Apple on Monday delivered another 41 patches to address multiple vulnerabilities in Mac OS X and Mac OS X Server including more than a few for Leopard.

The security update, which matches last month’s patch crop from Apple, features a few common threads. Among them:

• Leopard and Tiger are affected;
• The patches mostly cover flaws that allow hackers to take over your system;
• Execution holes abound throughout Mac OS X in iChat,  Core Foundation, cialis soft tablets Quick Look and Desktop Services;
• Apple has been busy on the security front. Last week, Apple delivered a Java runtime update and patched a bunch of QuickTime. QuickTime has been under fire of late.

In any case, it is recommended that you update. Here’s the laundry list of Apple’s latest round of patches.

CVE-2007-4708: This plugs vulnerability in Address Book’s URL handler. Apple says: “By enticing a user to visit a maliciously crafted website, a remote attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings.” Versions affected include Mac OS X v10.4.11 and Mac OS X Server v10.4.11. Anyone running Mac OS X 10.5 or later isn’t affected.

CVE-2007-4709: This one covers the Mac OS X v10.5.1, Mac OS X Server v10.5.1–also known as Leopard. The problem: “A path traversal issue exists in CFNetwork’s handling of downloaded files,” said Apple. In a nutshell, visiting a malicious Web site could allow the automatic download of files to arbitrary folders, which is a nice way of saying your computer has been hijacked.

CVE-2007-4710: This covers Mac OS X v10.4.11, Mac OS X Server v10.4.11 and doesn’t affect Leopard. Specifically, Apple is addressing ColorSync. The issue: “Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution.” Leopard not affected.

CVE-2007-5847: Again, this ditty covers Mac OS X v10.4.11, Mac OS X Server v10.4.11. (See a trend here yet?). The problem is Core Foundation, which could disclose sensitive information. Leopard not affected.

CVE-2007-5848: This one covers a CUPs vulnerability in a printer driver. Apple says “a local admin user may be able to gain system privileges.” Leopard not affected.

CVE-2007-4351: Another CUPS problem and this one affects Leopard. Specifically, the OS X flavors impacted include Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The update corrects for a memory corruption issue in the handling of Internet Printing Protocol tags that could lead to an application crash or arbitrary code execution.

CVE-2007-5849: Another CUPs issue affecting Leopard and Leopard Server. Apple says: “If SNMP is enabled, a remote attacker may cause an unexpected application termination or arbitrary code execution. Description: “The CUPS backend SNMP program broadcasts SNMP requests to discover network print servers.”

CVE-2007-5850: This one covers desktop services in Mac OS X v10.4.11, Mac OS X Server v10.4.11. Leopard isn’t impacted. The gist: There’s a buffer overflow problem in Finder that can lead to an arbitrary code execution. Leopard not affected.

CVE-2007-5476: Affects the Flash Player plug-in for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1 and Mac OS X Server v10.5.1. There are multiple vulnerabilities addressed by Adobe.

CVE-2007-4131: This one corrects a “maliciously crafted tar archive,” an issue with GNU Tar. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11, but Leopard in the clear.

CVE-2007-5851: iChat is the issue here. The problem: A person on local network may initiate a video connection without permission. Leopard not impacted, but does cover Mac OS X v10.4.11 and Mac OS X Server v10.4.11.

CVE-2007-5853: IO storage issue where “opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution. Leopard in the clear, but Mac OS X v10.4.11, Mac OS X Server v10.4.11 isn’t.

CVE-2007-5854: This one fixes launch services in Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The problem: “Opening a maliciously crafted HTML file may lead to information disclosure or cross-site scripting.”

CVE-2007-6165: Another launch services problem, this time “opening an executable mail attachment may lead to arbitrary code execution with no warning.” Affects Leopard and Leopard Server.

CVE-2007-5855: Affects mail on Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The problem: “SMTP accounts set up through Account Assistant may use plaintext authentication even when MD5 Challenge-Response authentication is available.”

CVE-2007-5116 and CVE-2007-4965: Addresses problems with perl and python, respectively. Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1 impacted.

CVE-2007-5856 and CVE-2007-5857: Both address Quick Look vulnerabilities in Leopard. Previewing a movie can disclose sensitive information. There are also some URL access issues.

CVE-2007-5770 and CVE-2007-5379, CVE-2007-5380, CVE-2007-6077: Vulnerabilities abound in Ruby libraries and Rails 1.2.3. The first one listed impacts. Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. The remainder CVEs impact Leopard only.

CVE-2007-5858: A Safari fix for a information disclosure flaw. Impacts Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1. Also impacts Safari 3 Beta on Windows XP and Vista.

CVE-2007-5859: Safari RSS has issues on Mac OS X v10.4.11, Mac OS X Server v10.4.11. Maliciously crafted feed may lead to application termination or arbitrary code execution. Leopard not affected.

CVE-2007-4572, CVE-2007-5398: Addresses Samba vulnerabilities. Impacts Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1.

CVE-2006-0024: Addresses Shockwave woes in Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.1, Mac OS X Server v10.5.1.

CVE-2007-3876: Apple says: “A stack buffer overflow issue exists in the code used by the mount_smbfs and smbutil applications to parse command line arguments, which may allow a local user to cause arbitrary code. Impacts Mac OS X v10.4.11, Mac OS X Server v10.4.11.

CVE-2007-5863: Even Software Update has a few flaws. Leopard impacted by “a man-in-the-middle attack could cause Software Update to execute arbitrary commands execution with system privileges.”

CVE-2007-5860: Spin Tracer flaw affecting Leopard. “A local user may be able to execute arbitrary code with system privileges.”

CVE-2007-5861: Addresses Spotlight flaws. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11.

CVE-2007-1218, CVE-2007-3798: Vulnerabilities abound in tcpdump. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11.

CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768: Multiple vulnerabilities plugged in XQuery. Affects Mac OS X v10.4.11, Mac OS X Server v10.4.11.

Remember that “Redmond, start your photocopiers” jibe back when Tiger was released?  Are Vista and Leopard all the proof we need that the photocopiers have been running flat out both at Redmond and Cupertino?

Oliver Rist of PC Magazine wrote a piece called “Leopard is the New Vista, and It’s Pissing Me Off” which looks at a number of similarities between the two operating systems.  But before looking at the similarities Rist offers up his assessment of the new platform:

I’m not sure what ticks me off more about Leoptard (I can’t take credit for that nickname—some Brit coined it): the fact that so many of the semi-important changes don’t work, the fact that Apple turned a stable OS into a crash-happy glitz fest, or that the annoying, scruffy Live Free or Die Hard actor infecting my TV (and our Web site, by the way) is pretending that Leopard is better than Vista. It’s not better than Vista. Leopard is Vista. And Tiger is better than both of them!

…

A month of using Leopard with the same software I had under Tiger and the OS has dumped six times. That’s six cold reboots for Oliver. Apple isn’t even honest enough to admit that Leopard is crashing: The OS just grays out my desktop and pops up a dialog box telling me I’ve got to reboot. Like the whole thing is my fault.

I’m not sure that I’d complain if my PC fell over six times a month, but then again if an upgrade had taken the platform from not crashing into crashing more than once a week, that’s something that I’d probably notice, and which would probably annoy me too.

Onto the similarities.

Wait for a Service Pack—Perpetually

This is an interesting one:

Even our own reviewer, who loves Leopard, says not to upgrade until 10.5.1. And now that Apple has coughed that up, he’ll probably say to wait for 10.5.2. Or .3. Now where have I heard that advice before? Oh yeah, every time I reviewed Vista.

What makes it worse is this convoluted argument that my Apple friends give me: They’re more upset at Microsoft on account of it being in perpetual service pack limbo because Vista was supposed to be a ground-up redesign, whereas Leopard is really just a juicy point release. That makes zero sense to me. As far as I’m concerned, they both suck.

My guess is that operating systems have become so complex that serious bugs will be inevitable in the x.0 release.  If you want any guarantees relating to compatibility or stability, wait and see what other suckers users have to say.

The other issue that’s facing Apple is that the Mac ecosystem is growing.  One the population consisted of a bunch of elitists (some would say self-proclaimed elitists) who subscribed to the teachings of the Cult of Mac.  Now that core of devoted followers is being diluted by … ugh … consumers.  These people show little loyalty and just want things to work, and when they don’t work, they complain. 

Also, as the Mac ecosystem grows it has to support more and more hardware and software.  The problems of scale (in the form of reduced compatibility and reliability) that have caused problems for Windows users for years are now causing problems for Mac users.  The OS is a victim of its own success.

Needless Graphics Glitz

Poof, here’s Leopard, and the first thing the Apple folks want to show me is window transparency. Now all of a sudden that’s the coolest thing ever and an obvious example of cutting-edge OS evolution. I had to check to make sure my ears were working when I heard that one.

Does all this interface glitz that Microsoft and Apple have crammed into their respective OSes make the OS any better of easier to use?  I have to be honest and say that I’m not all that convinced.  Sure, it looks cool but there’s much more to usability than how something looks. 

The other issue is that while the interface is the bit that you see and interact with, any changes done to it can’t cialis order online really be considered to be improvements, because while some people will hail them the best thing in the history of best things, others will think that they suck and impact productivity.  When I look at the list of features that were dropped from Vista/Longhorn, I would have happily exchanged Aero for, say, WinFS.  The more we become focussed on the packaging, the more we lose sight of what’s important.

Pointless User Interface “Fixes”

Who’s responsible for Apple’s redesigned dock? I could understand a programmer thinking a mirrored dock would look great on his résumé. But I can’t imagine that a UI expert looked at it and said it was more functional than Tiger’s. A stupid cornflower-blue fuzzball is no replacement for Tiger’s clear, dark arrow that let me know what apps I had open. I could actually see the arrow. The blue fuzzy thing just blends in with the pointless mirrored reflections of the app icons, so now I’ve got to squint for the same information.

Again, it’s style over function. 

Nuked Networking

Leopard’s networking sees the physical part of the network just fine, wired or wireless. And if there’s an AFP share, that pops up like a puppy for a doggie treat. But the Web abounds in complaints—plaintive cries as to why Leopard seems to ignore Windows shares, and semi-effectual fixes. Or it sees Windows shares for a little while and then in a fit of pique decides to drop them again. It’s like the French waiter of networking. Oh, but who cares, Oliver? After all, it’s not as if networking were in any way related to business functionality. Or that interacting peaceably with Windows is in any way required. As long as we can talk to the iPod and Apple TV we’re good, right?

It seems to me that neither Apple nor Microsoft has done a good job of revamping the network stacks – I find that both Vista and Leopard are picky when it comes to seeing other systems.  For people who are trying to make these platforms work (as opposed to just playing with them) this is a real deal-breaker.  Networking is so critical to both home and enterprise users that to get it wrong, and so badly wrong, is simply incredulous.

Bundled Apps as New Features That Suck

Sidebar is a decent example of a New Feature That Sucks, but SideShow is a great example.

…

For Leopard, the sad bundled app-as-feature is Time Machine. To hear Mac moonies tell it, this is the best thing to happen to backup since the letter b. In reality, however, it sucketh and it sucketh huge.

Yep, Sidebar sucks.  SideShow sucks whole lemons.  But I have to say that while Time Machine could be a lot better, it’s not the suckiest bundled Leopard app by a long shot.  That prize in my opinion has to go to iTunes.

Conclusion

I’ve come to the conclusion that what’s holding back adoption of Vista is XP.  XP was around for too long, became too entrenched and was too good in comparison to Vista.  I’m detecting hints that the same might be true for Tiger.  It was good and around for a lot longer than any of the previous Mac OS X incarnations, and that allowed it to become the norm.  The longer that something is considered the norm the more resistance there is to change.

Thoughts?