Security Holes: Two Closed, One Opened

Apple last week released AirPort Extreme Update 2007-001, fixing a problem on Core Duo-based Mac minis, MacBooks, and MacBook Pros that could cause crashes or worse. The fix is related to a number of other repairs to low-level wireless hardware drivers that Apple made last year in response to a proof-of-concept exploit that could - theoretically - have enabled a nearby attacker to hijack a Mac via its wireless connection (see the series "To the Maynor Born: Cache and Crash").

If Software Update offers you the AirPort Extreme Update 2007-001, you should install it for safety's sake, and because it may fix some other bugs, but the likelihood of the security hole being exploited is nil. If you see any new problems after updating (we've heard a few anecdotal reports), check out MacFixIt's wireless troubleshooting tutorial. The update is a 7.4 MB download available via Software Update or as a standalone download.

Apple also released Security Update 2007-001, which resolves a possible exploit related to how QuickTime 7.1.3 handles RTSP URLs. The bug was identified by Kevin Finisterre and the pseudonymous "LMH" of the Month of Apple Bugs project. It's a 5.9 MB download available via Software Update or as separate downloads for Mac OS X 10.4 Tiger and Mac OS X 10.3.9 Panther.

Meanwhile, the Month of Apple Bugs project has found another bug that has captured the interest of people in the security community whose opinions I value. It turns out that Mac OS X's Software Update, when fed a file with a sufficiently malformed name, can be caused to crash or - in theory - to execute that bugaboo of the security crowd, "arbitrary code." (In other words, Software Update could be caused to run code that could replicate itself, delete data, or have other harmful effects. I say "in theory" because there's no known way yet to make that happen, but it's possible.)

Although the demonstration of the bug on the Month of Apple Bugs page doesn't work in my testing, a source showed me a variant that did demonstrate that Software Update improperly handles malformed file names. If a bad guy could figure out how to embed dangerous code in a malformed file name, that file could be fed to Software Update via a link you clicked in a Web browser or through an email attachment you opened. Turning off Software Update won't make any difference, and in fact, there's nothing users can do to eliminate the risk of being exploited. Luckily, that risk is very low.

Apple should fix the bug, as it did with the QuickTime bug, and Mac users should continue to be careful about clicking links on dodgy Web sites, avoid opening email attachments from unknown senders, and install security updates when released by Apple. As is usually the case, the revelation of this bug changes nothing for the Macintosh community; basic safe computing provides all the security necessary to render this potential exploit moot.

 
