12 June 2007
8 June 2007
Boot Camp 1.3 beta
Changes in Boot Camp 1.3 beta
Boot Camp 1.3 beta contains several updates and is intended for all new and previous Boot Camp beta users.
Boot Camp 1.3 beta includes:
Support for keyboard backlighting (MacBook Pro only)
Apple Remote pairing
Updated graphics drivers
Improved Boot Camp driver installer
Improved international keyboard support
Localization fixes
Updated Windows Help for Boot Camp
25 May 2007
Apple Security Update 2007-005
Security Update 2007-005
Alias Manager
CVE-ID: CVE-2007-0740
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Users may be misled into opening a substituted file
Description: In certain circumstances, an implementation issue in Alias Manager will not show identically-named files contained in identically-named mounted disk images. By enticing a user to mount two identically-named disk images, an attacker could mislead the user into opening a malicious program. This update addresses the issue by performing additional validation of mountpaths. Credit to Greg Bolsinga of Blurb, Inc. for reporting this issue.
BIND
CVE-ID: CVE-2007-0493, CVE-2007-0494, CVE-2006-4095, CVE-2006-4096
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Multiple vulnerabilities in BIND, the most serious of which is remote denial of service
Description: BIND is updated to version 9.3.4. Further information is available via the ISC web site at http://www.isc.org/index.pl?/sw/bind/
CoreGraphics
CVE-ID: CVE-2007-0750
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow vulnerability exists in the handling of PDF files. By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PDF files. This issue does not affect systems prior to Mac OS X v10.4.
crontabs
CVE-ID: CVE-2007-0751
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: The daily /tmp cleanup script may lead to a denial of service
Description: Filesystems mounted in the /tmp directory may be deleted when the daily cleanup script is executed, which may lead to a denial of service. This update addresses the issues by updating the daily cleanup script to prevent find commands from descending into mounted filesystems.
fetchmail
CVE-ID: CVE-2007-1558
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: fetchmail password disclosure may be possible
Description: fetchmail is updated to version 6.3.8 to address a cryptographic weakness that could lead to the disclosure of fetchmail passwords. Further information is available via the fetchmail web site at http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
file
CVE-ID: CVE-2007-1536
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Running the file command on a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow vulnerability exists in the file command line tool, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of files that are passed to the file command.
iChat
CVE-ID: CVE-2007-2390
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in iChat. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets in iChat.
mDNSResponder
CVE-ID: CVE-2007-2386
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution
Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.
PPP
CVE-ID: CVE-2007-0752
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: An implementation issue exists in the PPP daemon when loading plugins via the command line, which allows a local user to obtain system privileges. This update addresses the issue through validation of user privileges. This issue does not affect systems prior to Mac OS X v10.4. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.
ruby
CVE-ID: CVE-2006-5467, CVE-2006-6303
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Denial of service vulnerabilities in the Ruby CGI library
Description: Multiple denial of service issues exist in the Ruby CGI library. By sending maliciously crafted HTTP requests to a web application using cgi.rb, an attacker could trigger an issue which may lead to a denial of service. This update addresses the issues by applying the Ruby patches.
screen
CVE-ID: CVE-2006-4573
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Multiple denial of service vulnerabilities in GNU Screen
Description: The screen command line tool is updated to address multiple denial of service vulnerabilities. Further information is available via the GNU web site at http://lists.gnu.org/archive/html/screen-users/2006-10/msg00028.html
texinfo
CVE-ID: CVE-2005-3011
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A vulnerability in texinfo may allow arbitrary files to be overwritten
Description: A file handling issue exists in texinfo, which may allow a local user to create or overwrite files with the privileges of the user running texinfo. This update addresses the issue through improved handling of temporary files.
VPN
CVE-ID: CVE-2007-0753
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: A format string vulnerability exists in vpnd. By running the vpnd command with maliciously crafted arguments, a local user can trigger the vulnerability which may lead to arbitrary code execution with system privileges. This update addresses the issue by performing additional validation of the arguments passed to vpnd. Credit to Chris Anley of NGSSoftware for reporting this issue.
2 May 2007
Flickr Uploadr for Mac OS X update
Flickr Uploadr for Mac OS X 10.3 or higher
Version 2.3 released 1 May 2007. This is an important upgrade which is a Universal Binary application, replacing the previous PPC version. This release has options to set your uploaded images based on content filters and also has some changes that make Uploadr start up faster than before.
Uploading with the old version kept running into problems; after waiting a long, long time, there is finally a new version...
27 April 2007
OpenSUSE drops ZENworks, opens YAST
Seen on DesktopLinux: OpenSUSE drops ZENworks, opens YAST
ZENworks may be a fine tool, but it is not necessarily suited to "personal" users, and can even cause trouble.
So it was only a matter of time before OpenSUSE dropped it.
It is the same story as RHEL and Fedora: one uses up2date and the other uses yum.
The back end of up2date is Satellite Server, which can be used to manage and deploy package management, updates, status monitoring and so on for all clients (RHELs).
For someone who routinely has to manage n machines (like me), that is very useful, but for someone with only one or two machines it is not necessarily convenient.
Novell's ZENworks is more like Satellite Server; handing it to ordinary users just produced a chorus of complaints.
So splitting them apart is for the best...
20 April 2007
Apple Security Update 2007-004
All users are advised to install Security Update 2007-004, which improves security in the following components:
AFP Client
AirPort
CarbonCore
diskdev_cmds
fetchmail
ftpd
gnutar
Help Viewer
HID Family
Installer
Kerberos
Libinfo
Login Window
network_cmds
SMB
System Configuration
URLMount
Video Conference
WebDAV
For details on this update, visit:
http://docs.info.apple.com/article.html?artnum=61798-yh.
19 April 2007
Parallels Desktop vs VMware Fusion
After using Parallels Desktop for a while, my frustration with it finally led me to remove it from my MacBook today.
In its place is VMware Fusion beta 3.
Parallels Desktop changed who knows what, and now my Windows will not even boot.
In the end, I had no choice but to wipe the Boot Camp partition and start over.
Not wanting to use Parallels Desktop anymore, I tried VMware Fusion, and the result left me very satisfied.
As for system load:
While running Parallels Desktop, it ate up a huge amount of system resources, and for several minutes my Mac OS could not move at all... XD
That is intolerable.
After switching to VMware Fusion there is no impact at all, and the system is much more stable.
Also, with VMware Fusion everything is smooth, with no delays or the like.
Parallels Desktop's Coherence is cool, but not practical.
As this post says:
http://www.algorithm.com.au/blog/files/vmware-fusion-beta-3-vs-parallels.html
10 April 2007
MacFUSE and MacDrive
Since switching to a MacBook, I have used Boot Camp to install Windows.
So under Mac OS X I need to read and write NTFS (FAT32 is terrible, and does not support files larger than 2G).
My external drives all use the HFS+ file system, so under Windows I also need to read and write HFS+.
1. MacFUSE + NTFS-3G:
Used to solve the need to "write" to NTFS under Mac OS X.
An open-source project, and free.
Required files:
Go to http://code.google.com/p/macfuse/downloads/list
Download MacFUSE-Core-0.2.x.dmg and install it.
SpotlightFS-0.1.0.dmg and sshfs-0.1.0.dmg are optional, depending on your needs.
Then go to http://shadowofged.blogspot.com/2007/03/ntfs-3g-for-mac-os-x.html
Download NTFS-3G for Mac OS X; download both NTFS-3G and MacFUSE Tools directly (both will be used).
After installing them in order and rebooting, nothing more needs to be done; the system automatically mounts NTFS with NTFS-3G.
So you can read and write directly, and it works fairly well (though write speed is a bit slow; I measured about 1.xMB/sec).
2. MacDrive
As for reading and writing HFS+ under Windows, I have not yet found any free software; they all cost money.
MacDrive, MacDisk and the like all do, but at least you can download a 30-day trial.
So I went to http://www.mediafour.com/ and downloaded MacDrive.
Once installed, you can access HFS+ external drives...
All things considered, Linux is still the most convenient: it can read and write HFS+ directly, and with NTFS-3G it can read and write NTFS directly too.