It's been a busy Mac week. Apple updated most applications in iLife '06 and released Mac OS X 10.4.5, and then announced that the MacBook Pro has begun shipping - with faster processors than originally promised. However, two new Mac malware threats, Leap-A and Inqtana-A, hogged the spotlight. Although neither is particularly dangerous, Matt Neuburg looks at the weakness that Leap-A is exploiting. Also in this issue, we note the releases of iKey 2.2 and Camino 1.0.
Copyright 2006 TidBITS: Reuse governed by Creative Commons license
<http://www.tidbits.com/terms/> Contact: <firstname.lastname@example.org>
Mac OS X 10.4.5 Fixes Nits -- Apple last week released Mac OS X 10.4.5, a bug-fix update that offers oodles of small changes. Most notable are a fix that prevents Safari from crashing when deleting AOL email messages via AOL webmail, proper functioning of Apple's IPsec VPN client with Cisco servers whether or not NAT (Network Address Translation) is used, a fix for synchronizing with an iDisk larger than 4 GB, and a fix that enables some previously problematic Epson printers to be used successfully via an AirPort Extreme base station. A number of changes affect only Intel-based Macs, including two fixes to Rosetta: one that enables applications to open files located via the search field in Open dialogs and another that enables Rosetta-translated applications to receive Keychain notifications correctly. Many of the other changes are cosmetic (Fast User Switching's rotating cube now appears as expected on primary and mirrored displays) or highly specific (the Setup Assistant no longer crashes if Kotoeri is selected as the keyboard type following an English language installation of Mac OS X). Mac OS X 10.4.5 is available as separate delta updates for Mac OS X 10.4.4 (16 MB for PowerPC, 98 MB for Intel), and as a 125 MB combo update for PowerPC-based Macs that will update any previous version of Mac OS X 10.4. The delta update via Software Update is only 6.4 MB for PowerPC-based Macs, while the update for Intel-based Macs is 40 MB. [ACE]
MacBook Pro Ships at Higher Speeds -- The MacBook Pro started shipping last week with faster processors than promised. Apple said pre-orders started moving out 14-Feb-06 and that the laptop will be available in retail Apple Stores and from resellers. However, anecdotal evidence suggests that Apple's idea of "shipping" referred to the laptops leaving the factories in Asia, since as of press time it appears the first orders are due to arrive in customers' hands early this week.
The 15-inch laptop was originally announced to include a 1.67 GHz Intel Core Duo processor, but Apple said that the lowest speed to ship is now 1.83 GHz (the former top speed for this model; see "Intel-Based iMac and MacBook Pro Ship Earlier than Expected" in TidBITS-812 for the machine's full specifications). The higher-speed standard model now features a 2.0 GHz processor, which can be reconfigured to have a 2.16 GHz processor for an extra $300 - that's $300 for a one-twelfth faster processor. The 1.83 GHz model does not offer the processor speed bump as a build-to-order option. Apple said that outstanding pre-orders can be tweaked for faster speeds. (However, if your machine has already shipped that might be problematic!) [GF]
iKey 2.2 Adds Double-Key Hotkeys, USB Device Events -- Script Software has released iKey 2.2, the latest version of their automation utility. Most notable among the new features is one I requested: double-key hotkeys that enable you to invoke a shortcut that chooses the Save As menu item, for instance, when you press Command-S-A (that's pressing Command-S, letting up on the S, and pressing A quickly). This is a brilliant feature I found utterly addictive in Nisus Writer Classic (it's also available in a limited fashion in Microsoft Word's internal keyboard customization, and in QuicKeys X3 from Startly Technologies), and it makes assigning memorable hotkeys to a constantly proliferating set of shortcuts far easier. Also new in iKey 2.2 are USB device events that let you invoke shortcuts using the various buttons and scroll wheels on USB devices attached to your Mac (unfortunately, you can't use a USB device event if you have another USB driver such as USB Overdrive installed). iKey 2.2 now saves the contents of the clipboard automatically before invoking certain clipboard commands and restores those contents afterwards; two new clipboard commands give you manual control over saving and restoring clipboard contents. It's easier to attach icons to your shortcuts, floating menus no longer include system contextual menu items, Apple's Backup application can now save iKey's settings, iKey warns you if there's a conflict between any of your hotkeys and system hotkeys, and a new version of my "Take Control of iKey 2" manual documents all the changes. iKey 2.2 is a free upgrade for registered users and new copies cost $30; it's a 4.8 MB download and is available as a universal binary for users of both PowerPC- and Intel-based Macs. [ACE]
El Camino Becomes Real -- Even though Camino has been in development and available in one form or another for several years, the free, open-source Camino Web browser celebrated its 1.0 birth on Valentine's Day (14-Feb-06). With its roots in the same Mozilla development project that brought us Firefox and connections to Safari (Camino was originally called Chimera, and one of the primary Chimera developers went to Apple to work on the browser that became Safari), Camino offers the fast, lightweight Gecko rendering engine and a suite of modern browser features that may make it a prime candidate for your primary browser. Camino 1.0 supports tabbed browsing, pop-up and advertisement blocking, page security warnings, large picture scaling, a clean downloads experience, and broad media player support.
Users who are happy with Safari, Firefox, or another favorite browser may still want to try Camino for its excellent rendering speed and integration with Mac OS X. Camino 1.0 is a universal binary, optimized for use on both PowerPC and Intel Macs. It requires Mac OS X 10.2.8 or later, and is available as a standard download (14.2 MB) or a multilingual download (19.5 MB) that supports Danish, Dutch, English, French, German, Italian, Japanese, Polish, Portuguese (for Brazil or Portugal), Russian, Slovak, and Swedish. [MHA]
by Adam C. Engst <firstname.lastname@example.org>
Apple released updates to five of the six applications that make up the iLife '06 suite last week, providing bug fixes and minor enhancements for iPhoto, iMovie HD, iDVD, iWeb, and iTunes. Details remain scarce, but Apple claims that iPhoto 6.0.1 (a 13.7 MB download) fixes bugs related to photocasting; viewing thumbnails in large libraries; and ordering cards, calendars, and books. iMovie HD 6.0.1 (52.6 MB) resolves problems with the rendering performance of the Ken Burns Effect, editing performance with the Scrubber Bar, and image quality in iMovie's themes. iDVD 6.0.1 (5.3 MB) fixes integration troubles with other iLife applications, importing of legacy projects, and some theme-related issues. iWeb 1.0.1 (19.1 MB) addresses issues related to publishing and blogs. Lastly, iTunes 6.0.3 (18.7 MB) contains stability and performance improvements over the previous version. All of the updates reportedly fixed "a number of other minor issues" as well, and I suspect that those bug fixes may in fact be the most welcome.
When I first tried to run these updates, a dialog kept popping up, telling me to quit iWeb before installing the update. The only problem was that iWeb was not running, and launching and quitting it again made no difference. Restarting my Mac and running Software Update again did solve the problem, but the only reason it worked is that OmniWeb wasn't running when I tried the update the second time. I should have remembered instantly, since I'd seen this problem some months ago when trying to update iTunes: if there is any running application whose process name contains the name of an iLife application, the updater will fail in this manner, since Apple's code isn't very smart about checking names. So, in the case of iWeb, notice that "OmniWeb" contains "iWeb" and in the case of iTunes, my problem was caused by the SizzlingKeys preference pane (which lets you control iTunes from the keyboard in any application), since its process name is "SizzlingKeys4iTunes". To determine what application might be causing the problem, launch Activity Monitor, select All Processes from the Show pop-up menu, and in the Filter field, type "iWeb". If you're comfortable at the command line, type the following line into Terminal:
ps -aux | grep iWeb
Either way, if your search finds anything, quit the offending application and run the update again.
by Mark H. Anbinder <email@example.com>
A malicious file uploaded early this week to the MacRumors Forums site is a Trojan horse designed to fool Mac users into thinking they'll get to see preview pictures of Mac OS X 10.5 Leopard, the next version of Apple's operating system software. Instead, the file, named "latestpics.tgz," attempts to send itself to the user's iChat contacts, and damages applications on the user's computer. Your computer can't be infected unless you open the file.
Andrew Welch of Ambrosia Software appears to be the first to post a thorough analysis of the malware, which he dubbed "Oompa-Loompa," or "OSX/Oomp-A" in the standard taxonomy. Both Sophos and Symantec appear to be using the name "OSX/Leap-A," and both are offering definition downloads.
Welch says Leap-A appears to try, but fail, to spread itself through other applications the user launches. The resulting damage to these applications renders them unusable.
The easiest thing you can do to protect your computer is not download and open "latestpics.tgz" or any other archive you're not expecting. If you receive a file via email or instant message that you're not expecting, even from someone you know, always ask before opening it. This malware can't spread itself; it relies on "social engineering" to trick users into activating it. (See "Are Input Managers the Work of the Devil?" elsewhere in this issue for more on the vulnerability that Leap-A is exploiting.)
If you run anti-virus software, make sure it is set to obtain updates automatically at least weekly, or check manually for updates over the next few days. Dan Adinolfi of Cornell University's IT Security Office has provided the first two links to Sophos's and Symantec's pages, which offer a growing set of info about the Trojan horse. Macworld has also posted a Leap-A FAQ.
Shortly after Leap-A made headlines, a second piece of malware appeared. Inqtana-A is described as a Java-based proof of concept that takes advantage of an old Bluetooth vulnerability in Mac OS X. If you've applied the Apple Security Update 2005-006 for Mac OS X 10.3.9 and Mac OS X 10.4.1 or the general Mac OS X 10.4.1 release, then your Mac is unaffected by Inqtana-A.
Although both threats are minimal - especially compared to far more dangerous malware that Microsoft Windows users encounter - they've served as a reminder to the Mac community that no computer system is entirely immune to Trojans, worms, and viruses.
by Matt Neuburg <firstname.lastname@example.org>
The recent flap over the Leap-A malware raises the question of whether Mac OS X is fulfilling its promise as a rock-solid system with a stable, unmodifiable base (see "Two Mac Malware Threats Sighted," elsewhere in this issue). The straw man here is Mac OS 9 and earlier systems, on back through System 6. In those days, you may recall, users could install third-party files called INITs (or extensions) which loaded during startup and modified the behavior of the System. A malicious or buggy INIT could easily destabilize the whole computer or make applications behave in unexpected ways; this could be troublesome both for users, who might find the computer behaving mysteriously, and for developers, whose applications might crash through no fault of their own. If you can't rely on the System to be the System and nothing but the System, what can you rely on? Unfortunately many third-party INITs were really cool and using them was irresistible. People used to manage the inevitable resulting problems through a mixture of guesswork and extension managers, but we all knew, as four rows of INITs marched proudly across the screen during startup, that we were lucky if the computer worked at all.
In Mac OS X, on the other hand, there are no INITs, and the system files are protected by permissions. Thus, in theory, Mac OS X is much less susceptible to customization than earlier Apple systems. That may be disappointing (personally, I'd kill for a Mac OS X version of Menuette!), but the trade-off is the assurance that there is just one System - once I tell you what version of Mac OS X I'm running, you know exactly how it behaves in every fundamental respect.
But do you? I sometimes get the feeling that Mac OS X is just as full of customization holes as earlier systems were. In fact, Mac OS X may be worse than earlier systems, because those customization holes are harder to track than INITs were, and because the feeling of security misleads the user into a misplaced confidence. In reality, no one has a pristine System, and keeping the System even somewhat pristine requires constant vigilance. In an earlier article I talked about the security concerns represented by the Launch Services architecture and URL schemes (see "Explaining the URL-Based Mac OS X Vulnerability" in TidBITS-731). The Leap-A malware exploits a more insidious and powerful device, the Input Manager.
An Input Manager is, in theory, merely an aspect of text input. It is through an Input Manager, for example, that Japanese input is enabled on Mac OS X: effectively, the system watches as you type or work in the input palette, suspending judgment about the text being entered until you've supplied enough information, and thus you can enter characters from a repertoire vastly larger than the number of keys on a keyboard. Developers can create their own Input Servers, which embody the functionality of Input Managers and make themselves available to all applications.
The trouble is that Input Managers "make themselves available to all applications" through being injected by the System into every application as it starts up. Thus an Input Manager is a general, legal method to modify application behavior. Naturally it didn't take long for the thought to occur to someone that such modification need have nothing to do with inputting text! Thus, Input Managers - or, at least, bundles of code installed in a Library's InputManagers folder - are the basis of many popular hacks, including StuffIt Deluxe's MagicMenu feature, CocoaGestures, Smart Crash Reports, certain Growl Extras, PithHelmet (and SIMBL), Saft, Inquisitor, and many others (as those last examples show, this is a particularly popular way to hack Safari). And Input Managers lie at the heart of how Leap-A works.
The reason this is such an easy vector for Leap-A to take advantage of is that no special permissions are required for an application to install an Input Manager into your ~/Library/InputManagers directory, nor (if your User is an admin, or if you give an admin password when requested) in the system-wide /Library/InputManagers. It can thus affect all subsequently launched applications, forever (or until you notice the unwanted Input Manager, delete it, and log out). It has been argued that this architecture represents no greater security hole than the maliciousness that any application might represent; after all, if I can get you to download and run my application, my application can delete everything in your User directory before you can say Jack Robinson. That's true, but it's also true that an Input Manager is code that you _don't_ consciously run. It blindsides you; it's just "there," invisibly, affecting everything you _do_ run, without your knowing what it does, where it is, or how it got there. Even in the absence of malice, a badly written Input Manager installed at a high enough level can render the computer completely unusable. Gosh, it's just like in the good old days of System 6, isn't it?
Unfortunately, it would require serious rethinking of the Mac OS X architecture to put this genie back in the bottle. Surely Apple has long known that Input Managers might be used maliciously; to do nothing about this possibility is to hope that they won't be so used, and hope, while it may spring eternal, is not an effective security technique. Indeed, something suspiciously similar to Leap-A was announced as a proof-of-concept for the malicious use of Input Managers back in July of 2005; one can hardly be surprised at its present reification. (Even more suspiciously, the original article has been taken down.)
Before the identification of Leap-A, a discussion of Input Managers caught my attention because, embarrassingly, silent installation of an Input Manager is performed by Path Finder, an application that I had previously recommended. This discussion included various suggestions for coping with unwanted Input Managers, including simply locking down the InputManagers directories by assigning them prohibitive permissions. (Already there's an "OompaLocker" AppleScript available to do exactly that.) Such measures seem extreme, but the chances that Apple will do anything to stem the spread of such unwanted silent installations are vanishingly small. So what's a user to do? What I would ideally like is an application that would occasionally comb certain key folders (InputManagers, StartupItems, Extensions - any others?) to see whether anything has been recently installed there, and perhaps something that I could run before and after installing any new piece of software to learn what was installed where. (Yank is said to be an application of the second type, but I haven't tried it.) Apart from that, I suppose we'll all just have to keep muddling along as usual, hoping that Mac OS X is reasonably safe under most circumstances.
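One way to get the before-and-after check wished for above, as an added example that is not code from TidBITS or from any tool the article names: record a fingerprint of everything in the key folders, then compare a later scan against the saved baseline. The StartupItems and Extensions paths, and all function names, are assumptions introduced for this example.

```python
import hashlib
import json
import os
import sys

# The two InputManagers paths are the ones the article gives. The StartupItems
# and Extensions paths are assumed (usual Mac OS X locations, not on the page).
WATCHED = [
    os.path.expanduser("~/Library/InputManagers"),
    "/Library/InputManagers",
    "/Library/StartupItems",
    "/System/Library/Extensions",
]

def fingerprint(path):
    """Describe one entry: symlink target, directory marker, or content hash."""
    try:
        if os.path.islink(path):
            return "link:" + os.readlink(path)
        if os.path.isdir(path):
            return "dir"
        digest = hashlib.sha256()
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(65536), b""):
                digest.update(chunk)
        return "sha256:" + digest.hexdigest()
    except OSError:
        return "unreadable"

def snapshot(roots=WATCHED):
    """Map every entry below the watched folders to its fingerprint."""
    state = {}
    for root in roots:
        # os.walk yields nothing for a folder that does not exist.
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                state[path] = fingerprint(path)
    return state

def diff(before, after):
    """Return entries added, removed, or changed between two snapshots."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in after
                          if p in before and after[p] != before[p]),
    }

def new_bundles(before, after, roots=WATCHED):
    """Items that newly appeared directly inside a watched folder."""
    found = set()
    for path in diff(before, after)["added"]:
        for root in roots:
            top = os.path.relpath(path, root).split(os.sep)[0]
            if top != os.pardir and os.path.join(root, top) not in before:
                found.add(os.path.join(root, top))
    return sorted(found)

if __name__ == "__main__":
    # Before installing software: python3 script.py snap baseline.json
    # After installing, or on a schedule: python3 script.py diff baseline.json
    mode, baseline = sys.argv[1], sys.argv[2]
    if mode == "snap":
        with open(baseline, "w") as out:
            json.dump(snapshot(), out)
    else:
        with open(baseline) as saved:
            print(json.dumps(diff(json.load(saved), snapshot()), indent=2))
```

Because the comparison is by content hash rather than modification date, a file replaced with its timestamp preserved still shows up under "changed".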
by Adam C. Engst <email@example.com>
"Take Control of Digital TV" Update Offers Current Info -- Looking for help with buying a new digital TV? Curious about the many ways to bring HDTV programming into your home? Turn to Clark Humphrey's freshly updated "Take Control of Digital TV" to find concise explanations, a road-map for buying a new TV, a current listing of which programs and stations offer HD content, and much more. New in this free update are additional graphics explaining how TV screens accommodate different image aspect ratios; details on the official schedule for turning off analog telecasts in the United States; a look at some promising new TV receiver technologies; an updated discussion of new and forthcoming high-definition (HD) broadcast programming and cable/satellite channels; a quick look at FIOS, a nascent attempt by U.S. local telephone companies to compete with cable and satellite TV; and info about MovieBeam, a new pay-per-view service that could replace trips to your local video rental store.
Joe Kissell Interviewed about Apple Mail by Hawk Wings -- Hawk Wings, a Web site devoted to all things about Apple Mail, recently interviewed our very own Joe Kissell, author of three Take Control ebooks about Apple Mail. In the interview, Joe reveals his two favorite Mail add-ons, discusses new features he'd like to see in future versions of Apple Mail, and more. (If you're wondering why the site is called "Hawk Wings," look closely at the Mail icon.)
by TidBITS Staff <firstname.lastname@example.org>
The first link for each thread description points to the traditional TidBITS Talk interface; the second link points to the same discussion on our Web Crossing server, which provides a different look and which may be faster.
Paperless Office Quote -- A search for the origin of a quote on the "paperless office" sparks discussion about whether we'll ever stop working with so many dead trees. (23 messages)
iWeb and filename length -- iWeb can create filenames longer than 64 characters, causing problems with some Web servers. (2 messages)
Non-iPod MP3 Players on a Mac -- What are the options for using a portable music player that's not an iPod? (4 messages)
Dial-Up Router -- What wireless options are available when your only Internet connection is via dial-up modem? We look at a few routers that incorporate modems. (2 messages)
Power Outlets in Airports -- Adam's article bemoaning the lack of power outlets in airports prompts suggestions for working around the problem. (4 messages)
Power in the wild -- Uninterruptible power supplies can help provide power when working in the field (for charging camera batteries, for example), but some models are more configurable than others. (4 messages)
OmniGraffle vs. other diagramming programs -- Matt Neuburg's recent look at OmniGraffle makes some readers wonder how it compares to similar tools. (9 messages)
iWeb '06 install issue -- A problem that we ran into while installing the iWeb 1.0.1 update appears to be related to how Apple's installer is determining which applications are running. (4 messages)
OmniGraffle vs Mail.app -- Apple's Mail application sometimes mistakenly opts to save attachments within Finder bundles. (4 messages)
Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. TidBITS ISSN 1090-7017.