Mac OS X 10.0.2 and iTunes 1.1.1 Add CD Burning -- Apple last week released its second free update for Mac OS X via the Software Update control panel, improving overall application stability and adding the capability to burn custom music CDs. For a more complete list of changes, see Apple's Tech Info Library article on the update. (As always, it's a good idea to back up your data before upgrading your system software.)
At the same time, the company released a free update to iTunes for Mac OS X that enables the audio CD burning feature. The new iTunes 1.1.1 also enables the full-screen graphics display feature that previously worked only in Mac OS 9. Burning audio CDs in iTunes 1.1.1 isn't without its quirks - iTunes should be set to only 2x burn speeds when using USB CD-RW drives, and burning audio CDs can fail if your Mac or even just the display goes to sleep while iTunes is burning, so set the sleep time to Never in the Energy Saver control panel and make sure "Separate timing for display sleep" is not selected.
One odd side effect of installing the Mac OS X 10.0.2 update is that on at least some systems (including my PowerBook G3/250), it enables the internal speaker even when external speakers are plugged in. The software volume controls affect only the internal speaker; the external speakers can be controlled only if they have an independent volume control. Although some might appreciate the stereo-plus-one sound, in many public situations, it's inappropriate to send sound out the internal speaker when headphones are plugged in. [ACE]
Mac OS X 10.0.2 Fixes FTP Vulnerability -- Apple says Mac OS X 10.0.2 also features a newer version of the ftpd FTP server. Does this fix the FTP vulnerability identified by CERT several weeks back (see "TenBITS/23-Apr-01" in TidBITS-577 for more information)? Our repeated requests for additional information from Apple have gone unanswered; all Apple has posted in public is that Mac OS X 10.0.2 has "a new version of Internet file sharing (ftpd), which features important security improvements." Luckily, Larry Rosenstein verified on TidBITS Talk that the version of the Mac OS X 10.0.2 ftpd server was the same as the most recently updated version of the ftpd server in the Darwin open source repository. It's probably safe to assume that Apple (or someone else working on the Darwin open source) has effectively closed the FTP security hole, and it's great to see Apple distributing a fix so quickly. Still, at the risk of sounding like a broken record (an analogy which undoubtedly shows my age), Apple needs to be more forthcoming with acknowledgments of problems to security groups like CERT. [ACE]
Sudo Security Hole -- The Stepwise site (which also had early information about some of the Apple Mac OS X installer bugs we reported on last week) has posted information about a security issue in the sudo command line program that enables Mac OS X users to execute Unix commands as the root user without logging into or even enabling the root user. Unfortunately, as with so many other security lapses, it turns out that the version of sudo shipped with Mac OS X is vulnerable to a buffer overflow that could enable an authenticated user (either in front of the machine or connecting via SSH or Telnet) to gain increased privileges. The problem first appeared 23-Apr-01, and although Apple didn't address it in last week's Mac OS X 10.0.2 update, the author of sudo has already issued a patch, and Scott Anguish of Stepwise has built a custom installation application (122K download) to replace Mac OS X's version of sudo. [ACE]
DragThing 4.0.2 Fixes Crashes -- James Thomson has released a bug-fix update to his alternative dock utility DragThing to address several crashes in Mac OS X, a problem with DragThing clearing the login items at startup (see James's explanation of this in TidBITS Talk for more details), and a few other less important bugs. The upgrade to DragThing 4.0.2 is free for DragThing 4.0 users; it's a 1 MB download. [ACE]
PowerMail 3.0.9 Supports Mac OS X -- The tiny Swiss company CTM Development has revved their email client PowerMail to add a few features, fix a few bugs, and most important, provide Mac OS X compatibility (specifically with Mac OS X 10.0.1 and later). As with most of the other products made compatible with Mac OS X, PowerMail 3.0.9 has a few unresolved issues such as occasional crashes related to find-by-content indexing, an error while copying and pasting, and printing problems with StyleWriters. The free update to PowerMail 3.0.9 is available in a "classic" version for Mac OS 8 and Mac OS 9 (1.9 MB download) and a Carbon version for Mac OS X (2.0 MB). [ACE]
QuickDNS Pro Eases DNS Setups on Mac OS X -- DNS, the Domain Name Service that maps Internet IP numbers like 184.108.40.206 to human-readable names like www.tidbits.com, is not for the faint of heart. Type one character wrong during an edit and your entire Internet domain could become inaccessible. Making DNS easier to set up and maintain has long been one of the goals of Men & Mice's QuickDNS Pro for the Mac, and now, the just-released QuickDNS Pro 3.5 for Mac OS X brings that ease of use to Mac OS X. QuickDNS Pro actually has two parts - the graphical QuickDNS Manager and the server-side utility QuickDNS Remote, which enables QuickDNS Manager to configure the Unix BIND 8.2.3 DNS server included with Mac OS X, Red Hat Linux 6.2 and 7.0, and SuSE Linux 6.3, 6.4, and 7.0. QuickDNS Pro 3.5 for Mac OS X costs $350 for a single license and $550 for two licenses; upgrades from version 2.x are $195 and volume discounts are available. [ACE]