MobileMe subscribers finally get nearly instant synchronization of their contacts, calendars, and bookmarks with the latest Mac OS X 10.5.6 Leopard update. Deep in the release notes, Apple writes that these items “automatically sync within a minute of the change being made on the computer, another device, or the Web at me.com.”
Apple was criticized after the launch of MobileMe for promising that items would synchronize immediately from every source when changes were made. Apple later apologized, and said that desktop software would have a lag of as long as 15 minutes. The company stopped using the term “push” to describe its software, and said it wouldn’t describe it that way until they’d improved performance. (See “MobileMea Culpa: Apple Apologizes and Explains Tiger Situation,” 2008-07-16.)
Fixing the TARDIS — The rest of the update contains little of note, despite a variety of fixes to very specific bugs and flaws. One might take some heart from the Time Machine section, which has two items:
- Fixes issues that could cause Time Machine to state the backup volume could not be found.
- Improves Time Machine reliability with Time Capsule.
Well, alrighty, then. I know of a number of people (including myself) who have suffered unrecoverable corruption on their Time Capsule backup images, and even after wiping the drive or erasing the images, still experience recurring corruption. That’s obviously unacceptable. Maybe this update fixes that problem? This is when it would be nice to have some narrative to go along with the executive summary.
Fixes for Age-Old Exploits — Apple also released Security Update 2008-008, which fixes a variety of frightening-sounding exploits, as well as this surprising problem with Safari:
"Safari allows Web sites to set cookies for country-specific top-level domains, which may allow a remote attacker to perform a session fixation attack and hijack a user's credentials. This update addresses the issue by performing additional validation of domain names."
Why scary? Because this problem has been known for many years. The major generic top-level domains, initially controlled by the United States, include .com, .net, .org, and so forth. Other nations, like the United Kingdom and Australia, opted to put top-level categories to the left of their country codes: .co.uk, .com.au, and so forth.
This means that in the .co.uk hierarchy, if a cookie were set to .co.uk, any site with a .co.uk suffix would be sent that cookie by a browser. Browsers have typically limited cookies to tertiary domain names outside of the generic top-level domains for that reason. Amazon UK might set a cookie for amazon.co.uk, but a browser wouldn’t deliver that cookie anywhere else.
Some countries, however, allow anything to the left of their country code. That creates a problem when a server sets a cookie for a secondary domain name: a malicious site could then read all secondary domain cookies. It’s too bad that when browser development was in its infancy, no standard for cookie/domain interaction was formalized. Unfortunately, a next-generation cookie specification that would address this and other security issues has languished.
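To make the "additional validation of domain names" concrete, here is an added example (not Apple's code and not from the original article) that compares a naive cookie Domain check with one that also refuses registry suffixes such as .co.uk. The suffix set, the host names, and the function names are all constructed for illustration.

```javascript
// Constructed sample of registry-controlled suffixes. Real browsers ship a
// maintained list; this short set is an assumption for the example.
const SAMPLE_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk", "au", "com.au"]);

// Lower-case and strip one leading and one trailing dot (".co.uk" -> "co.uk").
function normalise(name) {
  return name.trim().toLowerCase().replace(/^\./, "").replace(/\.$/, "");
}

// A host falls inside a cookie domain if it equals it or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Naive rule, for contrast: accept any Domain that covers the setting host
// and contains at least one embedded dot. ".co.uk" passes this test.
function naiveCheck(requestHost, domainAttr) {
  const host = normalise(requestHost);
  const domain = normalise(domainAttr);
  return { accept: domainMatches(host, domain) && domain.includes("."), scope: domain };
}

// Stricter rule: additionally reject a Domain that is itself a registry suffix.
function checkCookieDomain(requestHost, domainAttr) {
  const host = normalise(requestHost);
  if (!domainAttr) return { accept: true, scope: host, reason: "host-only cookie" };
  const domain = normalise(domainAttr);
  if (!domainMatches(host, domain)) {
    return { accept: false, scope: null, reason: "Domain does not cover the setting host" };
  }
  if (SAMPLE_SUFFIXES.has(domain)) {
    return { accept: false, scope: null, reason: "Domain is a suffix shared by unrelated sites" };
  }
  return { accept: true, scope: domain, reason: "ok" };
}

// Constructed hosts: shop.example.co.uk is one site, other.example2.co.uk is unrelated.
const cases = [
  ["other.example2.co.uk", ".co.uk"],
  ["shop.example.co.uk", ".example.co.uk"],
  ["shop.example.co.uk", ".example2.co.uk"],
];
for (const [host, attr] of cases) {
  const naive = naiveCheck(host, attr);
  const strict = checkCookieDomain(host, attr);
  const reach = naive.accept && domainMatches("shop.example.co.uk", naive.scope);
  console.log(`${host} Domain=${attr}: naive=${naive.accept} strict=${strict.accept} (${strict.reason}) reachesShop=${reach}`);
}
```

The first case is the one behind the session fixation risk: under the naive rule a cookie scoped to .co.uk would be delivered to every unrelated .co.uk site, while the stricter rule drops it.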
Downloads — Mac OS X 10.5.6 is available via Software Update and as a standalone updater for Leopard (372 MB) and Leopard Server (469 MB), as well as a combo updater, which has all updates from 10.5.1 through 10.5.6 for both Leopard (Apple says 71 MB, which must be a typo – 710 MB is more likely!) and Leopard Server (883 MB).
Security Update 2008-008 is incorporated into the 10.5.6 update. Many of the security fixes are also available for Mac OS X 10.4 Tiger, with separate updates for PowerPC (71.6 MB) and Intel (163.2 MB) models running client and server (133 MB). Use Software Update to ensure you get the correct version.