Aug 24

“Yet even ComScore itself is re-evaluating its own data; not saying it got it wrong, but saying instead that the big January drop might come from improvements in Google’s click programs and not because of some big drop off in business. ComScore says that since it’s not tracking the same kind of drop off in business at other search engines, the issues might be from Google click improvements alone, and not some macro-economic factors instead.”

For most of his tenure, Google CEO Eric Schmidt has had an easy time of it. If he’s as good a manager as his press clips claim, now he’ll have a chance to earn that reputation. History may not repeat itself exactly but if the economy slips further, a lot of companies will suffer more pain before the selling comes to an end.

“It is entirely possible, if not likely, that the improved revenue yield will continue to deliver strong revenue growth in the first quarter. Separately, there is no evidence of a slowdown in consumers clicking on paid search ads for the rest of the U.S. search market, which comprises 40 percent of all searches.”

Earlier in the week, ComScore reported that Google’s paid clicks dropped 7 percent between December and January. That was enough to panic already nervous shareholders who proceeded to dump Google’s stock in one of Wall Street’s (increasingly common) panics.

But Friday morning the Internet ratings agency issued a brief statement meant to contradict the impression that it believes Google has sprung a leak.

“This week, as analysts have rushed to check in with search engine marketers, we have heard reports of weakness in financial services, real-estate, and other categories. Although Google’s click improvement programs are almost certainly contributing to the paid-click fall-off, it seems unlikely that they account for all of it. We therefore continue to view the ComScore report as supporting the theory that Google is exposed to economic weakness.”

That’s one heck of a circumlocution: Maybe it’s me but it recalled that signature line from the Wizard of Oz: “Don’t pay attention to the man behind the curtain.” For the record, ComScore’s PR department told me that it decided to publish the statement because journalists were drawing incorrect conclusions from the data. The spokesman also said Google had not pressured the ratings agency to act.

ComScore’s “statement of analysis” was good enough to convince CNBC’s Silicon Valley reporter Jim Goldman, whose reliably chirpy optimism about tech stocks seems to gain in the face of each massive sell-off. On his blog, he wrote:

That settles it then. Happy days are back? Well, not exactly. Goldman is part of the perma-bull crowd which predominates on CNBC. This bunch rarely gets out ahead of an economic trend–especially when the indicators start pointing south. I’m not arguing that Google’s franchise is in deep trouble. At least, not yet. But who still believes that the company’s search-based advertising business will remain intact in the face of a recession? Henry Blodget over at Silicon Alley Insider sure isn’t buying it:

Including Google.

“…the evidence suggests that the softness in Google’s paid click metrics is primarily a result of Google’s own quality initiatives that result in a reduction in the number of paid listings and, therefore, the opportunity for paid clicks to occur. In addition, the reduction in the incidence of paid listings existed progressively throughout 2007 and was successfully offset by improved revenue per click.

Since the company went public in 2004, Google has become a Zelig-like metaphor for bulls and bears. Both sides project what they want. The optimists justified a $700-plus stock price because they expected the good times to continue. The pessimists questioned why you would value a stock that highly with the housing and financial sectors of the economy blowing up and no end in sight. Where the bulls saw clear skies, the bears saw clouds. And so far, there’s little argument about who is being proved right.

Aug 24

Though Lenovo has been nipping at its heels, Acer’s most direct competition in the U.S. is the two big guys–Hewlett-Packard and Dell. “HP has a lot more experience with consumers and is going to try to defend that turf. It’s a pretty dynamic competitive space all around,” Loverde said.

“There’s some risk of having an impact on PCs, but a certain amount of it is because we just went through the holiday season and Wall Street is under pressure,” he said.
“If you look at the broader technology trends…some recovery in 2007, commercial Vista adoption, pretty strong portable (PC) adoption, (and) we’re still getting lower prices and new users…A number of tech environment factors that suggest we should expect still some pretty solid growth. The risk that we might not maintain double digit growth in the next couple years would be if we had a recession and consumer spending really started to cut back.”

Though there’s been ample hand-wringing over interest rates, credit problems, and weak retail sales, the computing industry is staying immune so far, according to Loverde.

Acer also made a big push in retail this year, continuing the rapid gains in the U.S. (it’s grown 294 percent since the same quarter a year ago), and appears to have finally nailed down its coveted No. 3 spot in the worldwide ranking of top PC vendors. When combined with Gateway, Acer shipments achieved 9.6 percent share worldwide in Q4, compared with 6.9 percent a year ago.

Though the market for computers–and both business and consumer technology across the board–appears healthy, it could drop off next year. But thus far, there are no signs of it in the PC space.

HP, the worldwide PC leader for more than a year now, saw its shipments rise both at home and abroad, though it was somewhat affected by stagnating growth in Europe, the Middle East, and Africa, according to IDC. It now has 19 percent of the worldwide market.

“From a Dell perspective, part of going from minus-5-percent to 15-percent positive (growth) this quarter is the fact that year-ago shipment was pretty low,” said Loren Loverde, director of IDC’s quarterly PC report. “So some of that is factoring in, but they have also launched a lot of new products, and a lot of new (retail) channel arrangements.”

Dell actually expanded its market share in the fourth quarter, after a string of disappointing quarters while it reshuffled its ranks and its product lineup. Dell used momentum derived from its new retail push to drive its shipments up by more than 15 percent in the quarter–growth far ahead of the rest of the U.S. The Texas PC maker finished the year with 29.6 percent of the total PC market in the U.S. in the fourth quarter, IDC said.

In the U.S., it’s Dell (31.4 percent market share), HP (26.1), Acer (9), Apple (6.1), and Toshiba (5.3). Apple has stretched its share of the U.S. market to 6.1 percent, from 5.1 percent a year ago. Gartner also notes that for the second consecutive quarter mobile PC shipments exceeded those of desktops.

Despite some anticipation of weakening U.S. consumer confidence, PC shipment growth here nearly doubled between the third and fourth quarters of 2007, to reach 8.8 percent, according to IDC’s Worldwide Quarterly PC Tracker report released Wednesday.

Lenovo has been going strong for three straight quarters. It ended the year behind Acer with 7.5 percent of worldwide PC shipments. It’s not in the top 5 of vendors in the U.S. market, but recently introduced its new IdeaPad consumer notebook line, which the company hopes will follow in the tradition of its business-oriented ThinkPad line of laptops.

Rival analyst firm Gartner ranks the companies in the same order as IDC, according to findings also released Wednesday: the worldwide leader is HP (with 18.2 percent market share), followed by Dell (14.3), Acer (8.9), Lenovo (7.4), and Toshiba (4.0) to round out the top 5.

Aug 24

The TP series home theater PC is now a Blu-ray player too.

If the Eee PC just catches on with Linux developers, enthusiasts, and the tech-savvy early adopter crowd, that’s fine by him. “But if mainstream buyers buy it, then, whoa,” Abary said.

(Credit: Erica Ogg/CNET News.com)

And even with just the open-source version available stateside, the numbers say it’s striking a nerve: the company reported moving 350,000 units of the Eee in the first quarter it was available last fall.

So should Sony, Hewlett-Packard, Dell, and their ilk be frightened of Asus? So far, the version of the Eee PC in the U.S. only comes with Linux, but that will soon change. Japan got its Windows XP version last month, and the U.S. should be getting one in the next few weeks. (See the full review of the Eee PC by CNET’s Dan Ackerman.)

LAS VEGAS–As a computer, the Eee PC from Asus is intended to be the opposite of intimidating–it’s made for children after all. But its potential as a market force is apparently giving chills to its larger industry peers.

Though it was released in the fall, the all-in-one PC from Sony, the LT, is part of the same strategy. Again, though it’s a PC like Gateway’s One or Dell’s XPS One, Sony positions the product as a TV with PC capability instead of the other way around. Doing so is likely to lure more high-end customers, with the LT’s Bravia-like bezel echoing Sony’s line of LCD TVs.

But it’s not all about appearances. Sony is also pushing its lineup of home theater PCs, which are not primary PCs, but still start at $1,699.

(Credit: Erica Ogg/CNET News.com)

Sony has always positioned itself as a premium brand, and will continue to do so, as was evident in the rest of its PC offerings on show here.

Sony also said that Vaio as a brand sells particularly well with women, which could also explain Sony’s increased emphasis on personalization. Though 80 percent of notebooks sold industrywide are owned by men, Abary estimated, Vaios’ percentage ownership by men is in the low 70s, indicating a higher-than-average ownership rate by women.

Though Sony had earlier indicated that its TP home theater PC (that white round one), didn’t sell particularly well last year, it still decided to bring it back for Round 2. It’s still round, but now it’s got some high-definition guts. Sony beefed it up with a Blu-ray Disc player, Intel Penryn processors, and two Cable Card tuners. It’s also now available in black for $1,699 to $3,000.

The company has been at the forefront of the uber-personalization trend that’s taken over the notebook industry. By charging more, the company has more leeway with the options it can offer customers. It began doing colored laptops three years ago and is now branching out into personalized patterns, and–as suspected–textures.

“If (the Eee PC from) Asus starts to do well, we are all in trouble. That’s just a race to the bottom,” said Mike Abary.

People who buy their Vaio at the SonyStyle store online have as many as 36 different choices for personalizing their laptop. The Graphic Splash line has three different patterns and multiple color combinations, as well as a choice of font on the keyboard. “That’s what consumers really, really want,” Abary told a gathering of reporters earlier in the day.

He means that if mainstream PC buyers start to find their needs met by a lightweight, simply featured, inexpensive portable, it’s likely to impel all of the major players in the industry to pile on by lowering their prices. And that’s in an industry with already low margins for retailers and manufacturers.

Here at Sony’s annual Open House event, the senior vice president of Sony’s IT product division said the tiny $299 notebook could potentially shift the entire notebook industry.

(Credit: Erica Ogg/CNET News.com)

As for Sony, though it did start offering lower-priced notebooks last year in the $800 range, don’t expect the company to go any lower just yet. Abary says so far the company is just “keeping an eye” on the Eee’s activity.

A Vaio to match your crocodile-print shoes.

The Eee PC at its U.S. launch last fall.

Sony’s not the only one taking notice. Acer is reportedly readying an Eee competitor, and the yet-to-be-officially-announced HP Compaq 2133 was developed with the Eee firmly in mind.

Aug 24

I had never seen an operation like this before, which surprises me. I heard afterward that this is something that’s popular on river-rafting routes, but I’d not seen it on popular highways. And being from the San Francisco Bay Area, which is of course close to the Pacific Coast Highway, that surprised me.

Cannon says that every day he sets up in a different place, something that’s not hard, given that this stretch of road has seemingly thousands of tight curves offering the kind of two-way vantage point he needs. He’s looking for good lighting and good background, so that he “might get a tight shot, but still get some of the background.”

I stopped at one of the curves along the way to talk with him about what he was doing and why.

Known as “The Dragon,” the road is a longtime favorite, especially among motorcyclists, and hundreds, if not thousands, of people navigate its windy curves every day.

(Credit: Daniel Terdiman/CNET News.com)

And how?

Head on out to the border region between Tennessee and North Carolina, just on the edge of Great Smoky Mountain National Park. There, you’ll find a never-ending supply of people riding their motorcycles and driving their cars along one of the most famous and beloved stretches of road in the South.

“It would be better if they wouldn’t,” he said, ever the photographer.

Darryl Cannon of Killboy.com takes thousands of pictures daily of drivers and motorcyclists on U.S. Route 129 on the Tennessee/North Carolina border. The road is popular, especially with motorcyclists, and Cannon and others in his company make full-time livings selling the images they take. At least three other operations do the same thing in the area.

Cannon said that plenty of people do that, some just to say hi.

That’s what Cannon, his wife, and a couple of friends are doing. Full time, he said.

For me, when I find myself being photographed without my consent, I usually make a gesture that I hope will render the picture worthless. It’s not what you think. And I guess I’m not the only one who does things with his hands.

After he and his team finish taking their pictures–he uses a Canon 40D and has “whole pockets of” 4GB compact flash cards–they go home and laboriously sort them and post them. They organize them by date, and then by category: “Cars-Trucks,” “Motards-Dirtbikes-Trikes-Scooters-Sidecars,” “Touring Bikes,” etc.

This is definitely a business based on a direct-mail type of response. After all, there is a steady stream of traffic, and there’s a lot of competition. Yet Cannon said he’s been doing this since 2003, so I guess he sells enough $6 CDs of digital images–as well as more expensive coffee mugs, prints, and other manifestations of people’s ride along the famous road–to make it worth his while.

At first, as I drove along this stretch of highway as part of Road Trip 2008, I was confused as to what was going on. But after seeing two such vehicles at corners, each of which had a URL emblazoned on the side, I figured it out: the photographers were taking pictures of the riders and drivers, and then later posting them online, hoping that people will visit their sites, see pictures of themselves on the famous road, and decide to fork over a few bucks for a high-res image.

(Credit: Daniel Terdiman/CNET News.com)

Cannon and others park themselves at strategic curves along the famously windy road to best capture drivers coming from either direction. They will also position a vehicle with a URL on its side so drivers can see where they can go to find their picture.

He said he works about 100 hours a week.

He said that he routinely shoots thousands of pictures a day and sometimes, if there’s a motorcycle rally in the area, can take as many as 17,000 in one shift.

FONTANA VILLAGE, N.C.–If you’ve got a fancy digital SLR and have been wondering how you could make money with it, I might have just the suggestion for you.

As a result, people like Darryl Cannon of Killboy.com have proliferated. They park their cars at strategic curves in the road where they can shoot pictures of drivers coming from either direction, and then they sell the drivers–at least some of them–the pictures.

But it’s the extreme popularity of this stretch of US-129 with motorcyclists that makes Cannon’s business possible. These are riders who travel great distances to make their way through the Dragon, and enough of them seem to like the idea of buying a picture of themselves doing so to create a business. I suspect the same is true in other parts of the country that bikers frequent.

Aug 21

While so many pundits and otherwise wise people have expounded at great and critical length on the allegations of drug-fueled frenzy leveled at Broadcom founder Henry Nicholas, has anyone stopped to consider just what a dedicated CEO he might have been?

It is easy to mount one’s 18-hands stallion and scoff at his methods.

Supposedly, he showered clients with chemical and human pleasure providers to close deals.

Some say he openly authorized cash to be paid to drug couriers as well as pizza delivery boys.
And, most bizarrely, he is accused of smoking so much marijuana on a plane that the pilot had to don an oxygen mask in order to resist dopiness at the controls.

It’s hard to know what drives most people. The cranial machinations of Jennifer Aniston and Bill Belichick, for example, have always perplexed me.

But suppose for a moment that, despite looking a little like Tom Selleck after cut-price surgery, Mr. Nicholas was determined to be the ultimate embodiment of everything Broadcom stood for.

Broadcom’s tag line is “Connecting Everything.”

Is it possible that Mr. Nicholas, in his determined quest to connect humans to his chips, humans to other humans and humans to their inner other humans (hence the pilot episode), simply got carried away by an enthusiasm for his organization not seen since Dave Thomas of Wendy’s burger chain (who appeared in over 800 commercials for his company) or perhaps even Pope John XII?

(Credit: Tom Purves)

Pope John was smoked into the Papacy when he was 18 and appeared to decide that the Organization needed to be an expression of his own youthful exuberance.
It all seemed to go a little far.

He received a letter from the German Emperor Otto I: “Everyone, clergy as well as laity, accuses you, Holiness, of homicide, perjury, sacrilege, incest with your relatives, including your sisters.”

But no one considered that, in an attempt to counteract deleterious forces, he might have been merely researching the seven deadly sins so as to know how to better combat them for the benefit of his organization.

When I advise clients about marketing and creativity, I always talk to them about deciding what their company stands for, how their company wants to be seen and trying to protect and embody that vision as much as possible.

Business is a peculiarly seductive activity and who knows just how deeply Mr. Nicholas might have been gripped by the need to deliver on his corporate vision?

He clearly had circumstances stacked against him. His company was based in Orange County.

Anyone who was privileged enough to watch Fox’s seminal drama series “the OC”, or, indeed, Bravo’s “the Housewives of Orange County”, knows just how difficult connectivity is to achieve in that especially cold-hearted and forbidding part of America.

Could it be that, in his enthusiasm to embody his company’s promise, to connect everything, Mr. Nicholas simply became disconnected from himself by the monstrous impossibility of his task?

Aug 21

commentary

This is my first trip overseas with my iPhone, and it’s hard to express in polite language how disappointed I am with Apple’s international data roaming packages. I say “Apple’s” instead of “AT&T’s” because with my old Blackberry on AT&T I didn’t have the problem, so I’m laying the blame at Apple’s feet.

What’s the problem? The cost. With my old Blackberry, I paid an additional $9.95/month for unlimited data while roaming internationally. With my iPhone, I pay $24.99 per month for just 20MB. Scratch that: Last night I upgraded to the only other plan Apple/AT&T offer: $59.95 per month for 50MB of data (on top of the $40/month I already pay for domestic data).

Sound like a lot of MB? Nope. I hit nearly 10MB in just one day, and that’s with Saturday email traffic (not much) and very, very little web browsing. No pictures or attachments.

Apple fan that I am, I’m trying to think of a good reason why it should be so much more expensive to access email and browse the web internationally on my iPhone than it was with my Blackberry. (Same sites, same email volume.) It has put a huge crimp on how I use my iPhone. I’m actually frightened to use it at all, lest I go over the 50MB limit (when overage prices hit $5 to $20 per MB(!!!)).

I love my iPhone, Apple. I’d just like to be able to use it internationally. On the plans you currently offer through AT&T, I can’t.

P.S. Don’t tell me this is AT&T’s fault. Apple has had so much control over everything to do with the relationship that if international roaming is ridiculously pricey, it’s with Apple’s blessing or direction.

Aug 21

In the middle of May, Yahoo sent out a call to developers to develop customized search results using their SearchMonkey platform. Today, Yahoo announced the availability of Yahoo! Search Gallery. Search Gallery serves as a showcase for custom search add-ons that have been developed, such as Yelp, Last.fm, and LinkedIn.

Yahoo has a great concept here and one that could greatly improve the search experience for users. I was genuinely excited that customized results from sites that I frequent would magically find their way into my regular searches. While I still think that this is a good idea, the actual implementation needs some work.

Searching for restaurants, names, and other things that you would expect to throw back customized search results often does not. In the case of a search for my name, the LinkedIn entry was thrown in at the bottom of the page. Since I had explicitly told Yahoo Search that I want information from LinkedIn to show up in my searches, I would expect them to be given “above the fold” priority.

The current implementation requires you to manipulate your searches to get any customized results, in many cases.

I had to fool around with it for a while before it would throw back a customized result for one of my favorite local restaurants, which is absolutely listed on Yelp, and even then it would not give me anything. It was not until I added the word “yelp” to the search that I saw a customized listing, and it was a local.yahoo.com one instead of one from Yelp. There are obviously restaurants that custom results work for, but there is no reason why it shouldn’t work on any Yelp-listed restaurant that comes to mind.

All complaints aside, this technology is definitely something to get excited about, but the implementation (whether on Yahoo’s end or the third-party developer’s end) is just not there quite yet. Look for this to make a big impact when they finally get it right.

Aug 21

I’m here at the SNAP Summit in San Francisco. Most of the people in the overflow crowd are trying to figure out how to make their sites more social–how to tap into the viral effect that’s busted companies such as RockYou and Slide into the big leagues.

Joshua Porter, who runs Bokardo Design, launched the day by offering up five principles for effective social design. The undercurrent of his talk: Serve your users and they’ll keep coming back. That’s a simple thing to say, of course. Here are Porter’s five tips to making it real:

Personal value precedes network value: Paradoxically, to make a strong social site, you’ve got to start by making a good personal site. If the features you offer don’t serve a solo user, it’s unlikely your users will stick around long enough to become social. Examples: YouTube and Flickr both work as utility sites for individuals, even without the social component. Most users on del.icio.us start by using the service as a bookmark saver. The social angle comes later.

Joshua Porter

(Credit: Rafe Needleman / CNET)

Tie behavior to identity: In other words, what you do on the site should describe you more than what you say about yourself in your profile. Amazon and eBay aren’t Web 2.0-era social sites, but users’ identity on these sites is very strong, based on feedback they leave on products and sales.

Give recognition: Digg leveraged its users’ competitiveness to get on the front page of the site. Its top users eventually formed cliques to get and hold these positions. It was a good strategy to get the community going, but eventually Digg turned off the recognition feature since it was reinforcing the influence of the grandfathers of its network, and making it too hard for new people to rise up in the rankings. The challenge with recognition programs, Porter implies, is that you have to make them meaningful and desirable, but also temporary. Once a user is recognized as a top contributor, let them fall off the map if they don’t stay active.

Show causation: If you’re going to ask people to participate, make it clear what participating does for them. Netflix, for example, gives users better recommendations when they rate DVDs.

Leverage reciprocity: This is Porter’s fancy way of saying that you want to appeal to people’s narcissism. People contribute to social sites in large part because they want to see what other people say about their contributions. Make it easy for people to interact on that level–by leaving feedback, compliments, awards, and so on for each other.

Aug 21

Of course, an iTunes open marketplace is the last thing that the studios would like to see right now, and all accounts seem to indicate that Steve Jobs and Apple have been courting Hollywood for some time. If Jobs were to make such an announcement the same day that he announces movie rentals, heads in Hollywood would surely roll.

Apple has sold themselves as the brand of choice for artists, musicians, and other creatives. They provide the tools that many of us, both hobbyists and professionals alike, use to make media, and it would seem like the perfect fit for the company to also provide a means for us to help sustain our work.

Mac fans across the world are eagerly awaiting Steve Jobs’ keynote at Mac World with bingo cards in hand, but despite all the rumors of the “MacBook Air” and the iTunes video rental store, there is one feature that I wish Steve would announce but that I know will not materialize anytime soon. What I’d like to see from Apple in 2008 is an iTunes marketplace, a place where independent media creators can set their own price for their work and share the profits with Apple.

For years now, I’ve envisioned a sort of eBay for digital assets. I spent several years trying to parlay the resources needed to build something similar, but I became increasingly frustrated, and eventually put my plans for the Rise Up Network aside; once YouTube became a pop-culture fixture it became even more difficult to convince people that such an endeavor would be viable.

It’s highly unlikely that this morning’s keynote will introduce such a marketplace, but perhaps another company will manage to take the lead and announce their own.

Back in January, at the Web Video Summit, I listened to Douglas Gayeton explain how Apple was unwilling to market his evocative video series, My Second Life - the video diaries of Molotov Alva; it just didn’t fit into Apple’s business structure. Fortunately for Gayeton, HBO purchased the project and it may still eventually find its way into the iTunes store. Unfortunately for all of us, the first episode has been removed from the web, and the only copy that remains online has been augmented with subtitles.

Naysayers would argue that the demand for such a service simply doesn’t exist, and I’m sure many analysts would agree. After all, I like watching a dog on a skateboard just as much as the next guy, but I’m not about to drop $1.99 to see it. At the same time, there are hundreds of professional-quality web series out there, and with the writers’ strike beginning to have an effect, more and more people are turning to the web for video. A major player like Apple would possibly have the best chance of amassing the traffic necessary to be successful.

Yes, some independent artists have been able to sell their music in the iTunes store, but there is no means to sell video podcasts or other similar materials through Apple.

Aug 20

PHP
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses the vulnerabilities in CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, and CVE-2007-4887. Apple says “PHP is updated to version 5.2.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.”

Also on Tuesday, Apple released version 3.1 of its Safari browser for both Mac and Windows users. The release includes new features as well as security fixes, most of which address cross-site scripting flaws.

mDNSResponder
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0989. Apple says “a format string issue exists in mDNSResponderHelper. By setting the local hostname to a maliciously crafted string, a local user could cause a denial of service or arbitrary code execution with the privileges of mDNSResponderHelper. This update addresses the issue by using a static format string. This issue does not affect systems prior to Mac OS X v10.5.”
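As an added example (not Apple’s code and not the actual mDNSResponderHelper source), the C below contrasts the bug class in this advisory with the fix Apple describes: the hostname is passed only as an argument to a static format string, and a defensive allow-list check rejects hostname values that contain format directives at all. All function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256

/* The vulnerable pattern (not reproduced as callable code here) is
 *     snprintf(out, outsz, hostname);
 * where the attacker-controlled hostname IS the format string, so every
 * '%' directive in it is interpreted by the formatter. */

/* Count printf directives the formatter would interpret if this string were
 * wrongly used as a format: every '%' that is not part of a literal "%%".
 * A trailing lone '%' counts too, since it also starts a directive. */
size_t format_directive_count(const char *s)
{
    size_t n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {
            i++;              /* literal percent sign: skip the pair */
            continue;
        }
        n++;
    }
    return n;
}

/* Allow-list for a local hostname: letters, digits, '-' and '.', 1..63 chars.
 * A '%' never gets through, so even a caller that still misuses the value as
 * a format string has no directive to interpret. */
int hostname_is_wellformed(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 63)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Fixed pattern: a static format string. The hostname is only ever an
 * argument, so any '%' inside it is copied into the log line as plain text.
 * Returns the number of characters written (excluding the NUL), or -1 if the
 * line would not fit. */
int log_hostname_safe(char *out, size_t outsz, const char *hostname)
{
    int n = snprintf(out, outsz, "local hostname set to: %s", hostname);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample hostnames: one benign, one carrying a directive. */
    const char *samples[] = { "macbook-pro.local", "bad%shost", "100%%" };
    char line[LOG_MAX];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-20s wellformed=%d directives=%zu\n", samples[i],
               hostname_is_wellformed(samples[i]),
               format_directive_count(samples[i]));
        if (log_hostname_safe(line, sizeof line, samples[i]) >= 0)
            puts(line);   /* directives appear literally, never interpreted */
    }
    return 0;
}
```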

Image Raw
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0987. Apple says “a stack based buffer overflow exists in the handling of Adobe Digital Negative (DNG) image files. By enticing a user to open a maliciously crafted image file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of DNG image files. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits Clint Ruoho of Laconic Security for reporting this vulnerability.

Application Firewall (German)
This patch affects users of Mac OS X v10.4.11 and Mac OS X v10.5.2. The update addresses a vulnerability in CVE-2008-0046. Apple says “the “Set access for specific services and applications” radio button of the Application Firewall preference pane was translated into German as “Zugriff auf bestimmte Dienste und Programme festlegen”, which is “Set access to specific services and applications”. This might lead a user to believe that the listed services were the only ones that would be permitted to accept incoming connections. This update addresses the issue by changing the German text to semantically match the English text. This issue does not affect systems prior to Mac OS X v10.5.”

CUPS
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses the vulnerabilities in CVE-2008-0053 and CVE-2008-0882. Apple says “multiple input validation issues exist in CUPS, the most serious of which may lead to arbitrary code execution with system privileges. This update addresses the issues by updating to CUPS 1.3.6. These issues do not affect systems prior to Mac OS X v10.5.”

Emacs
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2. The update addresses a format string vulnerability in CVE-2007-6109. Apple says “A stack buffer overflow exists in Emacs’ format function. By exploiting vulnerable Emacs Lisp which allows an attacker to provide a format string containing a large precision value, an attacker may cause an unexpected application termination or possibly arbitrary code execution.”

Foundation–5
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses a race condition vulnerability in CVE-2008-0059. Apple says “A race condition exists in NSXML. By enticing a user to process an XML file in an application which uses NSXML, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improvements to the error handling logic of NSXML. This issue does not affect systems running Mac OS X v10.5 or later.”

OpenSSH
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2007-4752. Apple says “OpenSSH forwards a trusted X11 cookie when it cannot create an untrusted one. This may allow a remote attacker to gain elevated privileges. This update addresses the issue by updating OpenSSH to version 4.7.”

AppKit–Multiple integer overflow
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses multiple integer overflows tracked as CVE-2008-0057. Apple says “By causing a maliciously formatted serialized property list to be parsed, an attacker could trigger a heap-based buffer overflow which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of serialized input. This issue does not affect systems running Mac OS X v10.5 or later.”

Emacs
This patch affects users of Mac OS X v10.4.11 and Mac OS X v10.5.2. The update addresses a safe mode checks vulnerability in CVE-2007-5795. Apple says “a logic error in Emacs’ hack-local-variable function allows any local variable to be set, even if ‘enable-local-variables’ is set to :safe. By enticing a user to load a file containing a maliciously crafted local variables declaration, a local user may cause an unauthorized modification of Emacs Lisp variables leading to arbitrary code execution. This issue has been fixed through improved :safe mode checks.”

Printing
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0995. Apple says “Printing to a PDF file and setting an ‘open’ password uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4. This issue does not affect systems prior to Mac OS X v10.5.”

libc
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-0988. According to Apple, “An off by one issue exists in Libsystem’s strnstr(3) implementation. Applications that use the strnstr API can read one byte beyond the limit specified by the user, which may lead to an unexpected application termination. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later.” Apple credits Mike Ash of Rogue Amoeba Software for reporting this vulnerability.
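An added example in C (not Apple’s Libsystem code) of the bounds check the strnstr fix is about: a length-limited substring search whose loop condition guarantees no read at or past the caller’s limit, with an instrumented read helper so the guarantee can be checked.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Apple's Libsystem code. A bounded substring search of
 * the kind strnstr(3) provides, written so that no byte of `haystack` at an
 * index >= `len` is ever read. Apple describes CVE-2008-0988 as a read of one
 * byte past that limit; the loop condition `i + nlen <= len` is what keeps
 * every access inside it. */

/* Highest haystack index read during the most recent call (for the check). */
static size_t max_index_read;

static char read_at(const char *s, size_t i)
{
    if (i > max_index_read)
        max_index_read = i;
    return s[i];
}

/* Return a pointer to the first occurrence of `needle` within the first `len`
 * bytes of `haystack`, or NULL. Stops at the first NUL in `haystack` even when
 * `len` is larger than the string, as a caller of strnstr expects. */
char *bounded_strnstr(const char *haystack, const char *needle, size_t len)
{
    size_t nlen = strlen(needle);
    max_index_read = 0;
    if (nlen == 0)
        return (char *)haystack;

    /* A match starting at i needs bytes i .. i+nlen-1, so require i+nlen <= len.
     * Writing `i + nlen - 1 <= len` instead would let the last comparison read
     * haystack[len], which is the off-by-one shape Apple describes. */
    for (size_t i = 0; i + nlen <= len; i++) {
        size_t j = 0;
        while (j < nlen) {
            char c = read_at(haystack, i + j);   /* i + j < len always holds */
            if (c == '\0')
                return NULL;                     /* haystack ended early */
            if (c != needle[j])
                break;
            j++;
        }
        if (j == nlen)
            return (char *)(haystack + i);
    }
    return NULL;
}

/* Highest index touched by the last bounded_strnstr() call; for any call with
 * limit `len` this is always < len, or at most the NUL that ends the string. */
size_t highest_index_read(void)
{
    return max_index_read;
}
```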

Kerberos
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2. The update addresses the vulnerabilities in CVE-2007-5901, CVE-2007-5971, CVE-2008-0062, and CVE-2008-0063. Apple says “Multiple memory corruption issues exist in MIT Kerberos 5, which may lead to an unexpected application termination or arbitrary code execution with system privileges. CVE-2008-0063 does not affect systems running Mac OS X v10.5 or later. CVE-2007-5901 does not affect systems prior to Mac OS X v10.4.”

System Configuration
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0998. Apple says “The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program.”

Help Viewer
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0060. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Apple says “A malicious help:topic_list URL may insert arbitrary HTML or JavaScript into the generated topic list page, which may redirect to a Help Viewer help:runscript link that runs AppleScript.” Apple credits Brian Mastenbrook for reporting this vulnerability.

CUPS
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-0596. Apple says “by sending a large number of requests to add and remove shared printers, an attacker may be able to cause a denial of service. This issue can not result in arbitrary code execution. This update addresses the issue through improved memory management. This issue does not affect systems prior to Mac OS X v10.5.”

AFP Server–Cross-realm authentication
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a cross-realm authentication vulnerability in CVE-2008-0045. Apple says: “An implementation issue exists in AFP Server’s check of Kerberos principal realm names. This may allow unauthorized connections to the server, when cross-realm authentication with AFP Server is used. This update addresses the issue through improved checks of Kerberos principal realm names. This issue does not affect systems running Mac OS X v10.5 or later.” Apple also says that this issue has been addressed within Mac OS X v10.5 or later. Apple credits Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm, Sweden for reporting this issue.

CFNetwork
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2 and addresses the HTTPS proxy error handling vulnerability in CVE-2008-0050. Apple says “a malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error. A malicious proxy server could use this to spoof secure websites. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data. This issue is already addressed in systems running Mac OS X v10.5.2.”

Foundation–3
This patch affects users of Mac OS X v10.4.11, Mac OS X v10.5.2 and addresses the NSFileManager API vulnerability in CVE-2008-0056. Apple says “a long pathname with an unexpected structure can expose a stack buffer overflow vulnerability in NSFileManager. Presenting a specially crafted path to a program using NSFileManager could lead to the execution of arbitrary code. This update addresses the issue by ensuring a properly sized destination buffer. This issue does not affect systems running Mac OS X v10.5 or later.”

AFP Client–afp:// URL
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses an afp:// URL vulnerability in CVE-2007-4680. According to Apple, “multiple stack buffer overflow issues exist in AFP Client’s handling of afp:// URLs. By enticing a user to connect to a malicious AFP Server, an attacker may cause an unexpected application termination or arbitrary code execution.”

Foundation–1
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses an NSSelectorFromString API vulnerability in CVE-2008-0054. Apple says “an input validation issue exists in the NSSelectorFromString API. Passing it a malformed selector name may result in the return of an unexpected selector, which could lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation on the selector name. This issue does not affect systems running Mac OS X v10.5 or later.”

Foundation–2
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11. The update addresses the NSFileManager vulnerability in CVE-2008-0055. Apple says “when performing a recursive file copying operation, NSFileManager creates directories as world-writable, and only later restricts the permissions. This creates a race condition during which a local user can manipulate the directory and interfere in subsequent operations. This may lead to a privilege escalation to that of the application using the API. This update addresses the issue by creating directories with restrictive permissions. This issue does not affect systems running Mac OS X v10.5 or later.”
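An added example in C (not Apple’s Foundation code) of the two directory-creation patterns Apple contrasts: creating world-writable and tightening afterwards, which leaves a window, beside creating with restrictive permissions from the start and verifying the result. It assumes /tmp is writable and clears umask so the loose creation really is world-writable.

```c
#include <sys/stat.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed example, not Foundation code. The pattern Apple describes for
 * CVE-2008-0055: create the directory with loose permissions and tighten them
 * later. Between mkdir() and chmod() another local user can already enter
 * the directory and interfere with what happens next. */
static int create_then_restrict(const char *path, mode_t *observed)
{
    struct stat st;
    if (mkdir(path, 0777) != 0)
        return -1;
    /* --- race window: the directory is visible with these bits --- */
    if (stat(path, &st) != 0)
        return -1;
    *observed = st.st_mode & 0777;
    return chmod(path, 0700);
}

/* The fixed pattern: ask for restrictive permissions in the mkdir() call
 * itself, then verify we got a real directory owned by us (not a symlink
 * someone planted), with no group or other bits set. */
static int create_private(const char *path, mode_t *observed)
{
    struct stat st;
    if (mkdir(path, 0700) != 0)
        return -1;
    if (lstat(path, &st) != 0)
        return -1;
    *observed = st.st_mode & 0777;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid() || (st.st_mode & 077) != 0)
        return -1;
    return 0;
}

/* Run one pattern inside a fresh temporary directory and return the mode
 * bits observed right after mkdir(), or -1 on error. umask is cleared so the
 * world-writable creation actually happens, and restored afterwards. */
static int observe_mode(int (*create)(const char *, mode_t *))
{
    char base[] = "/tmp/nsfm-race-XXXXXX";   /* constructed scratch location */
    char path[64];
    mode_t observed = 0;
    int rc;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/copy", base);
    mode_t old = umask(0);
    rc = create(path, &observed);
    umask(old);
    rmdir(path);
    rmdir(base);
    return rc == 0 ? (int)observed : -1;
}

/* 0777 during the window with the vulnerable pattern, 0700 with the fix. */
int mode_with_vulnerable_pattern(void) { return observe_mode(create_then_restrict); }
int mode_with_fixed_pattern(void)      { return observe_mode(create_private); }
```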

ClamAV–1
This patch affects users of Mac OS X Server v10.5.2. The update addresses vulnerabilities in CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, and CVE-2008-0728. Apple says “multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1.”

To get the update, go to the Software Update pane in System Preferences, or Apple’s Software Downloads Web site. The update “is recommended for all users and improves the security of Mac OS X,” according to the Apple Downloads page.

PHP
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2. The update addresses vulnerabilities in CVE-2007-3378 and CVE-2007-3799. Apple says “PHP is updated to version 4.4.8 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.”

curl
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11 and addresses a vulnerability in CVE-2005-4077. Apple says “A one byte buffer overflow exists in curl 7.13.1. By enticing a user to run curl with a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by updating curl to version 7.16.3. Crash Reporter was updated to match the curl changes. This issue does not affect systems running Mac OS X v10.5 or later.”

AppKit–network printer
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-0997. Apple says “by enticing a user to query a network printer, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of PPD files. This issue does not affect systems running Mac OS X v10.5 or later.”

notifyd
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11 and addresses a vulnerability in CVE-2008-0990. Apple says “notifyd accepts Mach port death notifications without verifying that they come from the kernel. If a local user sends fake Mach port death notifications to notifyd, applications that use the notify(3) API to register for notifications may never receive the notifications. This update addresses the issue by only accepting Mach port death notifications from the kernel. This issue does not affect systems running Mac OS X v10.5 or later.”

Known as APPLE-SA-2008-03-18 Security Update 2008-002, it contains more than 40 specific fixes for versions of Mac OS X. The most significant updates include Apache, ClamAV, Emacs, OpenSSH, PHP, and X11. There is no trend or theme here. The most serious vulnerabilities could lead to someone gaining remote access to a user’s computer, while others may simply cause an application or service to crash. Other components mentioned in this update include AppKit, Core Foundation, Core Services, curl, CUPS, Help Viewer, ImageRaw, mDNSResponder, Podcast Producer, Preview, Printing and System Configuration.

X11
This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and addresses the vulnerabilities in CVE-2007-4568 and CVE-2007-4990. Apple says “multiple vulnerabilities exist in X11 X Font Server (XFS) 1.0.4, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5.”

file
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a vulnerability in CVE-2008-1004. Apple says “an integer overflow vulnerability exists in the file command line tool, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later.” Apple credits Colin Percival of FreeBSD for reporting this issue.

Printing
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0996. Apple says “An information disclosure issue exists in the handling of authenticated print queues. When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5.”

UDF
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0999. Apple says “A null pointer dereference issue exists in the handling of Universal Disc Format (UDF) file systems. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown. This update addresses the issue through improved validation of UDF file systems. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits Paul Wagland of Redwood Software and Wayne Linder of Iomega for reporting this vulnerability.

Wiki Server
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2 and addresses the vulnerability in CVE-2008-1000. Apple says “A path traversal issue exists in the Mac OS X v10.5 Server Wiki Server. Attackers with access to edit wiki content may upload files that leverage this issue to place content wherever the wiki server can write, which may lead to arbitrary code execution with the privileges of the wiki server. This update addresses the issue through improved file name handling. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits Rodrigo Carvalho, from the Core Security Consulting Services (CSC) team of CORE Security Technologies, for reporting this vulnerability.
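An added example in C (not Apple’s Wiki Server code) of the kind of file name handling that closes a path traversal like this one: an uploaded name is accepted only when it is a single plain path component, so the resulting path cannot leave the upload directory. The dotfile rule and the upload directory path are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apple's code. Apple says the fix was "improved file name
 * handling"; this is the shape of such a check. A name passes only if it is a
 * single, non-hidden path component, so joining it onto the upload directory
 * can never produce a path outside that directory. */
bool upload_name_is_safe(const char *name)
{
    size_t n = strlen(name);

    if (n == 0 || n > 255)                  /* 255: typical NAME_MAX */
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    if (name[0] == '.')                     /* policy assumption: no dotfiles */
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f)
            return false;                   /* separators, control characters */
    }
    return true;
}

/* Join `upload_dir` and `name` into `out`. Returns 0 on success, -1 if the
 * name is rejected or the result does not fit. A real server would then open
 * the result with O_CREAT|O_EXCL|O_NOFOLLOW, which is not shown here. */
int build_upload_path(const char *upload_dir, const char *name,
                      char *out, size_t outlen)
{
    if (!upload_name_is_safe(name))
        return -1;
    int w = snprintf(out, outlen, "%s/%s", upload_dir, name);
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    return 0;
}

/* Scratch buffer so a stand-alone caller can inspect the joined path. */
char upload_path_buf[4096];
```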

CoreServices
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses the vulnerability in CVE-2008-0052. Apple says: “Files with names ending in ‘.ief’ can be automatically opened in AppleWorks if Safari’s ‘Open “Safe” files’ preference is enabled. This is not the intended behavior and could lead to security policy violations. This update addresses the issue by removing ‘.ief’ from the list of safe file types. This issue only affects systems prior to Mac OS X v10.5 with AppleWorks installed.”

AppKit–NSApplication
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses a NSApplication vulnerability in CVE-2008-0049. Apple says “By sending maliciously crafted messages to privileged applications in the same bootstrap namespace, a local user may cause arbitrary code execution with the privileges of the target application. This update addresses the issue by removing the mach port in question and using another method to synchronize. This issue does not affect systems running Mac OS X v10.5 or later.”

Foundation–4
This patch affects users of Mac OS X v10.4.11 and Mac OS X v10.5.2. The update addresses a vulnerability in CVE-2008-0058. Apple says “a thread race condition exists in NSURLConnection’s cache management, which can cause a deallocated object to receive messages. Triggering this issue may lead to a denial of service, or arbitrary code execution with the privileges of Safari or another program using NSURLConnection.” Apple credits Daniel Jalkut of Red Sweater Software for reporting this vulnerability.

X11
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, and Mac OS X Server v10.5.2 and addresses the vulnerabilities in CVE-2007-5958, CVE-2008-0006, CVE-2007-6427, CVE-2007-6428, and CVE-2007-6429. Apple says “Numerous vulnerabilities in the X11 server allow execution of arbitrary code with the privileges of the user running the X11 server if the attacker can authenticate to the X11 server. This is a security vulnerability only if the X11 server is configured to not require authentication, which Apple does not recommend.”

Apache–2
This patch only affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2 and addresses various Apache 2.2.6 vulnerabilities in CVE-2007-5000, CVE-2007-6203, CVE-2007-6388, CVE-2007-6421, and CVE-2008-0005. Apple says “Apache is updated to version 2.2.8 to address several vulnerabilities, the most serious of which may lead to cross-site scripting.”

Preview
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2 and addresses the vulnerability in CVE-2008-0994. Apple says “when Preview saves a PDF file with encryption, it uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4.”

AppKit–NSDocument API
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11. The update addresses an NSDocument API vulnerability in CVE-2008-0048. Apple says “A stack buffer overflow exists in the NSDocument API’s handling of file names. On most file systems, this issue is not exploitable. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later.”

ClamAV–2
This patch affects users of Mac OS X Server v10.4.11. The update addresses vulnerabilities in CVE-2006-6481, CVE-2007-1745, CVE-2007-1997, CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-0897, CVE-2007-0898, CVE-2008-0318, and CVE-2008-0728. Apple says “multiple vulnerabilities exist in ClamAV 0.88.5 provided with Mac OS X Server v10.4.11, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1.”

Podcast Producer
This patch affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses the vulnerability in CVE-2008-0993. Apple says “the Podcast Capture application provides passwords to a subtask through the arguments, potentially exposing the passwords to other local users. This update corrects the issue by providing passwords to the subtask through a pipe. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits Maximilian Reiss of the Chair for Applied Software Engineering, TUM, for reporting this issue.

X11
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2 and addresses the vulnerabilities in CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, and CVE-2007-5269. Apple says “The PNG reference library (libpng) is updated to version 1.2.24 to address several vulnerabilities, the most serious of which may lead to a remote denial of service or arbitrary code execution.”

Apache–1
This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2. The update addresses Apache 1.3.33 and 1.3.39 vulnerabilities in CVE-2005-3352, CVE-2006-3747, CVE-2007-3847, CVE-2007-5000, and CVE-2007-6388. Apple says “Apache is updated to version 1.3.41 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the Apache web site at http://httpd.apache.org. For Mac OS X v10.5, Apache version 1.3.x is only shipped on Server configurations. mod_ssl is also updated from version 2.8.24 to 2.8.31 to match the upgraded Apache; no security fixes are included in the update.”

Apple on Tuesday released its second security update of the year–and it’s a big one.

CUPS
This patch only affects users of Mac OS X v10.5.2, Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0047. According to Apple, “a heap buffer overflow exists in the CUPS interface’s processing of search expressions. If printer sharing is enabled, a remote attacker may be able to cause an unexpected application termination or arbitrary code execution with system privileges. If printer sharing is not enabled, a local user may be able to gain system privileges. This update addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.5.” Apple credits regenrecht, working with the VeriSign iDefense VCP, for reporting this vulnerability.

pax archive utility
This patch affects users of Mac OS X v10.5.2 and Mac OS X Server v10.5.2. The update addresses a vulnerability in CVE-2008-0992. Apple says “the pax command line tool does not check a length in its input before using it as an array index, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking the index. This issue does not affect systems prior to Mac OS X v10.5.”
