office make sure to let us know in the comments as well.

(post updated to fix version errors & links)

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Content Farms: The Players, The Benefits, The Risks
• Why iPad 2 Will Lead Consumers Into the Post-PC Era
• The Near-Term Evolution of Social Commerce