If you've been aggravated at your iPhone or iPod touch in the past for its inability to play back WAV voicemail files from home phone services like Vonage or AT&T (synergy foul! yellow card), you may now breathe easier. TJ Luoma was 95% through building a rather elaborate script to convert incoming WAV voicemails to MP3 for iPhone playback (and, while he was at it, add some reverse lookup magic) when he discovered that the 2.0 firmware now includes the ability to play back the particular flavor of WAV file used in these voicemails. Problem solved.

It may not be a headline feature (or even a stealthy but universally acclaimed UI addition) but for those of us who need it, it's going to save a lot of time and trouble.

Thanks to TJ & to Curt for independently sending this one in.

Most desktop messaging clients (Apple's Mail.app and Microsoft's Entourage among them) give users the option to skip loading images when reading rich-formatting emails, which both speeds up the loading/reading process and limits exposure to spammer scavenging, which can leverage embedded images to verify that the evil emails were received by a valid address. The iPhone's version of Mail, however, doesn't give users the option to turn images off, as pointed out by Stefan Seiz. This has been the case all along and hasn't been corrected in 2.0, unfortunately.

While this exposure is less of a problem if you've got good spam filtering in place, it does raise an interesting question: wouldn't an optional images-off mode be ideal if you wanted to speed up your iPhone's mail performance, or (perish the thought!) limit your data usage on a less-than-ideal service plan. Unfortunately I don't think adding features and options to Mail is within the official capacity of third-party devs, so we're going to have to wait for Apple to address this directly.

I'm pretty sure that the SDK license agreement explicitly forbids super-villainous activities, but no silly piece of paper (or PDF) is going to stop Dr. Horrible. The would-be world ruler who can't catch a break (either from his laundromat crush or from arch-nemesis Captain Hammer) is seen using his iPhone to remote-control a van in the debut episode of Dr. Horrible's Sing-Along Blog, the three-part Internet mini musical from Buffy & Firefly creator Joss Whedon. Clearly, the grand cinematic iPhone tradition of Journeyman lives on.

Close examination of Doc H's UI indicates that he's actually using Mobile Safari to steer his van, so perhaps that's how he's remaining on the right side of the EULA -- although that radioactive icon on the left is quite ominous. If you want to see it in action for yourself, check the gallery below, watch Act I for free on drhorrible.com (which is getting Captain Hammered itself right now, so you may have to wait a while) or pick up the episode on iTunes.

Thanks Eric

Blessed are the patient, for they shall pay $9.95 (or $10.79, with sales tax depending on your billing address) and download the iPod touch 2.0 Software Update (store link), and yea they shall wait some 20 to 30 minutes for the 226 MB of new firmware to descend from the high Akamai and bestow App Store access upon them. In point of fact, also blessed are the impatient who remained awake and clicked the "Upgrade" button every five minutes up until 12 am ET, which is about when everything started to get moving.

Downloading it now, gallery below, first impressions to come. We have a warning from reader Paul that his upgrade to 2.0 (on an iPhone first-gen, not a touch) nuked his Address Book data, so be sure to back up before you upgrade your devices. We also have a tip from Cody that Canadian would-be buyers of the 2.0 update and App Store goodies must use a credit card; iTunes gift cards are not working to place the order.

Note that there is a new SLA accompanying this upgrade, as one might expect (PDF here). If you're hungry for more as you wait for your upgrade to download and run, you can browse the list of iPod touch-compatible apps or check out our First Looks so far.

Update: Installed, resynced and bought some apps -- all working as expected except for Mail, which is hanging on start and kicking back to the main screen. Going to try wiping it down and resyncing if I can. A note to the commenters who are suggesting pulling a torrent of the new firmware instead of coughing up the $10... c'mon, are you going to risk your $300 iPod's health on a pirated software update? It's $10. Give up cigarettes or something.

Thanks to everyone who sent this in.

We've gotten word from a score of would-be iPhone developers late today that their long-standing applications to Apple's SDK program have finally been accepted, meaning that they can actually pay their $99 for a signing certificate to allow delivery of their applications to real, plastic-and-batteries iPhones. This comes after recent reports of a 6-month waiting list that might be rapidly whittled down after the App Store launch. We're also told that the SDK is no longer using a beta numbering scheme and may be officially considered as released, although as far as we know the NDA is still in effect.

Considering the attention and mindspace lead that the first wave of iPhone developers has already gotten due to the publicity (not all good) surrounding today's launch, it might be prudent for these 2nd wave devs to carefully assess what wins and loses in the iPhone app marketplace before throwing too much weight behind a single product concept. Nevertheless, we've long supported the idea of a fully open iPhone developer community, and another slew of acceptances is a big step forward on that front. If you applied for developer status, check your email!

Thanks pope13, acidscan & e

Hallo vom aus Deutschland! Since I haven't been able to participate in most of the line-waiting, MobileMe-stalling, activation-collapsing fun yesterday and today, and the 29 pages of lovely iPod touch apps are inaccessible until the touch update drops, I figured the least I could do was post a picture of one lonely iPhone 3G on display in the T-Mobile store in the Innenstadt (central city) of Osnabrück, a medium-sized city in the northwest portion of the country.

The caption reads "Das iPhone, auf das Sie gewartet haben" -- the iPhone you've been waiting for. Despite reports of mob scenes elsewhere, I can report that if you're looking for an iPhone 3G in Osnabrück you can just walk in, lay down your euros and buy it with nobody in a sleeping bag blocking your way register for one when they get back into stock (weak!).

As Robert mentioned earlier today, the launch of MobileMe has been a rockier road than a Baskin-Robbins convention in the same hotel as a Weight Watchers conference. With .Mac services (including webmail, near and dear to my travelin' heart) down most of the day, all we could do was commiserate with the scores of inbound tip emails and eagerly hit the "refresh" button until the circumstances changed.

Looks like we made it, though -- as of 7 pm ET it seems that most Me.com services are up and running from the web side (sync status TBD). Enjoy the cloudy goodness, if you will.... ulp, now it's down again. Y'know, if the idea behind your new service offering is "Exchange for the rest of us," perhaps the first order of business ought to be ensuring some sort of baseline SLA, or an uptime expectation? The last thing Apple needs is the reliability reputation of some other popular communications service...

Update: Per Apple's support status page for .Mac, all the back-end services should be running as of 2 am ET, but the web UI is still not available and there is no ETA. If you're depending on .Mac webmail from the road, may I suggest a POP download into another (free) email service.

Back at the introduction of the iPhone (was it only just over a year ago? How the time flies) we all cast a jaundiced eye at Apple's "develop for the Web" philosophy for extending the platform, while simultaneously wondering if Apple might provide a true SDK for the device of the future; I seem to recall a conversation back on an early talkcast where a couple of people (yours truly included) stated for the record that a Apple SDK was an inevitability, with the only question being exactly when.

Now, on the cusp of the official App Store and 2.0 firmware launch and ensuing flood of iPhone/iPod touch native applications, we owe a moment of acknowledgment to the folks who refused to take "Safari" for an answer when it came to making iPhone applications: the jailbreakers and community toolchain developers.

Not to take anything away from the diligent work of the Mobile Safari application developers -- many of their results, including TUAW fave Hahlo, stand up well against desktop apps -- but it's hard not to feel some degree of astonishment when a few (sometimes fractious) loosely-affiliated bands of hackers, with some help from our friends, start from the barest hints of access to the iPhone's system and create castles floating on air.

Scores of applications (some great, some not-so) including music, games, dictionaries, utilities and not one but two complete or nearly-so ports of the BSD subsystem, complete with sophisticated software deployment capabilities, are currently available for jailbroken iPhones and iPod touch handhelds. This is a notable body of work, and what makes it more surprising is that it's been done over the course of one year, absent any support from the device manufacturer (to say nothing of active discouragement) and with no particular financial incentive to proceed. This is hacking in the original, non-pejorative sense: diving into the innards of the coolest gadget under the sun to figure out how it works and how far you can take it.

As exciting as the App Store is, there's a bit of wistfullness amidst the hype and enthusiasm; we are replacing the grimy, rough-edged and self-sustaining Times Square of iPhone application development with the sanitized, "Disney/Apple" reworking of the original. Knowing that a substantial fraction of the jailbreak app developers are under 18 and cannot legitimately join the authorized development program until they come of age, we can only hope that the energy and enthusiasm they brought to the iPhone will not be lost to another mobile platform.

As Cory just noted, it's the iPhone's first birthday today, and we've got a present for you: the Sunday night talkcast, hosted this week by Christina and featuring our memories and good wishes for the 1-year-old gamechanger, along with our anticipations for the launch of the App Store in two weeks. Also on tap for tonight: our Apple-themed recommendations for celebrating the 4th of July (make your Mac Classic into a barbecue grill!).

You can also catch up on the past few weeks' worth of shows (including our audience-free show last week, where Robert, Cory and I soldiered on while TalkShoe had a hiccup fit) from Talkshoe, play them from the Flash player in the continuation of this post, if you like, or pick them up on iTunes.

Read on for details on how to join in for tonight's call.

OK, you aren't running the latest and greatest version of Microsoft Office for Mac -- does that make you a bad person. No! You deserve updates too, just like the new stuff does. Along with Office 2008 12.1.1 sliding out the door today, Office 2004 11.5.0 is available, and it addresses the following pain points:

• Adds read/write compatibility for Open XML Format (.docx, .xlsx, etc.) files if installed with the Open XML Format Converter
• Better stability and printing/page setup fixes for Word
• Better paste compatibility with Office 2008 for all apps
• Powerpoint fixes for stability with large documents

The full rundown is in the continuation of the post and over at Microsoft's support site. The download weighs in at 59 MB.

Update: We initially failed to note that there is a new version -- apparently the final one -- of the Open XML Format Converter that pairs with 11.5.0 to provide full read/write compatibility with the new formats. It will work in standalone mode if you don't run 11.5, and it includes the new Office 2008/Office 2007 "C" fonts to provide maximum round-trippy goodness.

Thanks, Laurie!

Two of my preferred Mac-friendly cloud services have now made the jump to actually accepting money from subscribers, which is a good thing (really, it is!). TUAW favorite Evernote has moved from private to public beta, and Techsmith video hosting site Screencast.com is now at 1.0 release status. Both services are now offering trial/free plans alongside their premium plans for paid subscribers.

The Screencast.com site is already integrated with the free Jing Project capture tool for Mac and the pro-level (and, at least for the moment, Windows-only) Camtasia Studio app; you can also upload screencasts that you create with almost any tool you like (including ADA multi-winner Screenflow) in a variety of formats for hosting on the service. Selecting which of your screencasts to share and which to password-protect is very easy, and the service automatically sets up RSS and iTunes feeds for the folders you choose to make public.The 60-day trial account includes 200 MB of storage and a 1GB transfer limit; paid plans start at $6.95 a month.

Evernote's private beta grew to include over 125,000 users (ahem), and the new public beta includes an option for a $5/month premium user plan that increases your monthly transfer quota/new note cap from 40 MB to 500 megabytes and gives you SSL for all data, priority access to the text-recognition queues and tier 1 customer support. Plus you get a snazzy t-shirt while supplies last (pink elephants on parade!). The web interface to Evernote has also gotten a facelift, with full drag-and-drop support and an improved clipper feature. Can't say yet if they've fixed the session timeout issue that ate a long note my wife was writing last night, but I surely hope so.

In a conversation a couple of weeks back, Evernote CEO Phil Libin shared some future directions for the product with us as well as a couple of tips from his personal use of Evernote.

First, what many are waiting for will be coming very soon: a native iPhone client for Evernote (shipping shortly after the App Store opens), including one-button publishing to Evernote and location tagging for every item you create from your phone, like a trail of breadcrumbs leading you back to that favorite restaurant or bargain spot. (Phil's tip: whenever he parks his car at the airport, he takes a picture of the parking spot and sends it to Evernote to help jog his jetlagged brain.)

Second, the upcoming platform-wide features for Evernote will soon include more granular controls on publishing and sharing, a revamped Windows client, Evernote for Blackberry, and audio notes. (Phil's tip: he uses Evernote notebooks to share collections of photos or screenshots, like this accidental poetry from CNN rundown.) Later this summer we should expect to see the first public release of the Evernote API, which will permit third-party devs to add features to the service (personally I'd love to have a business card postprocessor tool, which Libin sees as a good 3rd party opportunity).

Other future features are yet to be publicly disclosed, but Libin hinted that the image-processing power of Evernote's servers may be bent to teasing out specific features of photographs. Faces? Product barcodes? Geotagged landscapes? Can't wait to find out. Meanwhile, the free Mac version of Evernote (read Brett's original review here) is downloadable at evernote.com.

Apologies to Dr. Peter Venkman, but it's hard to believe that it's taken this long for a webcam vendor to encroach on the vacuum left by the discontinued iSight, even though we have hints that a new model of the Apple camera might be on the HD horizon. Logitech has now announced the QuickCam Vision Pro for Mac, featuring "premium autofocus technology and Carl Zeiss® optics." No word on whether the camera will feature fine Corinthian leather or Posi-traction, but there's hope.

Seriously, though, the camera does offer a voice coil motor for autofocus, RightLight exposure technology and a 2 megapixel sensor; this should allow for VGA-quality (640x480) videoconferencing and 720p HD (960x720) local video recording. Snazzy! Logitech expects to ship the unit in July for an SRP of $130.

Update: Commenters point out that the product is quite similar to the QuickCam Pro 9000, which isn't billed as Mac-compatible but actually works just fine with Mac OS X 10.4 and 10.5; it's also list-priced $30 cheaper. Hrm.

[via Engadget]

Updates: See the end of the post for current info.

We've been getting quite a bit of email since yesterday's anonymous Slashdot posting of a security problem with ARDAgent on Mac OS X 10.4 and 10.5, and there's plenty of Twittering going on over the issue.

Here's the deal: ARDAgent is the application that responds to Apple Remote Desktop remote administration requests, screen sharing and the like; you can find it in /System/Library/CoreServices/RemoteManagement on 10.5 machines.

In order to go do the voodoo that you do so well when you're administering remote Macs, ARDAgent needs to be 'setuid root' -- it needs to run with the privileges and access that belong to the system administrator, the same way you do temporarily whenever you unlock a system preference or install an application with Apple's installer. This is normal and expected behavior.

What's not so normal and expected is that ARDAgent will execute the 'do shell script' AppleScript command (on behalf of remote admins, normally, who need to run Unix commands from time to time). The problem here is that since ARDAgent is setuid root, any subprocess it launches is running with administrator permissions, and in fact with the right malicious scripting here it would be possible to do a great deal of damage. Granted, in order to activate this vulnerability the attacker would either have to be at the machine, or logged in remotely with the same account that is currently in use... or just convince the user to run a malicious downloaded application. Yikes.

The good news is, there's a very simple workaround (courtesy of the fine folks at Intego -- note that if you actually use VirusBarrier to disable ARD's shell script access as they recommend, and your machine is managed remotely, your administrator may take some umbrage). It turns out that if ARD's remote access features are turned on, via the Sharing pane in System Preferences, you're clear. Even if there aren't any users permitted to administer your machine, the 'do shell script' command that ARDAgent runs is neutered and cannot be exploited in this fashion. Most home and small office Macs wouldn't normally have this turned on, but once you activate it you should be protected. Our basic instructions can be found here. [See update below -- turns out the fix may not protect you fully.]

Stay safe out there!

Update: Thomas Ptacek of Matasano weighs in on this flaw and offers some additional workarounds, but he doesn't seem overly concerned.

Update 2: Commenter (and Mac OS X security pro) Zack Smith, along with Chris Barker, points out that it's possible to kill the ARDAgent process and immediately run the osascript command, which bypasses the protection that running ARDAgent under launchd provides. Under those circumstances an attacker or someone sitting at your machine could still run commands as root, much to your chagrin.

To prevent this, one approach is to change the permissions on the ARDAgent application bundle -- note that this will both break with future system updates or permissions repairs, and may adversely affect administrative access to your machine from legitimate managers:

sudo chmod -R u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app

You can also simply archive and remove ARDAgent.app if you don't plan to be managed by anyone.

Thanks to everyone who sent this in, and thanks to Intego for pointing out the workaround.

We've gotten several reports this morning that sections of the .Mac service, including web galleries, webmail and the www.mac.com page, are offline today. Email to the .Mac domain appears to be flowing but there's no ETA on restoration of the services and no clear picture of exactly what is affected.

This is not entirely a surprising development considering the wholesale migration of .Mac to MobileMe, but it's a little discouraging. Perhaps we should all send "get well soon" iCards... oh, wait, nevermind.

Thanks to everyone who sent this in.

It's the Holy Grail of Mac virtualization: a Mac inside another computer, running happily on a virtual machine and subject to your every whim. Up until last fall, there was no framework in Apple's licensing to allow for Mac OS X virtualization; then the ground shifted and the heavens shook, and there was a way forward. Mac OS X Server is now eligible for virtualization on Apple hardware, so naturally both big Mac virtual machine players are eagerly pushing forward on this front.

Parallels is offering OS X Server virtualization as part of its Parallels Server high-end product, which is currently approaching the end of its beta; the gang at VMware, however, are going the route of integrating OS X Server virtualization into the consumer level Fusion product. VMware has announced that the next beta of Fusion 2 (and the eventual release) will include the option to virtualize Mac OS X Server. This is awesome news for anyone using Fusion now, as the upgrade to 2.0 is free for existing customers.

Of course, virtualizing Mac OS X Server is not an inexpensive proposition, as even a 10-user license of Server clocks in at a cool $499. For developers and corporate folk, however (many who would have access to volume or seeding licenses of Server), it's a great help. Video demo of VMware's new feature announcement after the jump.

Thanks Peter.