(InfoWorld) - Apple on Thursday unveiled the year's fifth major security update for Mac OS X to patch 17 vulnerabilities, but fewer than one-third of them could lead to hackers injecting their own code into a compromised system.

Thursday's release also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project.

If Apple sorted bugs by a ranking system -- as do other vendors, including Microsoft Corp. -- most of the bugs fixed by Security Update 2007-005 would be rated less than critical. In eight out of the 17, for example, exploits could do no more damage than to generate a denial of service of, or crash, the affected component. Microsoft typically pegs such vulnerabilities as "important" rather than "critical." Only five of the patched vulnerabilities could result in an attacker executing his own code.

Among the serious bugs is one in how Mac OS X 10.4, known as Tiger, handles PDF files. "By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution," Apple's advisory said. Attacks sporting this strategy, although rare on Macs, are common threats faced by Windows users, who have had to learn -- sometimes unsuccessfully -- to be wary of unexpected file attachments.

Another dangerous flaw fixed Thursday exists in the code that maps ports on home networks in iChat, Apple's instant messaging service and software. An attacker need only send a malformed packet to trigger a buffer overflow, which could then be used to add malicious code to the Mac. The hacker, however, must have access to the local network to exploit the bug.

Other parts of Mac OS X that were patched Thursday include BIND (Berkeley Internet Name Domain), the de facto standard Domain Name System server software, which was patched against four vulnerabilities; the Ruby CGI library (two vulnerabilities); and Fetchmail (one vulnerability).

Although Thursday's update pushed Apple's year-to-date patch total to over 100, there was a bright side: It included fixes for fewer flaws than last month (25) and the month before (45).

The security update can be downloaded from the Apple site or using Mac OS X's built-in update service.

ADVERTISEMENT

IBM Information On Demand 2006
Industrial Industry Leaders, please join us at IBM's premier information management global event, IBM Information On Demand 2006, October 15-20, Anaheim, CA. More IBM business and technical solutions content in one place than ever before! Select from over 800 sessions. Register today!

(InfoWorld) - Facebook became the latest entrant into the online video battle Thursday, opening its Facebook f8 platform to outside developers and partners in an effort to gain ground on social networking rivals.

The move allows third parties to develop functions for Facebook, including video, advertising, and retail capabilities. Part of the system will use the company's own markup language, creatively titled Facebook Markup.

Since News Corp. bought rival MySpace in 2005, Facebook has struggled to keep pace. Last year, Facebook declined a $1 billion acquisition offer from Yahoo, instead choosing to go it alone in hopes of a better offer or greater solo success. Thursday's announcement could push Facebook more towards becoming a commercial provider of social networking tools, rather than attempting to take on MySpace as a consumer play.

Allowing outside parties to begin selling advertising on Facebook could also help the company to monetize its audience, estimated by comScore Networks at just over 23 million visitors per month. Self-starting advertisers and retailers could build their own applications or retail functions, saving Facebook the effort while still providing revenue.

AP - An independent European Union panel is investigating whether Google Inc.'s Internet search engine abides by European privacy rules, which tend to be stricter than those in the United States.

Microsoft has announced a series of initiatives that will open up its web identity management frameworks and make it easier for other organizations and technologies to interoperate with them.

Read More...

Today, bowing to customer demand, Dell launched a new series of desktops featuring the free, open-source Ubuntu operating system.

To my knowledge, this is the first time Dell has ever offered any non-Microsoft operating system on their desktops. Until today, it was quite literally impossible to decline the Windows license when you bought a desktop from Dell. If you bought a desktop PC from Dell, you got -- and paid for -- a copy of Windows, whether you wanted it or not. This is commonly referred to as "The Microsoft Tax". Offering a free desktop operating system is effectively the same thing as selling hardware without any operating system.

Whether you're a fan of the latest open source operating systems, or just a fan of plain old-fashioned consumer choice, the end of the Microsoft tax is a win for customers. I was a little worried that Dell would charge extra for the privilege, but it looks like they played fair and square:

	Dell Dimension E520	Dell Dimension E520N
CPU	Core 2 Duo E4300 1.86 GHz	Core 2 Duo E4300 1.86 GHz
RAM	1 GB DDR2	1 GB DDR2
Hard Drive	250 GB	250 GB
Media	CD-RW/DVD	CD-RW/DVD
Video	Integrated Intel GMA X3000	Integrated Intel GMA 950
OS	Windows Vista Home Premium	Ubuntu Desktop Edition 7.04
	$679	$599

The hardware is essentially identical. We can infer that Dell's price for a Windows Vista Home Premium license is $80. An OEM copy of Home Premium runs about $129, so it's cheaper to buy the license from Dell than it is to buy one yourself. But if you have no intention of running Windows, you just saved eighty bucks.

Kudos to Dell for doing the right thing and ending the Microsoft Tax. It's also quite possible today will be looked back on as an important turning point in the history of desktop computing.