TV-PG | May 24, 2004: Turns out that Security Update doesn't fix everything after all. Meanwhile, Apple tries to unload its low-end G5s on registered developers, and a puma gets shot and killed in Steve Jobs's neighborhood-- that can't be a good sign...
Big Gaping Hole Take 2 (& 3) (5/24/04)

Why so glum, chum? 'Cause that look of dejection sails far beyond the city limits of Monday Bluesville and nestles somewhere east of the Thursday Dumps. We're going to hazard a guess and assume that this has something to do with the Help Viewer security hole-- specifically, the fact that Apple patched it Friday night. You installed the update and verified that Help Viewer no longer launches local scripts when pages containing demo exploits are loaded, so you figure that Apple has indeed plugged what is arguably Mac OS X's first ever Gaping Chasm o' Vulnerability-- and its departure has, understandably, left some viewers like yourself feeling vaguely regretful and empty.

While literally no one reported any damage resulting from the flaw and its negative impact on the world at large paled in comparison to even the mildest Windows worm, for a brief, shining moment, we Mac users stood shoulder to shoulder with the Wintel crowd as we contended with a security flaw of practically Microsoftian proportions... and now that moment has seemingly passed. Of course you're grieving a little. Well, cheer up, Bucko; we aren't out of the woods yet. Unsanity, the maker of the freeware Paranoid Android software that was written to protect against the Help Viewer exploit, has posted a white paper explaining that clever malware authors can avoid using the "help:" protocol entirely by registering their own custom protocols. There's a linked demo exploit which still managed to write a file into our home directory even after we'd applied the Security Update and unchecked "open 'safe' files after downloading." So Apple's got a little more work to do, apparently.

Or possibly even a lot-- because meanwhile, faithful viewer Larry Vinson points out another glaring vulnerability in Mac OS X described over at Daring Fireball-- and Security Update 2004-05-24 reportedly does nothing to fix it, either. Buckle up for another URI-related vulnerability, just like the "help:" one, although with rather less potential for creative evil. This time the problem rests with the "telnet:" scheme, which, by default, is mapped to Mac OS X's Terminal application. It turns out that Mac OS X will pass along anything after the standard two slashes as a command line argument to the UNIX "telnet" command, which sounds relatively harmless until you hear that one possible argument is the "-n" flag, which specifies that telnet should log all activity for the session into the filename specified. That wouldn't be a problem, except that if a file with the same name already exists in the given location, telnet will overwrite said file with its log. Without even saying "please." Which is, we're sure you'll agree, pretty rude.

The upshot is that anyone can slap together a web page that automatically launches Terminal and overwrites data that happens to sit in a known location. Sure, it won't nuke any files for which the current user lacks write permissions, so it's unlikely that this hole could be exploited in such a way as to hose your entire Mac OS X system, and we didn't have much luck specifying filenames with spaces in them (though we were probably just doing it wrong)-- but we were able to create a web page that completely annihilated all of our Stickies. Before visiting the page, we had a rainbow of about thirty happy little notes, crammed full of random info-snippets like driving directions, bank transaction numbers, and a recipe for pie crust so flaky you'd think it believed in astrology; after visiting the page, we relaunched Stickies and found ourselves staring into a single lonely yellow rectangle with a cursor blinking forlornly within. Yikes. Just yikes.
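The root cause here is a scheme handler that forwards whatever follows "telnet://" to a command line. As an added example (not code from the original page, from Apple, or from the telnet project), here is a hardened handler that parses the URI as host[:port] and refuses anything else, next to a naive version modelled on the behaviour described above; function names are hypothetical and nothing below launches a process.

```python
"""Added example: validating a telnet: URI before it reaches argv.
naive_telnet_argv models the flaw described on the page (assumption:
the trailing text is split on whitespace); hardened_telnet_argv is the
fix a handler needs.  Neither function executes anything."""
import re
from urllib.parse import urlsplit

# Hostnames and dotted IPv4 only; IPv6 literals are rejected for brevity.
_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def naive_telnet_argv(url):
    """Vulnerable dispatch: strip the scheme and two slashes, hand the rest
    to telnet as arguments.  Option-looking text such as -n rides through."""
    rest = url.split("//", 1)[1] if "//" in url else ""
    return ["telnet"] + rest.split()


def hardened_telnet_argv(url):
    """Return ["telnet", host] or ["telnet", host, port] for a well-formed
    telnet URI; raise ValueError for anything else."""
    parts = urlsplit(url)          # scheme is lower-cased by urlsplit
    if parts.scheme != "telnet":
        raise ValueError("not a telnet URI")
    # Only an authority may be present: path, query and fragment could
    # otherwise smuggle arbitrary text toward the command line.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("telnet URI may only carry host[:port]")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not accepted")
    host = parts.hostname or ""
    # A leading dash is exactly what turns a "host" into a flag like -n;
    # the regex already forbids it, but the intent is worth spelling out.
    if host.startswith("-") or not _HOST_RE.match(host):
        raise ValueError("invalid host")
    try:
        port = parts.port          # ValueError if non-numeric or out of range
    except ValueError as exc:
        raise ValueError("invalid port") from exc
    argv = ["telnet", host]
    if port is not None:
        argv.append(str(port))
    return argv


def is_rejected(url):
    """True when hardened_telnet_argv refuses the URI."""
    try:
        hardened_telnet_argv(url)
    except ValueError:
        return True
    return False
```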

No, it's not quite as sexy as the Help Viewer exploit, which could execute arbitrary chunks of code and theoretically even be used to spread a self-propagating worm, but any security hole that allows a web page to wipe quantities of data from your hard drive still qualifies as pretty effin' nasty in our book. So as we all sit around waiting for the next Security Update, we definitely recommend that you at least disable the telnet: URI protocol until Apple issues a real fix. There are plenty of ways to go about it; we used the freeware More Internet preference pane (which everyone should have installed-- it's Internet Config for Mac OS X, dontchaknow) to map telnet: to Image Capture instead of Terminal. After all, when was the last time you came across a legitimate telnet: link, anyway?

Of course, that doesn't fix the "arbitrary custom protocol" problem illustrated in Unsanity's white paper, so maybe the best course of action is to install Paranoid Android. We haven't had a chance to put it through its paces yet, but given that its author was able to blow through Apple's Security Update like so much wet Kleenex, we have to assume he knows what he's doing. Meanwhile, smile! We're still dealing with security issues of arguably Wintellian proportions; it's almost like we're using what the IT guys refer to as "real computers"! Can newfound respect for our chosen platform be far behind?

T-Minus 35 Days & Counting (5/24/04)

Official reminder time, folks: it's now just five weeks until Apple's Worldwide Developers Conference, which means this is officially the beginning of the standard pre-show speculation season. As you are all no doubt aware, weeks T-minus-5 through T-minus-3 are designated a "Low Intensity Guesstimation Period," so don't sprain a lobe or anything; this is just the warmup to the heavy lifting later. Don't go too light, either, though, or you won't be prepared; we all know that Fearless Leader will be previewing Tiger for the first time, for example, so that's not even an issue. But you might want to spend the next few weeks considering that the smart money says Steve will trot out those long-awaited faster Power Macs during his dog-and-pony show.

Okay, sure, the rumor mill's been predicting imminent G5 speed bumps since late last year, but honestly, can you imagine Apple holding off any longer than the last few days of June? Seriously, if Steve tries to walk off that stage without introducing faster G5s, it's going to take more than a Reality Distortion Field to keep the crowd from acting with swift and blinding violence. And just in case you still need some factual evidence to back up the whole "G5s at WWDC" thing, consider what faithful viewer Cellar Door passed along to us: a link to the Apple Developer Connection Hardware Purchase Program, which is currently pushing low-end G5s like they're going out of style. Or, more to the point, will be.

Yes, if you're an ADC Select or Premier member and you live in the U.S. (the email also says "Europe"), you can buy a 1.6 GHz Power Mac G5 for just $1299-- that's $500 off retail, or almost 28%. Now, we're actually not at all sure how much cheaper, if any, that is from the normal developer price, but Apple is clearly trying to shovel these things out the door: the company makes a point of specifying that qualifying developers "can purchase up to five (5) Power Mac G5 1.6 GHz systems through the ADC Hardware Purchase Program, without affecting annual hardware discount purchase limits." In other words, "please take these stinkin' things off our hands, because when we ship a dual 2.0 GHz unit as its entry-level replacement next month, they'll be worth about as much as a can of pudding with the pull-ring broken off." Meanwhile, the offer ends on June 26th, just two days before the Stevenote; if you're drunk enough on a Monday to think that's just a coincidence, you may possibly have a problem.

Of course, we're just guessing about that whole "dual 2.0 GHz entry-level" thing, but that's what the whole "Low Intensity Guesstimation Period" is all about: a blatant disregard for anything even remotely approaching reason or logic. Still not feeling the vibe? Here, have some fine imported rumor on us: faithful viewer Pat in Tahiti tipped us off to French site Croquer dans la pomme (literally, "the mouse under the chair would like a green pencil"), which is making some pretty specific predictions for just what sort of G5s WWDC will bring us all. For its part, CDLP is predicting PowerPC 975s across the board, with the low end model boasting a single 2.2 GHz processor, the mid-range running two 2.6 GHz chips, and the top of the line chugging away in a full-on dual 3.0 GHz config, thus fulfilling Steve's promise of hitting 3.0 GHz within a year. Of course, there's that ever-present disclaimer "likely to change," but again, we're still in low-intensity mode here, so that's actually good.

So just dive in and start spouting any crazy ol' hoo-haa, folks; the water's fine. But in two weeks' time, prepare to start narrowing things down and applying actual "research," okay?

When Symbolism Gets Ugly (5/24/04)

You know, we aren't the type who usually reads too much into omens and the like, but every once in a while one comes along that's pretty tough to ignore-- a two-headed black calf born under a new moon, the seas frothing with blood beneath a sky blazing with fire, finding a bonus thirteenth shell in an Old El Paso Taco Dinner Kit, that sort of thing. So you can understand if we're a little freaked out by recent events taking place in the general vicinity of Apple headquarters, because if we are talking about omens, here, believe us when we say this isn't likely to be a good one.

See, faithful viewer Sorry Nothistime (warning: there's a slim chance that's a pseudonym) slid us a San Francisco Chronicle article about a mountain lion that met with a sorry fate in Palo Alto, a stone's throw away from Apple's headquarters in Cupertino. Apparently this cougar had wandered down into a "highly populated area" from its home in the foothills, wandered around a bit, got chased up a tree by a labrador, and eventually fell asleep-- which is when local police shot and killed it.

Now, read the signs here, people: the saga began in the wee hours of the morning when a delivery guy first spotted the puma "in the city's most exclusive neighborhood-- Old Palo Alto, which is home to former 49ers great Steve Young and Apple Computer founder Steve Jobs." A big cat skulking around in Steve's neighborhood, mere miles from where Apple worked on Mac OS X releases Puma, Cheetah, Jaguar, Panther, and now Tiger? And just in case you still didn't catch it, the cosmic forces of the universe (which appear to be getting less and less inscrutable with age) saw fit to make sure that the police officer interviewed by the Chronicle was "Palo Alto police Detective Kara Apple." Subtle.

So we've got Detective Apple telling the press that the mountain lion (a big cat, get it?), despite having been asleep in a tree at the time, "was a huge threat" to the local population and needed to be killed-- not merely tranquilized-- before anyone got hurt. That may or may not have been the case (certainly a fair number of local residents seem to be upset by the decision), but when cops named Apple start talking about the necessity of killing a big cat in Steve Jobs's back yard, we can't help but wonder if maybe Mac OS X's future isn't so rosy after all. Does Bob Cringely really know something the rest of us don't?

Whatever. All we know is that we aren't going to feel comfortable until a longhorn steer undergoes some form of misfortune in the general vicinity of Redmond, Washington. Not death, mind you, or even physical pain-- that'd just be a bummer on top of a bummer. Maybe bankruptcy, or identity theft or something. You know, just to even up the omens a bit-- hopefully without anything getting shot this time...


DISCLAIMER: AtAT was not a news site any more than Inside Edition was a "real" news show. We made Dawson's Creek look like 60 Minutes. We engaged in rampant guesswork, wild speculation, and pure fabrication for the entertainment of our viewers. Sure, everything here was "inspired by actual events," but so was Amityville II: The Possession. So lighten up.

Site best viewed with a sense of humor. AtAT is not responsible for lost or stolen articles. Keep hands inside car at all times. The drinking of beverages while watching AtAT is strongly discouraged; AtAT is not responsible for damage, discomfort, or staining caused by spit-takes or "nosers."

Everything you see here that isn't attributed to other parties is copyright ©,1997-2024 J. Miller and may not be reproduced or rebroadcast without his explicit consent (or possibly the express written consent of Major League Baseball, but we doubt it).