I guess the iPhone 3.0 update and Safari 4.0.1 weren't enough for Apple. Along with the just released update to Safari, Apple has just tossed in one more Software Update:

Bluetooth Firmware Update
"This update provides bug fixes and better compatibility with the Apple Wireless Mighty Mouse and Apple Wireless Keyboard. It installs on all Macintosh systems with Bluetooth based on the Broadcom chipset."

This update is only applicable to certain hardware configurations (as noted above), so if you don't see it, you don't need it. After running, the Bluetooth Firmware update will provide you with an installation screen and require a reboot when it's done.

I wonder if Apple will throw us any other new surprises today.

It's been a long wait. Fire up Software Update and you should see Java for Mac OS X 10.5 (or 10.4) update 4. This update closes a vulnerability first discussed in August of last year; it was patched by Sun and most other JVM developers months ago.

Apple's sluggishness on fixing this security issue could have allowed attackers to run arbitrary applications or processes on your machine if you visited a webpage hosting a malicious Java applet. The vulnerability was pointed out in graphic fashion by security researcher Landon Fuller.

Fuller took the exploit code that was circulating in the wild and built a proof of concept page that would run an innocuous program (the command-line 'say' utility) from a rigged Java applet; after the ensuing publicity, less than a month later, we have a patch.

Once you've updated, if you took the precaution of disabling Java in your browser settings, you can feel free to go ahead and turn it back on... although, if you haven't missed it, no need to change anything.

Thanks to everyone who sent this in.

[via Glenn Fleishman / TidBITS]

You know, it's fine to make the argument that "Macs are safer than Windows-based PCs," because in real-world usage, this is generally true. Nothing does more to undermine that argument, however, like a five-month old unpatched Java vulnerability.

As Landon Fuller has pointed out, a potentially nasty Java exploit remains unpatched in Mac OS X, including last week's OS X 10.5.7 update. Essentially, this exploit can allow malicious code to run outside of the confines of Java, and run arbitrary commands with whatever user permissions the logged in user has. So just by visiting a website, you could be allowing malicious software access to running commands on your system. Not cool. Not cool at all.

Although the exploit was initially discovered and filed back in August of 2008, Sun issued its own fix addressing the exploit back in December.

So, five months, two point OS updates, one Java update in February and stil, Apple hasn't patched the exploit on their end.

Can I just say, "WTF?" I mean, seriously, get on the ball Apple. You only have $20 billion in cash, maybe investing in a bunch of full-time security patchers for your operating system would be a worthwhile investment!

Julien Tinnes has some excellent commentary on the exploit here. As Landon says on his blog, all users are advised to disable Java applets in their browsers and disable "open safe files after downloading" in Safari. You should also consider using a SSB (site-specific browser) for any Java-crucial web work (see below).

Of course, being forced to disable Java applets just so one can ensure safety kind of puts Mac users who, I don't know, use a web-based SSL VPN client to connect to work systems or e-mail in a bind.

And, let the flogging from the Apple-haters commence.

Thanks Vivek!

Postscript: Brian Mastenbrook, who discovered the Safari RSS vulnerability has posted a blog entry detailing how he discovered the problem, why he issued a warning and how long it ultimately took Apple to respond (6 months!). It's good reading and a good discourse on how our favorite company handles security threats and how they might want to improve.

XMind -- a powerful, Java-based mind mapping and charting application -- has been open-sourced (it's free!) with version 3.0. While it's not my absolute top pick for mind mapping, it ranks up there. I did have a license for the paid version, and I can tell you that it packs plenty of punch. It has all of the extra features I like: boundaries, relationships, summaries, notes, markers, outline view, floating topics and more, as well as intuitive keyboard navigation for rapid-fire brainstorming.

One of my favorite features was the drilldown; pressing F6 focuses in on the current topic, displaying only it and its descendants. Shift-F6 takes you back up. It's similar to MindManager's "Focus" feature, but faster (and more limited in scope). And for those who want (or need) to, just set all of the shapes to underline, turn on multiple branch colors and tapered lines and presto, you've got an honest-to-goodness Tony Buzan-style mind map ... or as close as you'll get without buying Buzan's software (which, despite it being relatively expensive and lacking in system integration, I am regularly tempted to do) or breaking out the colored pencils.

You can also create Org and Fishbone Charts with XMind. It imports FreeMind and MindManager maps as well as Marker Packages, and can export to HTML, image, Marker Package or Text. The HTML export is ... okay. FreeMind actually creates more useful HTML pages, but it works. Overall, it's great stuff, and it's exciting to see it open sourced.

So, how did software that once cost $299 end up being free? It appears to be a change in the business plan, with a subscription model for "XMind Pro" replacing retail sales. I'm a little sketchy on the details, but the Pro version seems to include online collaboration for XMind users, Gantt charts and a Presentation mode (among other features), with a range of subscription prices: $6USD for 1 user/1 month, $400USD for 10 users/1 year, and everything in the middle. It's not necessary to have a subscription, however, to use XMind. Just download a copy (or even the source code) and let the brainstorming begin. Oh, and tell your PC friends, too; like many Java apps, XMind also comes in Windows and Linux flavors.

Man, for all of the great games on the iPhone already (I've been really enjoying Lexitron lately), what we really need is a good old-fashioned, both complex and charming RPG. Arcade games are fun and all, and they just keep getting better, but what the iPhone really needs is a sink-your-teeth-in fantasy world, complete with dragons to slay, swords and magic to wield, and XP to earn.

Perilar might just be that. It's based on the old Ultima-style turn-based RPGs, and the tiled graphics aren't much to look at these days, but it sounds like good (Net)hacking, slashing, and exploring fun. We're still not talking about the peak of the iPhone's potential as an RPG machine, but Perilar looks like a good first step.

And the best part is that there's a Java version out right now, so you can try before you smack down the $4.99 price. I'm definitely planning on picking it up. Until we get a great original, and solidly addictive fantasy RPG on the iPhone, Perilar seems like it'll help scratch that itch.

[via Touch Arcade]

Apple has just released Java Update 2 for Mac OS X. According to Apple, this update "delivers improved reliability and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2 on Mac OS X 10.5.4 and later."

You can find more information about this update by visiting the release notes. You can download this 136.4MB update by opening Software Update (Apple menu > Software Update) or by downloading the installer package from Apple's support website.

Sun Microsystems is known for many things, but it is probably best known for Java. The promise of Java is that programmers can write an application once and run it on any machine, or device, that has a Java Virtual Machine (a virtual environment that runs on a computer which includes the Java runtime, so that the Java code can run).

That's the promise of Java, sadly, the reality isn't always the same. Java Virtual Machines on different platforms often require special code (which kind of defeats the purpose) and most damning of all (especially on the Mac) is that Java has its own library of UI elements. Unless a Java programmer goes out of their way to make sure their app looks like a native app, it often has an unmistakable 'Java look' to it.

Sun now wants you to have all that Java fun on the iPhone. Shortly after the launch of the iPhone SDK, Sun started looking into the possibility of making a Java VM for the iPhone. After some investigating, they are sure that Java ME (that's the version of Java optimized for mobile devices) on the iPhone is possible and Sun wants to bring it to you. I'm sure there are many Java developers out there are very happy to hear this news.

Thanks, TJ.

At 15¢ per gig, Amazon S3 (Simple Storage Solution) is rapidly becoming an online storage standard, with companies like 37Signals and SmugMug storing information adding up to terabytes. On a slightly smaller scale, I transfer a few gigs on S3 every month, both to and from my Mac and server-to-server, and my bill is usually under $10. I'm always on the lookout for new ways to take advantage of this inexpensive yet massive storage system.

Several Mac applications have already added S3 support, including Transmit, Interarchy and Forklift. That's a cool step for such applications because it integrates your various file transferring tools (FTP, SFTP, S3, etc.) into one app, which I would love... if it worked reliably. But the only application I've consistently had luck with – as in not constantly crashing – is JungleDisk, which uses a webDAV system for filestorage that allows an S3 bucket (a subsection, or folder, in your S3 account) to be mounted as a local filesystem, but makes the filesystem on the web inaccessible to other programs. And you can't make files public outside of your local network. I've generally resorted to S3Fox - a very capable Firefox addon - and a command-line ruby script called s3sync.

However, I also discovered the JetS3t Java toolkit today. In addition to the toolkit, the JetS3t download also includes an application suite. Of primary interest to me was the Cockpit application, which provides an S3 browser with upload and download capabilities, as well as ACL control. There are also apps for setting up gateways and providing a secure, distributable client.

I'd like to begin by saying that I loathe Java applications on a Mac, not least because they're ugly. But Cockpit is one of the fastest S3 browsers I've ever used. Looking past the fact that you have to launch it from the command line (yes, you can fix that), it has no integration with other Mac apps, and its underwhelming aesthetics, I have to admit that it really does get the job done. It even has little extras, like the ability to generate Torrent URLs or a temporary URL that which allows people to download a file for a specified period of time. It probably won't replace my current tools, but it was worth a trip to the dark (Java) side. I hope it inspires some Cocoa browsers that are faster, more flexible and more stable than what we've got.

What's next for the iPhone? TUAW hasn't a clue, but we've got ideas. Kooky ideas, like Chris Pirillo buys an iPhone, loves it, and rants about his errant ways and logical fallacies. We've got some pretty obvious ideas too, like someday iPhone will probably support Java-- maybe. More likely than the Pirillo scenario anyway.

But if any of these or 22 other things come to pass, TUAW has you covered. We've created the iPhone "What's Next" bingo card for your long-term bingo playing needs. It may take years before Flash is on the iPhone, or the Pope gets one, but when they do you'll be ready with a penny or something to mark it down. Enjoy!

thanks to David Chartier and Dave Caolo for your help!

The Beeb is reporting that hundreds of episodes of "programmes" will be released for download via the Zudeo service, based on P2P client Azureus. The videos will be available in HD and will be DRM'ed, exact rights and pricing to be announced. This is certainly big news for fans of Brit TV who don't have... you know... cable.

Seriously, though, HD via P2P is a big deal, especially from such an august content horde as the BBC. The presence of a Mac client (Azureus is Java-based) is also good news, although it remains to be seen if the actual videos will play for us. Will P2P challenge the video dominance of the iTunes Music Store?

[via Digg]

For your downloading pleasure, Apple presents Security Update 2006-008 (PPC and UB). Both weigh in at under 2MB and require Mac OS X 10.4.8 (client or server). You can grab this patch from Apple's downloads page or from Software Update.

According to Apple, this patch "improves the security of Quartz Composer and QuickTime for Java." Specifically, it patches a vulnerability that may lead to "information disclosure" when visiting a malicious website (aka phishing site). Complete details on the flaw can be found in Apple's Kbase.

Mike and I were curious about why there's both a PPC and a UB version. Seems redundant since UB means it works on both PPC and Intel. Turns out it's not truly "universal." As Mike noticed first, the System Requirements state that it's Universal for 10.4.8 Server, but 10.48 Client is Intel-only. Hence the standalone PPC-only download (which can be used on client or server.) Would still be nice to streamline this a bit more.

Faithful guinea pigs, please report your experience with this update below!

NeoOffice, everyone's favorite implementation of OpenOffice in java, has released a v.2 beta of their suite with a new and improved Aqua-friendly interface. This new version is based on a recent version of OpenOffice (2.0.3), which includes apps for word processing, databases, spreadsheets, drawing and presenting. NeoOffice, however, offers advantages over running OpenOffice on Mac OS X because it doesn't need the X11 Unix environment to run. Moreover, NeoOffice can integrate with the Finder and Mail, which was probably one of the winning attributes that warranted the 'Aqua' addition to the name.

The Early Access Program is, in my opinion, a really cool and clever way to bring in some money for the project's hard work (after all, this entire project is made up of volunteers, and somebody's gotta pay the bills). From now until the 14th of August, users can download a copy of 2.0 Aqua for a mere $25. From August 15th through 29th, the price drops to $10. After that, it goes back to free like it's always been. NeoOffice is also selling Early Access subscriptions for $60, which will offer (what else) early access privileges throughout the course of NeoOffice 2.x releases.

I personally haven't tried a copy yet (I already - unfortunately - sunk money into Office 2004), but I'm willing to bet with some of the java benchmarks we've seen on Intel Macs, this suite will run pretty well if you have Intel inside. This sounds like a good a case as any to grab a copy early and help support a great project.

[via MacNN]

Hot on the heels of Firefox releasing a 1.5.0.3 security update, Camino has been bumped to 1.0.1 with mostly security and bug fixes which include:

• Fixed several critical security issues, including those fixed in version 1.8.0.3 of the Mozilla Gecko rendering engine.
• Upgraded the bundled Java Embedding Plugin (http://javaplugin.sf.net) to version 0.9.5 d
• Improved ad-blocking, especially of German ads
• Enabled the opening of local SVG files
• Fixed an issue where Camino on Intel-based Macs was unable to read Keychain entries stored by Camino on PowerPC-based Macs

As always, you can snag a copy from CaminoBrowser.org.

Available in a Software Update near you (if you're using Tiger) is Java 2 Standard Edition (J2SE) 5.0 Release 4, which "improves reliability and addresses issues found in earlier releases of J2SE 5.0 for Mac OS X." This update also brings compatibility with Sun's Java 2 Platform Standard Edition, version 5.0 (1.5.0_06).

See this Apple Support document for more information.

[via Macsimum News]