Mac OS X 10.5 Leopard arrives on Friday, and this issue is packed with as much information as we can reveal (while still under NDA) about Apple’s next operating system. Matt Neuburg sorts through Apple’s list of 300 features to pick the best and worst of the lot. Rich Mogull examines some specific under-the-hood security improvements that may make your Mac dramatically more secure. Sharon Zardetto passes on some advice for those who still have important fonts in Classic. Apple Remote Desktop 3.2 and QuicKeys X3 3.2 both provide bug fixes and Leopard compatibility. And we’ve started selling the early-bird edition of Joe Kissell’s “Take Control of Upgrading to Leopard,” with pre-orders also now open for Matt Neuburg’s “Take Control of Customizing Leopard;” both titles will ship in full as soon as Leopard becomes available. A few non-Leopard bits managed to sneak into the issue, too: Apple’s quarterly earnings call revealed a record number of Macs sold, Apple announced that Orange will be the exclusive iPhone provider in France, and Steve Jobs confirmed that an iPhone software development kit is in progress and will be available in February 2008. If that weren’t enough, Apple reduced the price of iTunes Plus tracks from $1.29 to $0.99, and Tonya shares some tips for those who have trouble with links in PDFs.
If you’re thinking that Apple has transformed itself into an iPod company that also makes computers, it’s time to realign your view. The company reported today that for the fiscal quarter ending 29-Sep-07, it shipped 2,164,000 Macintosh computers, besting last quarter’s record by 400,000 (see “Apple Marks Best Quarter of Mac Sales for Q3 2007,” 2007-09-07). One year ago, Apple shipped a then-record of 1.61 million Macs. This year’s shipments helped Apple bring in $904 million in profit on revenue of $6.22 billion.
Don’t expect the iPod division to be shuttered just yet, however. Apple sold 10.2 million iPods, compared to 9.81 million in the last quarter and 8.73 million in the year-ago quarter. But the more interesting number is the iPhone, which sold 1,119,000 units during the quarter to bring the total sales to 1,389,000 (the discrepancy comes from the first 30 hours the iPhone was sold, which was at the end of the previous fiscal quarter).
Apple also noted that international sales accounted for 40 percent of the revenue for the quarter. Apple CFO Peter Oppenheimer said that Apple finished the fiscal year with $15.4 billion in cash and no debt, and expects revenue of about $9.2 billion for the first fiscal quarter of 2008.
Apple has announced that Orange, a brand of France Telecom, will be the exclusive carrier and distributor for iPhones sold in France. This came as little surprise, since France Telecom CEO Didier Lombard had said as much, unofficially, at a conference in September – a move that, according to industry sources, greatly upset Steve Jobs. With the official announcement, however, comes news of the price (399 euros, or roughly $565 – including 19.6% V.A.T. – for the 8 GB iPhone) and the release date (29-Nov-07).
The 399 euro price requires a “subscription to one of the dedicated rate plans,” though it was unclear from Orange’s Web site which of their existing plans, if any, will qualify. The iPhones sold via Orange for 399 euros will be locked to that carrier. However, French law contains several provisions that may make the situation more interesting for Apple and Orange. As I understand it – and I hasten to point out that I’m no expert – one rule is that any phone sold with a carrier lock must also be made available in an unlocked version (even if at a higher price). Another rule stipulates that a carrier must unlock a cell phone at the owner’s request – for a fee if within the first six months of a contract, and for free thereafter. So it appears as though legally unlocked iPhones will become available in late November – as long as you’re willing to pay a premium (and, if applicable, import your phone from France). In fact, an Orange spokesperson confirmed to the International Herald Tribune that Orange would be selling an unlocked iPhone at an unspecified higher price.
I’ll be watching the news on this topic carefully, as I continue to hope that Père Noël sees fit to put an iPhone in my stocking on Christmas (or even a bit early), preferably without committing me to monthly fees that will break the bank!
Steve Jobs has become rather chatty these days, the latest example of which is last week’s brief “letter” posted without a permanent link (but reproduced in “Steve Jobs’s iPhone SDK Letter,” 2007-10-17) in Apple’s Hot News section, in which the Apple CEO announced that a third-party software development kit (SDK) for the iPhone and the iPod touch will be released in February 2008. (See “Apple Nearing iPhone Third-Party Developer Announcement,” 2007-10-10, for our scoop on that front.)
A Short, Ambiguous History — While there was no consensus in the existing Mac developer community as to whether Apple would ever fully open up the iPhone platform for third-party applications – a view reinforced by Apple’s early reluctance to make any commitment – Jobs did state at the D: All Things Digital conference in May 2007 that Apple was looking into how to allow other software “later this year.” Daring Fireball covered the early statements’ progression from a not-quite-yes but not-quite-no to “later this year.” (Note: This paragraph progressed in its drafts from me writing that Jobs first said “no” and then later “absolutely” after I heard from some developers who pointed out it was more nuanced than that: Jobs and Apple were ambiguous and sometimes negative in January about third-party apps, and by May had changed their tune into a more positive, but not 100-percent affirmative message.)
At Apple’s Worldwide Developers Conference, we all freaked out briefly when it seemed like Jobs meant that the SDK would simply involve Web applications using AJAX, which would require a persistent Internet connection, and allow no two-way interaction with the underlying system beyond letting a Web page specify a phone number to call or map to display. (Wil Shipley of Delicious Monster wrote a great and slightly profane post on the matter in which he said no thanks to AJAX, but that he was willing to wait for Apple to build a real SDK, which he understood took some time.)
Jobs’s latest letter had a bit of the tone of, “Hey, you kids, get off my lawn! We still have to get rid of the gophers, re-sod the grass, and finish the main house before we let you on it in a few months, you little….” The statement emphasized the high level of risk for viruses and malware to spread among phones, and the widespread hallucination engaged in (or promoted by) the cell phone industry that such problems don’t already exist. Fair enough, although what he’s really saying is, “We’ve been too busy to work on the iPhone and Leopard at the same time; now we can focus on the iPhone again.”
Unmentioned in the letter was the issue of unlocking, although it’s a safe bet that Apple’s SDK won’t allow such behavior, and the cat-and-mouse game is undoubtedly still in play. In fact, it’s possible that Apple hopes to distract attention and resources from iPhone unlocking efforts by legitimizing third party application development. When no changes to the iPhone were allowed, developing a game for the iPhone was equally as “wrong” as unlocking the iPhone. Lumping the two types of hacking together may have encouraged people who wouldn’t think twice about installing a game to consider unlocking as well.
My prediction that Apple was nearing some kind of announcement must have stemmed from the company showing off or discussing with other parties the delay in the SDK and previewing what was to come. They must have spoken to a number of developers for me to have heard such a buzz last week, as Apple itself is so tight-lipped; none of what I was told came from inside Apple.
In talking about the virus risk and other issues, Jobs noted that Nokia had recently added digital signing to applications – the Symbian Signed program, after the dominant worldwide smartphone platform that Nokia is heavily invested in – that provides more certification and accountability for third-party software that runs on their mobile phones. He called that a “first step.” In my article on the SDK’s near-term announcement, I noted that there could be two levels of iPhone application certification requirements: a high level for access to the cell data network, and a lower level for applications that run entirely locally or use only Wi-Fi for communication.
Why February? Apple slipped the Leopard ship date to October 2007 because the company needed to shift resources from Leopard to the iPhone in order to ship the device on time (see “Leopard Pushed to October 2007,” 2007-04-16). Apple has repeatedly noted that the iPhone runs Mac OS X, a fact confirmed by all the hackers and crackers who installed software, unlocked the phone, and developed exploits. (An automated way to crack a current iPhone through a flaw in TIFF image display code has been written up by one of the developers of Metasploit, a framework for running and analyzing massive sets of attacks and inserting payloads. The TIFF flaw has been used to “jailbreak” the iPhone 1.1.1 software, and revert it to 1.0.2 software to restore functionality. Thanks to Rich Mogull for the Metasploit link.)
It appears, from what the hackers have discovered, that the iPhone currently runs a hybrid of Tiger and Leopard elements. As such, it makes no sense to release an SDK that uses at least parts of an operating system you’re about to deprecate in favor of a new one, especially one that has a better internal security model. In the original timing, perhaps Apple planned to ship Leopard, and have an iPhone version of Leopard ready to go for the iPhone launch in June 2007. I’ve heard nothing about that, but it might have been the case.
Here’s my view of the timeline: Leopard ships 26-Oct-07. Apple announces a new iPhone model (perhaps with 3G cell data support; see “3G Cell Data iPhone Now Feasible,” 2007-10-14) at Macworld Expo on 15-Jan-08. The new model ships along with an updated operating system that’s based entirely on Leopard; it’s made available to existing iPhone and iPod touch users as a software update by early February 2008. The iPhone SDK appears shortly thereafter.
In the meantime, it will be interesting to see what the iPhone hacking community does. I suspect they’ll continue to explore the innards of iPhone 1.1.1, both to bring back existing third party applications for the four months and to figure out how to unlock the iPhone again. The final reason hackers won’t just wait patiently until February? Because hacking the iPhone is a challenge.
Steve Jobs confirmed to the Wall Street Journal what Ars Technica reported earlier: iTunes Plus songs sold via the iTunes Store are now 99 cents, down from a typical $1.29. iTunes Plus songs are sold without digital rights management (DRM), which encrypts content for playback on specific devices in specific ways.
The impetus is likely the launch of the Amazon MP3 music store, which offers DRM-free music for 89 to 99 cents per track from both EMI, which Apple carries in DRM-free form, and Universal, which has declined to make such a deal with Apple (see “Amazon MP3 Takes on the iTunes Store,” 2007-09-25). Both stores include DRM-free music from many independent labels as well. iTunes Plus songs are encoded as 256 Kbps AAC files; Amazon’s music is all 256 Kbps MP3. iTunes has over 6 million songs; Amazon, over 2 million.
What’s not clear yet is whether it will still cost money to convert iTunes songs with DRM to iTunes Plus songs if the cost is the same; whether you’ll be refunded any previous upgrade fees for iTunes Plus (unlikely, in my view); and whether Apple will list iTunes songs with DRM alongside the same song without (also seemingly unlikely).
Apple has released Apple Remote Desktop Admin 3.2, adding compatibility with Mac OS X 10.5 Leopard and addressing a variety of bugs and minor usage issues that cause Apple to recommend the update to all users. In particular, reliability of Copy tasks has been improved; the Open Application task now works on Intel-based client Macs; resized Control/Observe windows now retain their dimensions; it’s now possible to type accented characters on European language keyboards; compatibility with third party VNC viewers and servers has been improved; screen sharing performance is improved over slower Internet connections; and overall performance has been improved with lists that contain a large number of client computers. It’s available via Software Update or as a 34.6 MB download. Although I had no trouble controlling a client running version 3.1 of the Apple Remote Desktop client software, version 3.2 is also available as a 4.1 MB download. Realistically, though, there’s no reason to download it in most situations; you can instead select the client computer within Apple Remote Desktop Admin, and then choose Manage > Upgrade Client Software to update to the latest.
Startly Technologies has released a free update to the long-standing automation utility QuicKeys X3, adding a few features, fixing some bugs, tweaking the interface, and most notably, providing compatibility with Mac OS X 10.5 Leopard. With low-level utilities like QuicKeys, older versions often don’t work well across major updates to Mac OS X, so any QuicKeys users planning to upgrade to Leopard should install this update first. Other improvements in QuicKeys X3 3.2 include the capability to hide QuicKeys from the Dock on Intel-based Macs, support for the new Apple aluminum keyboards, timeouts in Wait actions, the capability to run QuicKeys shortcuts from Automator, an option to display a more advanced or less advanced interface, and more. QuicKeys X3 3.2 requires Mac OS X 10.4 or later, and is a 12.3 MB download.
Everyone is familiar with basic PDF documents that show you onscreen the look of a document created in some other program. But some PDFs, such as our Take Control ebooks, go well beyond the basics to provide links out to Web-based resources and to other locations within each PDF. Our ebooks also contain the important Check for Updates link that gives readers access to minor update info and new versions, so I’ve learned over the years how people can have trouble following links due to confusion about how PDF-reading software works (and, arguably, poorly designed software; no one has problems clicking links in Safari).
So, if you’ve ever clicked a link and had nothing happen, been nagged incessantly by Adobe Reader, or just wished you could navigate back from an internal link via the keyboard, read on for three key link tips. There’s also a bonus tip at the end, if you’re annoyed that your Mac forces you to use Adobe Reader instead of Preview for double-clicked PDFs, or vice-versa.
In all cases, these tips apply to the version of Preview that comes with Mac OS X 10.4 Tiger, Adobe Reader 8, and Adobe Acrobat Professional 8. Older versions of Adobe’s programs work similarly, but may differ slightly in the menu locations and command names.
Tip #1: Use the Right Tool — In PDF-reading software, if you click a link, but don’t have the right tool selected, the link won’t work. This is like trying to draw a square in a drawing program with a move-object tool selected – the program simply won’t let you draw a square, though it will let you move one.
So, if you are using Apple’s Preview, make sure the toolbar is showing (View > Toolbar) and then notice the Tool Mode set of buttons at the right. To be able to click a link and have it work, select either of the tools on the left of that set, the Scroll tool or the Text tool. You can also choose Tools > Scroll Tool (Command-1) or Tools > Text Tool (Command-2).
In Preview, users frequently end up with the wrong tool selected, but it seems to be less common in Adobe Reader and Acrobat Professional. However, if it happens to you in either of these programs, select the Hand tool, which looks like a waving hand. The Hand tool lives in the Select & Zoom toolbar. To view that toolbar, choose View > Toolbars > Select & Zoom. If the Hand tool is missing from the toolbar, choose Tools > Customize Toolbars, scroll down a bit to find the Select & Zoom Toolbar category, check the box for the Hand tool, and click OK. You can also just choose Tools > Select & Zoom > Hand Tool. Once the Hand tool is selected, you should be able to click links.
Tip #2: Make Acrobat Less Suspicious — Just being able to click links in Adobe Reader or Acrobat Professional may not be sufficient. Both programs may throw an alert dialog at you every time you click a Web link, giving you the destination URL and saying something along the lines of “If you trust the site, choose Allow. If you do not trust the site, choose Block.”
Speaking as the mother of an eight-year-old, hearing the same question over and over again drives me absolutely batty. If your tolerance for mindless repetition isn’t any higher than mine, the good news is that you can turn this annoying alert off. From the application menu, choose Preferences and select the Trust Manager category. Click the Change Settings button in the middle of the screen. Select “Allow all web sites” and click OK.
If you’re having the constant query problem with your small child, my apologies, but I haven’t been able to find the appropriate option to disable the questions.
Tip #3: Use Keyboard Shortcuts — For links that are internal to a PDF – that is, links that take you to another page within the same PDF – you may wish to follow a link, but then quickly return to where you were. Simply press Command-[ if you are in Preview, or Command-Left arrow if you are in Adobe Reader or Acrobat Professional. Wire these shortcuts into your nervous system and you can hop back and forth between sections with ease without straining your brain.
Bonus Tip — That’s it for my tips about links, but here’s one more PDF-related trick that you might find useful for PDFs on your hard disk. Maybe you prefer Preview to Adobe Reader because it launches faster and renders PDFs better on the screen, or perhaps you like Adobe Reader better because it handles complex PDFs with movies and sound better. Whatever your preference, you can change which PDF reader opens your PDFs by default. To make the switch, in the Finder, select a PDF and press Command-I to open the Get Info window. Click the Open With triangle to open that panel if necessary, choose your favorite PDF-reading software from the pop-up menu, and then click Change All.
As Adam and numerous other Mac pundits speculated last week (see “Leopard Slated for October 26th?,” 2007-10-04), Apple has announced that it will indeed ship Mac OS X 10.5 Leopard on Friday, 26-Oct-07. The online Apple Store now accepts Leopard pre-orders, with an estimated delivery date of 26-Oct-07. As was the case with the Tiger and Panther releases, Leopard will go on sale at Apple Stores at 6:00 PM local time.
The cost will be, as usual, $129 for a single-user license or $199 for a five-user family pack, although lower prices are available from resellers like Amazon.com and Small Dog Electronics. Some Macs that are delivered on or after October 26th will either have Leopard installed or include a Leopard installer disc, Apple said. Anyone who purchased a new Mac on or after 01-Oct-07 is eligible for the Mac OS Up-to-Date package, which provides a copy of Leopard for a shipping and handling fee of $9.95. For those of us with older machines, Leopard requires a Mac with at least an 867 MHz PowerPC G4, or any PowerPC G5 or Intel processor, and at least 512 MB of RAM (but we always recommend more RAM than that).
In a briefing with Apple, Glenn clarified the policies around how the Boot Camp beta for Tiger will continue to work after Leopard is released. Brian Croll, Apple’s senior director of Mac OS X product marketing, said that there’s a distinction between the Boot Camp Assistant, the software that sets up an appropriate partition and handles the Windows operating system installation, and the partition that’s been created with that software.
The Boot Camp Assistant beta release for Tiger will stop working after 31-Dec-07, Croll said. However, any partition created with the beta will continue to work indefinitely. And those partitions can be managed by Leopard’s Boot Camp Assistant software.
Apple also announced that Mac OS X Server 10.5 Leopard will go on sale on 26-Oct-07 too, at the same time as the desktop version of the operating system. As with previous versions, a 10-client edition of Leopard Server costs $499 and an unlimited-client version costs $999. Those who purchased a qualifying Xserve after 01-Oct-07 are eligible for the $9.95 Mac OS Up-to-Date package. Leopard Server has the same processor requirements as the desktop version, but also requires at least 1 GB of RAM and 20 GB of free disk space.
This is the first release of Mac OS X that’s not available in any form on CD, as all consumer-class computers that are capable of running Leopard also have at least a Combo Drive (DVD reading plus CD writing). Some Xserve models can run Mac OS X Server 10.5 but have only a CD-ROM drive; for such machines, you can perform a network installation using another computer running Leopard Server, or put the computer into Target Disk Mode and install Leopard Server from another computer that has a DVD reader.
Joe has already put these system requirements into his “Take Control of Upgrading to Leopard: Early Bird Edition” ebook, which you can purchase now to start preparing for your upgrade to Leopard. Early-bird buyers get a free upgrade on October 26th to the full release edition of the book. (Glenn’s “Take Control of Sharing Files in Leopard” will come on the heels of the release; you can pre-order it and three other Take Control titles for Leopard now – Users & Accounts, Customizing, and Fonts – or pre-order all five at a discount.)
Before we go any further, may I say that I’ve been giving the Big Cat nomenclature problem some serious thought – Jaguar, Tiger, Leopard, how long can this go on? Well, I’ve discovered that there are a whole bunch of African feline species I’d never even heard of, such as the Caracal and the Serval. So at the current rate of development, this should carry Apple forward for at least another decade – by which time, if present trends are any indication, further species will have been discovered (or they’ll all be extinct, one or the other).
Okay, to business. Apple has finally locked down the ship date for Leopard (just as Adam predicted in “It’s Official: Leopard Ships on October 26th, 2007,” 2007-10-16), and posted its list of over 300 new features. Now, I’m still under a non-disclosure agreement that says I can’t talk about anything Apple hasn’t told you. But since Apple has told you about the 300 features, I can talk about them. I can’t add any new information, of course; but I can tell you how I feel about them (Apple doesn’t own my feelings, as far as I can tell). Here, then, are my favorite (and least favorite) new Leopard features.
Let me start with the bad news – what I don’t like. There is just one thing, really, but it’s quite a big thing, namely: the Desktop’s new look.
It’s like the emperor’s new clothes. A menu bar that’s hard to read because what’s behind it shows through? Why is that a good idea? And stacks in the Dock are a solution in search of a non-existent problem; the way folders behave in the Dock now (just click and the folder opens, click and hold to see a hierarchical menu of the folder’s contents) is great and doesn’t deserve to change. Not to mention the whole distracting silly way the Dock is now being drawn. I already dislike the Dock and do all I can to keep it hidden all the time; in Leopard, I’ll have twice as much reason to do so. The new Finder window sidebar is awful too; you can see in Apple’s own screen shot that the icons and text are tiny and all the colors are converging on
Now that I’ve got that off my chest, here are the new features I like the most. I’m not saying there aren’t other cool new features, especially within individual Apple applications; but these are the features to which I truly look forward, the ones that actually make me eager to start using Leopard:
- Spaces. It’s fun. It’s easy. It works. I’m going to use it! Spaces will genuinely help me handle the clutter when I’m working in multiple applications with lots of windows open. Unfortunately, Apple’s Web page on the topic doesn’t do it justice – and I can’t describe it for you, because I can’t say anything they don’t say.
- Time Machine. Okay, maybe it’s not as powerful as whatever super-snazzy network-based case-hardened backup system you’re using at the office. But Time Machine is a great idea: simple, automatic backup that takes away all excuse for not being able to find some file you threw away two hours ago, or for not having an extra copy when something goes wrong. Even more important, if I screw things up really badly, I can restore the whole computer to a previously saved state. It really is a time machine! I can already feel my hair returning.
- The Path Bar. It shows you where you are in the Finder, at any given moment. Simple, elegant, obvious, and we should have had this years ago. Yes, I know you can Command-click the title bar to get the same information; but my mom, and a lot of other users, do not know this.
- Quick Look and Cover Flow. Together, these offer file previews on steroids. They’re utterly silly (“waste cycles drawing trendy animated junk” was my first thought) until you need them, and then they are just terrific. Being able to flip through a bunch of music or photo files looking for the right one, right in the Finder without starting up any other application, is really great.
- Spotlight, Spotlight everywhere. Unfortunately, Apple doesn’t mention what I think is the most important change to Spotlight, so I’m not allowed to tell you what it is. Suffice it to say that previously I didn’t like Spotlight very much, and now I do, so obviously they must have changed the thing about it that I didn’t like, right? Plus, I will now be able to search the past! With Safari, I can search for Web pages I’ve viewed, using whatever text within those pages I happen to remember. With Time Machine, I can search for files that no longer exist. Now if I can just find that $20 bill I had a week ago.
- Share and share alike. The new easy built-in screen sharing, and the new easy way of sharing specific folders, are going to be a boon for me in my ordinary home-networked, multi-computer environment. I also look forward to being able to view someone’s desktop through iChat. Plus there’s now a built-in Guest account that’s automatically purged when the user logs out, making it safe and easy for me to share my computer as well.
- Mail turns into a powerhouse. RSS, to-do items, and miscellaneous notes are now incorporated right into Mail. No need to switch to iPhoto to find a picture and add it to a message. Easy mailbox archiving. I’ve switched mail clients several times in the past, and these improvements might be enough to get me to switch once again – to Apple’s own Mail application.
- Improvements to AppleScript, Automator, and Xcode. Okay, these are totally nerdy, and they won’t matter one whit to you if you’re not a programmer at some level. But as you probably know, I wrote a book about AppleScript, with some mention of Automator and Xcode; and I’ve done some work with Xcode and Objective-C, such as my popular free utilities NotLight and MemoryStick. So, Nerds ‘R Us! A truly Unicode-savvy AppleScript will end a text-handling nightmare that’s been with us since the dawn of Mac OS X. Automator’s new “Watch Me Do” feature is like making your mouse-clicks recordable. And there are lots of other toys, such as improved design, editing, debugging, and analysis tools, that will make any Xcode developer drool.
In just a few days all these improvements will be mine. (Rubs hands with evident glee.) Oh, and did I mention that instructions on using some of these features (and more) will be in my forthcoming “Take Control of Customizing Leopard” ebook? You can’t have a copy yet, since Apple would have my head for revealing cool stuff ahead of time, but you can pre-order it now (and then download the full version as soon as Leopard becomes available).
With the release last week of the feature list for Mac OS X 10.5 Leopard, the security world is buzzing about some extremely important updates that should, if they work as expected, significantly improve Mac security and will make me less nervous about connecting to wireless networks in Internet cafes.
Time Machine — Before we dig into Leopard’s advanced anti-exploitation technologies, we need to start with the biggest security feature that’s not listed with the rest: Time Machine. Information security is based on the principles of CIA. No, not the Central Intelligence Agency or the Culinary Institute of America. In the security world, CIA stands for Confidentiality, Integrity, and Availability. While we tend to focus on keeping people from seeing things we don’t want them to see (confidentiality) and changing things we don’t want changed (integrity), having our data and systems available to us is just as important.
With Time Machine making it easier to back up for all users, especially individuals not already protected by some corporate backup system, Apple is doing more to improve security than any upgrades to firewalls or Safari ever could. If you want to improve your security, I highly recommend you get an external hard drive with your copy of Leopard (Adam tells me that “Take Control of Customizing Leopard” will offer basic help for Time Machine, and a future edition of “Take Control of Mac OS X Backups” will provide even more detail). My backups have saved me three times already this year, and I’m excited that I can finally make backups more accessible to my mother and sister.
Stopping Buffer Overflows — The most significant security update in Leopard is one that you’ll never notice, but that will cause the bad guys no end of frustration. It’s an anti-exploitation technology Apple calls Library Randomization (also known generically as Memory Randomization and as Address Space Layout Randomization in Windows Vista). To understand Library Randomization we need to talk about vulnerabilities, exploits, and buffer overflows.
Buffer overflows are the class of vulnerability that is responsible for most of the successful attacks on computers today. Most malicious programs (worms and viruses) rely on buffer overflows to take control of your system. In security, we define a vulnerability as a flaw or defect that could allow someone to violate confidentiality, integrity, or availability. Think of it as a weak lock or a broken window the bad guy can use to get in. Buffer overflows are a vulnerability where an attacker enters more data into an input than expected; if the programmer who wrote the software forgot to limit that input field, the data can flow past the expected limit and overwrite other parts of memory. Since memory on most of our computers is just a big stack of commands mixed with data, if you know exactly how much extra data to put in, you can trick the computer into running an arbitrary command by overwriting a spot where it expects a legitimate instruction with your new instruction.
You might be asking yourself why programmers don’t just cap any program input to prevent buffer overflows. Why not just limit all those fields so this can’t happen? I often ask myself the same question, but modern computing systems are so complex, with so much reused code, that it isn’t that simple. For example, the iPhone 1.1.1 software was cracked because it used some common code (the libtiff library) for reading TIFF image files. That code had a buffer overflow vulnerability in it, allowing hackers to create special TIFF files that let them take over the iPhone. This is what we call an exploit – when you can take advantage of a vulnerability and actually do something with it.
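The missing limit described above, and the check that supplies it, as an added C example (not code from the article, from libtiff, or from Apple): a constructed length-prefixed record whose declared length is copied unchecked in parse_unchecked and validated in parse_checked. The record layout, the names, and the sample bytes are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (not a real file format):
 *   bytes 0-1  length of the name field, big-endian, as declared by the input
 *   bytes 2-   the name bytes themselves                                     */
struct record {
    char     name[16];  /* fixed-size destination buffer */
    uint32_t flags;     /* adjacent data that an over-long copy would overwrite */
};

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_TOO_LONG };

/* "Before": the copy length comes straight from the input, so a declared
 * length above 16 writes past name[] into whatever follows it. */
void parse_unchecked(struct record *out, const uint8_t *in, size_t in_len)
{
    size_t declared = ((size_t)in[0] << 8) | in[1];
    (void)in_len;                          /* never consulted: that is the bug */
    memcpy(out->name, in + 2, declared);
}

/* "After": the declared length is checked against both the bytes actually
 * supplied and the room in the destination before anything is copied. */
enum parse_status parse_checked(struct record *out, const uint8_t *in, size_t in_len)
{
    if (in_len < 2)
        return PARSE_TRUNCATED;            /* no complete length header */
    size_t declared = ((size_t)in[0] << 8) | in[1];
    if (declared > in_len - 2)
        return PARSE_TRUNCATED;            /* claims more bytes than were sent */
    if (declared >= sizeof out->name)
        return PARSE_TOO_LONG;             /* must leave room for the NUL */
    memcpy(out->name, in + 2, declared);
    out->name[declared] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    const uint8_t ok[]  = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t lie[] = { 0x00, 0x10, 'x' };   /* declares 16, carries 1 */
    uint8_t big[2 + 32] = { 0x00, 0x20 };        /* declares 32 > buffer   */
    memset(big + 2, 'A', 32);

    struct record r = { "", 0xA5A5A5A5u };
    printf("ok:  %d\n", parse_checked(&r, ok, sizeof ok));
    printf("lie: %d\n", parse_checked(&r, lie, sizeof lie));
    printf("big: %d\n", parse_checked(&r, big, sizeof big));
    printf("name=%s flags=%08x (unchanged)\n", r.name, (unsigned)r.flags);
    return 0;
}
```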
As an aside, buffer overflows first appeared around 1988 and were used in the very first Internet worm – the Morris worm. In 1996 an exceptional paper was published detailing how to exploit buffer overflows.
This is where Library Randomization comes in. Pushing those bad commands onto the stack is more complex than saying, “Open sesame!”. The attacker is attempting to subvert the guts of the operating system and has to play around with memory directly and point to different instructions in different parts of memory to get the computer to fail in a useful way. Until recently, most operating systems stored their own internal commands in known, static locations in memory. Thus the attacker could just point to those commands with his malicious instructions, and use the tools of the operating system itself to take over. Library Randomization randomly distributes those commands throughout memory every time the operating system loads. Thus, even if an attacker finds a buffer overflow vulnerability and pushes his commands onto your system, it’s extremely difficult for him to turn that into a working exploit.
That’s why we call Library Randomization an anti-exploitation technology – even when the bad guys find vulnerabilities (and they will) it will be much harder for them to exploit your system. This is a big move, since instead of relying on programmers to write perfect code, Apple – following the lead of Microsoft and some Unix/Linux variants – is hardening the operating system to make exploitation itself more difficult. Apple actually started down this road with Mac OS X 10.4.7 when they enabled Data Execution Protection, a feature available on some processors to let programmers mark memory locations as data only, limiting the ability of an attacker to push a command in.
I’m sure security researchers will eventually figure out a way around it, but early signs from other operating systems indicate that Library Randomization is a serious obstacle for an entire class of attacks. I’ve spent a lot of time on Library Randomization because, following Time Machine, it’s probably the most significant security update in Leopard, but those two are far from the only improvements.
Identifying and Defanging Evil Apps — As firewalls become more ubiquitous it’s becoming harder for bad guys to attack computers directly over the network. Many are switching over to what we call client-side exploits – getting malicious code onto your system via malicious email, Web pages, and file downloads. While Apple can’t prevent people from downloading dangerous stuff, Leopard has a new feature to tag downloaded applications as coming off the Internet.
The first time you run a downloaded application, your Mac will ask you to approve it and tell you when it was downloaded, what application downloaded it, and where it came from. This is another great feature that should help limit malicious software from downloading and executing programs without your knowledge. The one potential weakness I see is this warning could be used to trick you into visiting a malicious Web site, and I hope Apple is taking that into account.
Apple has also added application signing. Apple, and any developer that wants to participate, can affix a digital signature to their applications. Digital signatures are valuable because they certify both where an application came from and, more importantly, that it hasn’t been modified. If a bad guy tries to subvert a signed application on your system, the modified application will no longer match its signature, and Mac OS X won’t allow it to launch.
Leopard’s next important feature is “sandboxing.” Sandboxing is a technique of restricting specific applications so they can’t perform certain kinds of actions, like limiting the files they can touch, the other applications with which they can communicate, or what they can do on the network. Some applications will always be at a higher risk than others for compromise, and sandboxing helps prevent those applications from being used to take over other parts of your system. The Leopard Web site lists Bonjour, Spotlight, and Quick Look as being sandboxed. This is interesting because those are all services that look at arbitrary files or network packets, making them more vulnerable to a popular type of attack called fuzzing, where the attacker plays with input (like files and network packets) using automatic tools, looking for a data stream that will choke the recipient service. The infamous Wi-Fi hack (see the TidBITS series “To the Maynor Born: Cache and Crash”) was discovered using fuzzing, as were most of the bugs in the Month of Apple Bugs (see “MoAB Is My Washpot,” 2007-02-19). I’ll be curious to see the entire list of sandboxed applications, and if Safari and QuickTime are included since they are also exposed to this type of attack.
Other Notable Improvements — While perhaps not as significant as the updates we’ve already talked about, Leopard also includes a bunch of other security improvements. The Mac OS X firewall, based on the open source ipfw program, has been improved and now includes the capability to block network access to individual applications. I’ve heard rumors that Apple’s default firewall rules are no longer user accessible, which would be a major step backwards, but letting the firewall control individual applications is a long-desired feature for us security geeks.
The Keychain has been enhanced to manage multiple user certificates for email encryption and digital signatures better, which will be welcome for those of us with multiple email accounts. Encrypted disk images now use 256-bit keys instead of 128-bit keys (much more than twice as strong), and although I don’t know anyone who can break a 128-bit key, thanks to the way AES functions, performance should be essentially unaffected.
A few changes help improve compatibility for those of us using Macs in corporate environments. Native VPN support has been updated, and Windows SMB packet signing is now available, to provide compatibility with encrypting Windows file servers. Apple also enhanced file sharing with more granular access control lists, enabling more control over who can access your shared files. (Glenn Fleishman’s “Take Control of Sharing Files in Leopard” has all the details there.) While useful in any environment, I suspect some of these improvements were added to help with sharing in corporate environments and to complement the access controls in Windows environments.
Apple hid a few security features in other parts of Leopard. One I’m really looking forward to is the guest account that purges itself entirely after the guest user logs out (for details, check out Kirk McElhearn’s “Take Control of Users & Accounts in Leopard”). While I don’t let many people touch my MacBook Pro, there are occasions when I want to allow temporary access so someone can copy a file from me, check email or look something up online. A temporary guest account is a great way to enable this safely and without leaving even a trace on my Mac afterwards.
We’ll also now get to see the encryption status of wireless networks right from the menu bar, so you can avoid even bothering to connect to protected networks. Those of you with kids gain improved parental controls that include Web filters, activity monitoring, and even a built-in filter for Wikipedia. Finally, with the inclusion of DTrace and a new instrumentation interface, we security geeks can really dig into the system internals and see what’s going on. I expect to see more than a few security tools that take advantage of this capability.
One open question I’ll be checking the moment my copy of Leopard arrives is whether Input Managers are still part of Leopard. Input Managers are a valuable feature to enhance applications, but they are also unfortunately a serious security risk (see Matt Neuburg’s discussion of this in “Are Input Managers the Work of the Devil?,” 2006-02-20). Apple has hinted that Input Managers might be restricted in Leopard, and despite the cries from some in the development community, I believe Input Managers need to be changed to improve our security or eliminated altogether.
Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X – perhaps in the history of Apple – from a security standpoint. It marks a shift from basing Macintosh security on hard outside walls to building more resiliency and survivability into the core operating system. We still need to see how these features hold up once security researchers get their hands on them, but the security future looks promising and I’ll sleep better at night knowing my mother can still safely bank online.
[Rich Mogull currently works as an independent security consultant and writer through Securosis.com after having spent seven years as an analyst with Gartner.]
[With the word on the Web being that Mac OS X 10.5 Leopard doesn’t support the Classic environment, we asked Sharon Zardetto, author of three Take Control titles about fonts, including the soon-to-be-released “Take Control of Fonts in Leopard,” to give TidBITS readers the low-down on how to make sure old font suitcases from Classic are successfully packed for their trip to the future with Leopard. -Tonya]
If you’re planning to upgrade to Leopard but are still hanging on to the Classic environment, it’s probably time to let go: reports indicate that Leopard won’t let you run it, even on a PowerPC-based Mac (Intel-based Macs can’t run Classic even under Tiger). But before you go bravely out into the Leopard world, take stock of your fonts – because if you have old ones hanging around, this could be your last chance to straighten out your font suitcase files for free, using Apple’s ancient Font/DA Mover utility, which you can still run under Classic.
Two types of font files that predate Mac OS X are still totally useable, but possibly prone to problems: Mac TrueType suitcases and PostScript Type 1 suitcase files (the “screen font” companion files to the “printer font” files). Both of these suitcase-type files have icons that are stamped FFIL and are identified as “Font Suitcase” as their Kind in the Finder.
These elderly font files might have inherent internal problems (for the most part, those can be identified, although not fixed, by Font Book’s automatic validation process), but the problems I’m referring to here are user-introduced ones.
- Limited to a single type of font. An older suitcase might contain both Mac TrueType and older bitmapped fonts; you should have the TrueType fonts alone in one suitcase, and the bitmapped fonts alone in another if they’re serving as the companions for PostScript Type 1 fonts.
- Confined to a single font family, but with all its faces. Wolfson, Wolfson Bold, Wolfson Italic, and Wolfson Bold Italic all go in one suitcase; Wolfson Gothic is a different family and goes in a different suitcase file.
- Named for the font family within. Don’t succumb to “MyFavorites” because that’s just not helpful, even if your taste won’t ever change.
In addition, although pre-Mac OS X systems allowed “loose,” non-suitcased font files (a single TrueType face, for instance), Mac OS X can’t use that kind of file, and it must be put into a suitcase.
If you remember the ease with which you could manipulate fonts and suitcases under Mac OS 9, you’ll be disappointed that you can’t do that under Classic – because Classic isn’t really an operating system, it just pretends to be under pre-Leopard systems. But what you can do is download Font/DA Mover 4.1, last updated for System 6 (no, that’s not a typo!) and run that under Classic to clean up your old suitcase files.
Sometimes you just have to go back before you can go forward.
If You Don’t Have Classic Already — If you don’t have the option of working under Classic, you needn’t scrap your old suitcase files. Two utilities that run under Tiger – Smasher ($50) and FontDoctor ($70) – let you manipulate suitcases, and they will, presumably, be updated for Leopard. Both are quite pricey if all you need to do is shuffle suitcase contents. FontDoctor, which is available as a standalone program or with the font manager Suitcase Fusion ($100), also fixes corrupt font
If you’re excited about Mac OS X 10.5 Leopard, now scheduled for release on 26-Oct-07, make sure you’re ready to upgrade with the early-bird edition of “Take Control of Upgrading to Leopard.” This 60-page ebook not only walks you through the prep steps that help guarantee a trouble-free Leopard installation, it also comes with a free, instant-download upgrade to the 124-page full edition of the ebook, which will offer detailed advice on every aspect of installation, based on countless hours of meticulous research by Joe Kissell. In particular, the early-bird edition helps you evaluate if your current Mac will run Leopard well, how to make an appropriate backup in case of installation problems, smart ways to clear disk clutter and unnecessary files, and whether you should rethink your partitioning scheme. The full version will be available as soon as Apple begins shipping Leopard; see the FAQ at the link above for details.
But there’s more! You can save 25 percent if you pre-order “Take Control of Customizing Leopard” along with buying the early-bird edition of “Take Control of Upgrading to Leopard.” In this title, Matt Neuburg helps you customize your new installation, with a special emphasis on new tweaks to old features and on helping you start using new features, such as Spaces and Time Machine. We can’t say much about Leopard until our non-disclosure agreement is lifted, but we plan to make the full ebook available to those who pre-order via our Check for Updates mechanism as soon as Apple begins selling Leopard.
For those of you who want to learn all about Leopard, we recommend our “I Love Leopard” bundle, which saves you 30 percent and includes the above-mentioned two titles; it also includes three more “Take Control of… in Leopard” pre-release titles: Sharing Files, Fonts, and Users & Accounts. We expect to ship these three additional titles at the same time as (or very shortly after) Leopard’s release. You’ll find the “I Love Leopard” bundle on the left side of both the “Upgrading” and the “Customizing” Web pages.
Owners of previous “Take Control of Upgrading to…” and “Take Control of Customizing…” ebooks can take advantage of a discounted price on these titles; click the Check for Updates button in your ebook to access the offer, or send us email if your ebook is too old to have a Check for Updates button. However, note that buying either of our bundles gives you a better discount than upgrading each title individually.
.Mac Renewal Requires Unnecessary Credit Card Entry — Adam found that his .Mac renewal required a credit card number, but others have been able to renew without that step. (2 messages)
What’s special about hybrid hard drives? Last week’s article about new Seagate hybrid hard drives being incompatible with Macs brings up the question: what’s the big deal? The drives include extra flash memory, but why not just use the Mac’s RAM? (4 messages)
3G Cell Data iPhone Now Feasible — The technology to add 3G data networking to the iPhone exists, but is it far enough along to be incorporated into the next versions of the iPhone? (3 messages)
New Language Features in Leopard — The list of new features in Mac OS X 10.5 looks promising for those hoping for broader language support in the operating system. (2 messages)
It’s Official: Leopard Ships on October 26th, 2007 — With news of Leopard’s ship date, readers talk about the particulars of the 5-license Family Pack and a smaller educational discount than previous versions. (9 messages)
The Best (and Worst) of Leopard — Matt Neuburg’s article about new Leopard features brings up questions of specific feature improvements, as well as discussion of system performance. (7 messages)
recommendation: fulfillment service for $1-5 digital downloads? Do such companies exist, or are major players such as PayPal and Google (and Yahoo and eSellerate and Kagi and…) still the best options? (5 messages)
French in Leopard — Is French (and other languages) getting reduced support in Leopard, despite the increase in other language-related features? (4 messages)
Appleworks Crashes… — There will come a point when discontinued software ceases to work. But we’re not quite there yet. (4 messages)
Apple Goes with Orange — The lack of specific pricing data from Orange and Apple regarding the introduction of the iPhone in France is – how do you say it? – unfortunate. (6 messages)
How do time zones affect Take Control of Leopard books? Mac OS X 10.5 is due to be released at 6:00 PM “local time” on Friday, which is when the Leopard Take Control titles will also be released. But how is that related to time zones around the world? (1 message)
Apple Cuts iTunes Plus Price to 99 Cents — Apple cut the iTunes Plus price not only throughout the iTunes Store in the United States, but also in international iTunes Stores. (2 messages)
ODF from Apple? With AppleWorks now at the end of its life, users may be left with thousands of files in the AppleWorks formats. Would Apple consider adopting the OpenDoc format for compatibility? (1 message)