Apple security and privacy

Ric Ford

MacInTouch
I'm concerned about potentially serious security problems with Safari 12 right now, based on what I'm seeing:

1) Apple is aggressively pushing updates to Safari 13 – on the systems that can run it, in spite of its major compatibility issues.

2) Apple has aggressively pushed Safari updates and other updates for security problems that it has still not disclosed weeks later, and these updates are not available to older systems. Seems like a bad sign to me.

Meanwhile, both Firefox and Chrome have issued critical security updates, which may or may not be related.

I'd suggest running a current version of Firefox instead of running Safari 12 or earlier at this point, while keeping a sharp eye out for more information about the mysterious security holes Apple is aggressively updating on its newest systems.
 


I'm concerned about potentially serious security problems with Safari 12 right now, based on what I'm seeing:
Any reason why Apple cannot provide a Safari 13 update for macOS Sierra? I'm getting the feeling that I'm going to be forced to upgrade at least to Mojave, which I've been reluctant to do on this non-SSD iMac.
 


Any reason why Apple cannot provide a Safari 13 update for macOS Sierra? I'm getting the feeling that I'm going to be forced to upgrade at least to Mojave, which I've been reluctant to do on this non-SSD iMac.
I suspect you have answered your own question. It is all about the $$$. Being forced to upgrade your non-SSD iMac to Mojave pushes you closer to wanting/needing a new machine. Forced obsolescence is Apple's No. 1 focus these days.
 



Sierra appears to no longer be supported by Apple.
The fact that you had to use the word "appears" is a major reason, but just one of several, why I've stopped recommending Apple devices for pro/business use, unless the business already is an Apple shop.
 



Any reason why Apple cannot provide a Safari 13 update for macOS Sierra?
Can not or will not?

Data point: Per Apple's rules, any current iOS app updates must be built against the iOS 12.1 SDK or later. And yet I have many newly updated iOS apps that still support iOS 9, even when the update is to support new iOS 13 features. I even have one that still supports iOS 7! That's support for 7 major iOS releases, going back 6 years.

But Apple? What I typically see is that on the day that a new major iOS version drops, the Apple iOS apps are updated to drop support for all but the newly current version.

Now, granted, so far this year only Clips, GarageBand, and iMovie have dropped iOS 12. Perhaps Apple was too busy with iOS 13 bugs.

The point is that it is possible to release updates and still support older OS versions. But you have to want to do it. If what you want to do is force your users to upgrade the OS, then...
 


Sierra appears to no longer be supported by Apple. All engineers have likely been reassigned to other duties. This follows Apple's long-standing, but unstated, rule to support the current OS and the previous two.
It's also worth noting at this point that both Microsoft and Adobe have jumped on board this fast, forced obsolescence ramp for their Mac products. The latest version of Office will only support the latest three versions of macOS as do the latest Adobe Creative Cloud applications (the latter currently states 10.12-10.14 but expect that to shift to 10.13-10.15 soon).

The particular security threat of using Microsoft Office makes the requirement to keep Mac hardware and software up-to-date even more important. Of course, there are alternatives to Microsoft Office :-)
 


Ric Ford

MacInTouch
Xrite has a new i1 Display profiler in the works; it is available for preorder, so presumably, it’s going to be out soon. I was planning to get one until I looked at the system requirements: macOS 10.13 and up.
I’m seeing more and more examples like this now (sometimes requiring macOS 10.14).

The big question/decision is whether to move to macOS 10.13 or to macOS 10.14, as macOS 10.12 is losing Apple security and developer support while macOS 10.15 Catalina has huge compatibility issues (and quality problems).
 


Ric Ford

MacInTouch
It appears that Apple has silently abandoned its silent security updates for older OS X versions.
Eclectic Light Co. said:
Has Apple stopped pushing security updates to El Capitan?
... One SilentKnight user, for example, has Macs running Mojave and Catalina, and a lovely old Mac mini which is stuck on El Capitan and can’t go any further. It’s that latter system which worries me: it appears to have stopped being pushed security updates back in May 2019, and is now well out of date....

As you can see, the XProtect, Gatekeeper and MRT versions are frozen as they were back in May 2019. The last installed updates to them were on 12 May 2019, but SilentKnight isn’t able to get Apple’s servers to offer anything more recent than those. SilentKnight is connecting correctly with those update servers, though – if you block its outgoing connection or it fails, it should return an error, sometimes after waiting for a very long timeout first.

I also hear occasionally from other SilentKnight and LockRattler users that they’re stuck on out of date versions of some of these important protections. This can occur, for instance, when an older Mac is upgraded to an unsupported version of macOS, such as High Sierra or Mojave. Again, their updates cease, and no more are offered by Apple’s servers.

At present, I’ve only heard of a handful of cases, but sufficient to make me wonder whether Apple has discontinued support for some or all of these older systems. I can’t see any article or other information from Apple which informs users (or developers) of this practice. But if this is what is happening, users need to be aware that, for example, they no longer enjoy current protection, particularly in Gatekeeper, which could leave their Macs vulnerable.
 



For anybody interested (I don't recall seeing any mentions of this recently here), Apple has an old-style listserv that announces when security updates are released. The messages usually provide brief details about what's being fixed and who reported it to Apple. Even better for those with "Mac User Emeritus" status, Apple Security signs each message with its PGP key so that authenticity can be tested!

Subscribe here:
 


I’m seeing more and more examples like this now (sometimes requiring macOS 10.14). The big question/decision is whether to move to macOS 10.13 or to macOS 10.14, as macOS 10.12 is losing Apple security and developer support while macOS 10.15 Catalina has huge compatibility issues (and quality problems).
I’m really reluctant to mess with my stable Mac Pro setup. Moving to anything after Sierra is going to require a firmware update, and while there probably isn’t much chance that it will brick my beloved silver baby, I don’t have the appetite to do it. Nor do I get any significant advantage, other than security updates, from going beyond Sierra.

Catalina is out of the question.
 


Ric Ford

MacInTouch
For anybody interested (I don't recall seeing any mentions of this recently here), Apple has an old-style listserv that announces when security updates are released....
For what it's worth, I subscribed to this long ago and report on this security information on MacInTouch, but, uncharacteristically, the alerts were delayed today for quite a few hours past the release of the software (yet another piece of evidence that something is currently off at Apple).
 


Moving to anything after Sierra is going to require a firmware update, and while there probably isn’t much chance that it will brick my beloved silver baby, I don’t have the appetite to do it.
Most recent firmware updates were included in Sierra Security Updates, so you may not need one to upgrade to High Sierra.

The firmware update for Catalina has reportedly not been back-ported to Sierra through Mojave. In recent memory, that was the only update that has bricked any model of Mac.

Firmware updates are usually only needed to correct vulnerabilities in graphics and CPU chips, not related to OS or other software requirements.

There are further details in this blog posting from Howard Oakley:

 


Ric Ford

MacInTouch
Apple has finally gotten around to updating its Apple security updates page to cover today's security patches (although it still has gaps where some security problems have still not been disclosed).

Of particular note is the fact that there is no Security Update 2019-006 for macOS Sierra, although all Apple's subsequent macOS versions got security patches today. There is no Safari security update for macOS Sierra, either, so it appears that macOS 10.12 Sierra has now been abandoned to be at risk for all these vulnerabilities (though Apple never, ever deigns to disclose what it is or isn't supporting, security-wise, in contrast to more responsible competitors).

Related links:
 


I’m really reluctant to mess with my stable Mac Pro setup. Moving to anything after Sierra is going to require a firmware update, and while there probably isn’t much chance that it will brick my beloved silver baby, I don’t have the appetite to do it. Nor do I get any significant advantage, other than security updates, from going beyond Sierra.
Catalina is out of the question.
I have a Mac Pro 5,1 with boot drives for Snow Leopard, Mountain Lion, Sierra, and High Sierra. I've added a Metal-capable GPU so that Mojave can be installed. My go-to version of macOS is Sierra. I do update the High Sierra drive when updates are available. Current firmware on this Mac Pro is MP51.0089.B00.

When I installed High Sierra, it created an APFS drive. When the install was completed, I made a SuperDuper clone to an external HFS+ drive. I then reformatted the internal drive to HFS+ and cloned the external back to the internal. As a result, I have an HFS+ High Sierra. I haven't noticed any problems or issues — but as I said above, Sierra is my go-to OS.

You might consider this upgrade to get another year of security updates for your system.

But I completely agree with "Nor do I get any significant advantage, other than security updates, from going beyond Sierra."
 


macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006 ("Available for: macOS Catalina 10.15, Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6")
It's interesting that in that support document, Apple describes three of the security fixes as "Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15" (for audio, file system events, and manpages).

Perhaps the latest Mojave is not impacted by those security issues, but with today's Apple, it doesn't seem outlandish to wonder if the documentation is erroneous, if Apple hasn't been able to fix the issues in Mojave, or if some other circumstance applies. Perhaps the issues were fixed for Mojave in one of the recent flurry of "supplemental" Safari and Mojave updates, but a quick search didn't reveal the relevant CVE numbers in the release notes for the updates I reviewed. Perhaps I missed them.
 


Ric Ford

MacInTouch
It's interesting that in that support document, Apple describes three of the security fixes as "Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15" (for audio, file system events, and manpages). Perhaps the latest Mojave is not impacted by those security issues, but with today's Apple, it doesn't seem outlandish to wonder if the documentation is erroneous, if Apple hasn't been able to fix the issues in Mojave, or if some other circumstance applies.
Thanks for pointing that out, an odd thing that I had missed. I searched Apple Support for one of the CVEs in these High Sierra-but-not-Mojave updates.

"CVE-2019-8785" site:support.apple.com at DuckDuckGo

I don't see a Mojave or Sierra reference, but the patch appears in iOS 13.2, tvOS 13.2 and watchOS 6.1.

I'm sure Apple knows internally what systems are and are not affected by these security holes, but they are not disclosing that information publicly, which is frustrating.
 


Ric Ford

MacInTouch
Howard Oakley has been digging into a difficult problem of certain Macs not seeing or getting Apple security updates, and it's worth reading about this issue to see if you can prevent your own Macs from getting behind on security updates (even more than Apple's usual abandonment is causing).
Eclectic Light Co. said:
How can security data get so out of date?
... The Mac which is likely to have fallen behind and have these problems getting up to date is the Fallback Mac, maybe your last Mac which you keep tucked away in case your current working system has to go off for repair, or is otherwise unavailable, and you need to carry on working. It might also run old and now incompatible versions of key apps, retaining your access to them. With the requirement for 64-bit software in Catalina, we can expect users in the future to have to keep more old systems for that purpose.

What makes this worse is that it appears that the more out of date your system becomes, the less likely it is to get updates again....
 


Howard Oakley has been digging into a difficult problem of certain Macs not seeing or getting Apple security updates, and it's worth reading about this issue to see if you can prevent your own Macs from getting behind on security updates even more than Apple's usual abandonment is causing.
If you keep an old Mac as an emergency backup, it's well worth reading Howard's whole commentary.

When I switch to a new machine, I migrate the contents of the old one onto the new one, which also migrates the network name of the old machine to the new one. Then I turn off the old machine to preserve its contents, leaving it with the same network name. If you turn the old machine back on with the new one running on the same network, your network will get rather confused when it finds two machines with the same network name and will change one of their names, as I learned the hard way.

To avoid that problem, you should shut down the new machine (and its external drives) before turning on the old one to update it, then make sure to change its network name to something that won't cause problems.
 


Ric Ford

MacInTouch
There are private information leaks all around macOS, involving things like Spotlight, caches, etc., which is one reason that I consider FileVault 2 encryption mandatory. Here's another that just got noticed:
Bob Gendler said:
Apple Mail Stores Encrypted Emails in Plain Text Database, fix included!
I was investigating how macOS and Siri suggest contacts and information to you, the user. This led me to the process called suggestd, run by the system level LaunchAgent com.apple.suggestd, and the Suggestions folder in the user-level Library folder, which contains multiple files and some potentially important database files (.db files). These are databases with information from Apple Mail and other Apple applications that enable macOS and Siri to become better at suggesting information.

The main thing I discovered was that the snippets.db database file in the Suggestions folder stored my emails. And on top of that, I found that it stored my S/MIME encrypted emails completely UNENCRYPTED. Even with Siri disabled on the Mac, it *still* stores unencrypted messages in this database!

**This is definitely not the expected behavior and can be considered an inadvertent information exposure.**

...
For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me. It brings up the question of what else is tracked and potentially improperly stored without you realizing it. For an operating system in which you generally have to change controls to make it less secure, this is a setting that you have to change to make it more secure and behave correctly. I also have to wonder why it took 99 days for someone to know the answer on how to prevent this. All parties at Apple were alerted multiple times before writing this blog and giving an ample amount of time before I published this. The two real main issues here are...
  1. Disabling Siri doesn’t stop macOS from collecting data for Siri.
  2. That with Siri enabled or disabled this process is storing encrypted emails in a database completely unencrypted.
 


Bob Gendler said:
Apple Mail Stores Encrypted Emails in Plain Text Database, fix included!
... The main thing I discovered was that the snippets.db database file in the Suggestions folder stored my emails. And on top of that, I found that it stored my S/MIME encrypted emails completely UNENCRYPTED. Even with Siri disabled on the Mac, it *still* stores unencrypted messages in this database!
This seems alarmist. S/MIME is for secure end-to-end transport of email. As far as I know, it doesn't require encrypted storage of email by the mail transfer agent, on either end.

For example, if I send or receive an email that I can decrypt, I would expect to be able to search for that email by its contents. That means that the email index would contain the decrypted email keywords.
 


There are private information leaks all around macOS, involving things like Spotlight, caches, etc., which is one reason that I consider FileVault 2 encryption mandatory.
Aside from the use of weak/obvious passwords, a strong case can be made that the single greatest data vulnerability facing most individuals and organizations is the failure to encrypt storage media. In an age of fast CPUs and SSD drives, there really isn't much of a reason to avoid encrypting drives.
 


This seems alarmist. S/MIME is for secure end-to-end transport of email. As far as I know, it doesn't require encrypted storage of email by the mail transfer agent, on either end. ...
It's more about security expectations than literal interpretation. My expectation is that the message's raw text is how it's stored on the drive. Only when a message is being viewed on-screen should an email app decrypt the content. The decrypted content should not be stored permanently. Given that, I certainly don't expect decrypted content to be automatically copied anywhere. Can we be 100% positive that none of the decrypted information is uploaded?
 


Ric Ford

MacInTouch
There are private information leaks all around macOS, involving things like Spotlight, caches, etc., which is one reason that I consider FileVault 2 encryption mandatory. Here's another that just got noticed:
Apple says they'll fix it at some indefinite time in the future:
The Verge said:
Apple is fixing encrypted email on macOS because it’s not quite as encrypted as we thought
... Apple tells The Verge it’s aware of the issue and says it will address it in a future software update. The company also says that only portions of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they’re explicitly supposed to be encrypted, obviously isn’t good.

... If you want to stop emails from being collected in snippets.db right now, Apple tells us you can do so by going to System Preferences > Siri > Siri Suggestions & Privacy > Mail and toggling off “Learn from this App.” Apple also provided this solution to Gendler — but he says this temporary solution will only stop new emails from being added to snippets.db. If you want to make sure older emails that may be stored in snippets.db can no longer be scanned, you may need to delete that file, too.

... Again, this vulnerability probably won’t affect that many people. But if you do rely on Apple Mail and believed your Apple Mail emails were 100 percent encrypted, it seems that they’re not. As Gendler says, “It brings up the question of what else is tracked and potentially improperly stored without you realizing it.”
 


Ric Ford

MacInTouch
Note the danger of scams here...
BleepingComputer said:
checkra1n iOS Jailbreak Gets Public Beta Update With Fixes
... Checkra1n can be used to jailbreak all iOS devices running up to iOS 12.3 between the iPhone 5s and the iPhone X, with the addendum that this beta version currently does not support iPad Air 2, iPad 5th Gen, and iPad Pro 1st Gen.

The Checkm8 exploit is an extremely rare unpatchable bootrom exploit that can be used against most generations of iPhones and iPads, from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).

While the exploit allowed the checkra1n team to create a jailbreak tool, it should be noted that it cannot be abused remotely and that threat actors who would want to use it would also need physical access to the iOS device.
...
Previously used as a bait in a scam campaign
If you plan to download and use checkra1n, make sure you avoid similar-looking domains because they are more often than not used in malicious campaigns just as the one spotted by Cisco Talos researchers in October.
And the danger of other iPhone vulnerabilities, including a horrific one involving Facebook's WhatsApp:
Forbes said:
Apple Can’t Kill A New iOS Hack On Hundreds Of Millions Of iPhones
... Using a strong alphanumeric passcode should also help, added axi0mX. “Most people’s risk has not increased. The passcode will protect the data on device on all modern iPhones.”

There are, however, recent examples of iPhones being remotely compromised. Spyware created by Israeli surveillance company NSO Group has allegedly been used to target activists, journalists, lawyers and many others across the world. The tools, which can snoop on all communications and switch on the mic to turn the phone into a remote listening device, were installed via a WhatsApp hack. Facebook, WhatsApp’s owner, is now suing NSO Group as a result.
 


Ric Ford

MacInTouch
Apple silently issued another anti-malware update:
Eclectic Light Co. said:
Apple has pushed an update to XProtect
Apple has just pushed an update to the data files used by XProtect, bringing its version number to 2108, dated 13 November 2019.

Apple doesn’t release information about what this update adds or changes. Comparing this with the previous version, the only change apparent is the addition of three new items which are detected, cryptically named MACOS.de444f2, MACOS.b70290c and MACOS.22d71e9.
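An added check prompted by the two Eclectic Light reports quoted in this thread (the XProtect, Gatekeeper and MRT versions frozen since May 2019, and this XProtect update to version 2108 dated 13 November 2019). This POSIX shell script is not code from MacInTouch or Eclectic Light; it reads CFBundleShortVersionString out of XProtect's Info.plist and reports whether the installed data lags the newest version you know Apple has pushed. The bundle path is an assumption (Mojave and later), and the embedded plist is a constructed sample so the script runs on any machine.

```shell
#!/bin/sh
# Added example (not code from MacInTouch or Eclectic Light): report whether the
# installed XProtect data files lag behind the newest version you know Apple has
# pushed (2108, dated 13 November 2019, per the Eclectic Light report quoted above).

# Newest XProtect data version known to be published, taken from the thread.
LATEST_KNOWN_XPROTECT=2108

# Constructed sample of the relevant part of an XProtect Info.plist, so the
# script runs on a machine without the bundle. Not taken from any real system.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.XProtect</string>
    <key>CFBundleShortVersionString</key>
    <string>2103</string>
</dict>
</plist>'

# Assumed location of the XProtect bundle's Info.plist on Mojave and later.
XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"

# plist_value KEY: print the <string> value that follows <key>KEY</key> in
# plist XML read from stdin. Handles the key and value on one line or on two.
plist_value() {
  awk -v k="<key>$1</key>" '
    index($0, k) { found = 1; sub(/.*<\/key>/, "") }
    found && match($0, /<string>[^<]*<\/string>/) {
      print substr($0, RSTART + 8, RLENGTH - 17)
      exit
    }'
}

# xprotect_status INSTALLED EXPECTED: print "current", "stale" or "unknown".
# XProtect data versions are plain integers (e.g. 2108), so a numeric compare
# is enough; anything that is not an integer is reported as unknown.
xprotect_status() {
  case "$1" in
    '' | *[!0-9]*) echo "unknown"; return ;;
  esac
  if [ "$1" -lt "$2" ]; then
    echo "stale"
  else
    echo "current"
  fi
}

# read_installed_version: use the live bundle when it is readable, otherwise
# fall back to the constructed sample so the rest of the script still runs.
read_installed_version() {
  if [ -r "$XPROTECT_PLIST" ]; then
    plist_value CFBundleShortVersionString < "$XPROTECT_PLIST"
  else
    printf '%s\n' "$SAMPLE_PLIST" | plist_value CFBundleShortVersionString
  fi
}

installed=$(read_installed_version)
echo "XProtect data version: ${installed:-unknown} (newest known: $LATEST_KNOWN_XPROTECT)"
echo "Status: $(xprotect_status "$installed" "$LATEST_KNOWN_XPROTECT")"
```

A "stale" result on a Mac that has been online for a while is the symptom the Eclectic Light posts describe: the update servers are reachable but offer nothing newer.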
 


Ric Ford

MacInTouch
Cautionary tales:
Washington Post said:
An Apple store employee ‘helped’ a customer — by texting himself an intimate photo from her phone
... Fuentes alleged that the Apple employee had gone through her photos, retrieved a private picture and texted it to himself.

... As Mashable noted last week, this incident is not isolated. Last month, a 24-year-old Verizon store employee in Park City, Utah, was arrested on suspicion of a third-degree felony after texting himself “several nude photos” from a customer’s camera roll. The unidentified victim was there to upgrade her iPhone 5 to an iPhone 8, ABC4 reported.

Then there was the 2016 incident in Brisbane, Australia, in which several Apple store employees were fired following allegations they had taken candid photos of female staff members and customers and stolen other photos from patrons’ phones.
 



Ric Ford

MacInTouch
This might be worth a read:
Heimdal Security said:
How Drive-by Download Attacks Work – From Disbelief to Protection

... Not many people know that malware can be bundled together to wreak havoc on victim’s devices. Such malicious software cocktails can also include fileless malware, which your antivirus can’t detect. As the name suggests, this type of infection runs in the RAM memory of your device and it doesn’t use any files.

Drive-by attacks are notoriously stealthy and using fileless malware adds to this strategy and increases the impact. Reading up on fileless malware will open up your perspective and help you move from reactive to proactive online security (which is what we all need going forward).

... You believe that Apple products are unhackable
This common misconception can endanger your data, so it may be time to let it go. While there’s no doubt that Apple products and their respective operating systems are a lot more secure than others, they’re also prone to malicious hacking.

And because some people just want to watch the world burn, here’s a case of a drive-by download attack involving a website connected to Dalai Lama, which targeted Mac users. It happened before and it can happen again. So my question to you is: why take unnecessary risks?
 


Speaking of "drive-by's," AirDrop is being used to distribute, among other things, vile material.
AP said:
White supremacist manifesto reportedly shared at Syracuse U
A white supremacist manifesto that appeared to be a copy of one linked to a man accused of attacking two mosques in New Zealand was circulated electronically at Syracuse University, campus law enforcement said Tuesday, adding to a string of racist episodes that have shaken the upstate New York campus.

Federal Investigators and local authorities were working to determine the origin of the document after receiving reports that it was posted in an online forum and that attempts were made to send it to the cellphones of students at a campus library Monday night via AirDrop, a file-sharing service that allows iPhone users to send pictures or files to other iPhones or iPads near them when devices are within Bluetooth and Wi-Fi range of each other.
 


This might be worth a read:
“Heimdal Security” said:
How Drive-by Download Attacks Work – From Disbelief to Protection
... And because some people just want to watch the world burn, here’s a case of a drive-by download attack involving a website connected to Dalai Lama, which targeted Mac users. It happened before and it can happen again. So my question to you is: why take unnecessary risks?
I would have picked a different example. The one highlighted was targeted against a small group of Dalai Lama supporters who were running out-of-date software. As the article indicated, the attack took advantage of the same vulnerability in the Java browser plugin used earlier that year by a variant of the Flashback malware that reportedly impacted over 600,000 Mac users.

Both Java and OS X had been patched against that vulnerability by then, enforcing the recommendations to always keep all your software fully up-to-date for maximum protection. That was also when the advice went out to remove the Java plugin, unless it was absolutely necessary, as a hedge against future Java vulnerabilities.

Note that these attacks occurred over seven years ago and there have been no reports of different successful drive-by attacks against Macs since that time. The same cannot be said for Windows users.
 


Ric Ford

MacInTouch
... Note that these attacks occurred over seven years ago and there have been no reports of different successful drive-by attacks against Macs since that time. The same cannot be said for Windows users.
As I mentioned to Al in an email discussion, we see non-stop patches for security flaws by Apple for vulnerabilities* (frequently undisclosed) that would appear to enable "drive by" attacks, where just visiting a website could infect your Mac. Although, as Al notes, we don't have recent examples of widespread infections like the Flashback/Java nightmare earlier, I also raised the issue of malvertising, which I view as a very serious problem, affecting even mainstream websites that one would think should be "safe", because most such websites run ads from third-parties that may contain malware.


*A typical example (seen countless times) reads like this:
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Here are other examples, along with recommendations:
Center for Internet Security said:
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in watchOS, Safari, iOS, iPadOS, macOS Catalina, and tvOS. The most severe of these vulnerabilities could allow for arbitrary code execution.

... We recommend the following actions be taken:
  • Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download, accept, or execute files from un-trusted or unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
The example below is for Windows, but I don't think it's much of a stretch to think (as with Flashback/Java) these attacks could hit Macs, as well, though Apple is certainly working to harden its systems (often at the expense of convenience and compatibility):
Talos said:
Custom dropper hide and seek
Most users assume they are safe when surfing the web on a daily basis. But information-stealing malware can operate in the background of infected systems, looking to steal users' passwords, track their habits online and hijack personal information.

Cisco Talos has monitored adversaries which are behind a wave of ongoing campaigns dropping well-known information-stealers like Agent Tesla, Loki-bot and others since at least January 2019. The adversaries are using custom droppers, which inject the final malware into common processes on the victim machine. Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers.

The injection techniques we're seeing in the wild are well-known and have been used for many years, but with the adversaries customizing them, traditional anti-virus systems are having a hard time detecting the embedded malware. In this post, we'll walk through one of these campaigns in detail and how the different stages of the dropper hide the malware. Any internet user is a potential target of this malware, and if infected, has the potential to completely take away a user's online privacy.
 


Ric Ford

MacInTouch
An Ars Technica article describes the implications of "Checkra1n", a major new iOS "jailbreak":
Dan Goodin said:
What the newly released Checkra1n jailbreak means for iDevice security
It has been a week since the release of Checkra1n, the world’s first jailbreak for devices running Apple’s iOS 13. Because jailbreaks are so powerful and by definition disable a host of protections built into the OS, many people have rightly been eyeing Checkra1n—and the Checkm8 exploit it relies on—cautiously. What follows is a list of pros and cons for readers to ponder, with a particular emphasis on security.
...
The take-away from the sort of scenario Stortz hypothesizes is this: for journalists, dissidents, and other high-value targets who use iOS devices and can afford to, it’s best to use hardware that has an A12 or higher CPU. An iDevice introduced in the past two years will ensure that it’s safe from Checkra1n-derived attacks at border crossings, in hotel rooms, or in other situations that involve brief separations.

For iOS users who can’t afford a newer iPhone or iPad, using Touch ID or Face ID can lower the chances of malicious jailbreaks since users can be tipped off that something is amiss if the iDevice unexpectedly requires a PIN. And whenever the device has been out of the user’s control, even briefly—or users suspect anything else is amiss—they should reboot it.
 


Speaking of "drive-by's," AirDrop is being used to distribute, among other things, vile material.
It was reported that AirDrop was not used in this case.
The Daily Orange said:
Syverud says manifesto AirDrop reports ‘probably a hoax,’ gives update on investigation into racist verbal attack
... The Department of Public Safety said Tuesday morning that the manifesto, a 74-page screed written by the suspected Christchurch mosque shooter, was allegedly AirDropped to students at Bird Library. A link to the manifesto was also posted on a discussion board on Greekrank.com.

Syverud repeatedly apologized for SU’s response to the “alleged Internet attack,” saying the university “did not have a team in place that could deal with it effectively.”

“To date, law enforcement has not been able to locate a single individual who directly received an AirDrop,” Syverud said. “Not one.”

... Tayla Myree, a member of the #NotAgainSU movement who attended the meeting, later criticized Syverud’s use of the word “hoax” to describe the incident, pointing to the PDF shared on Greekrank.com.
 



Ric Ford

MacInTouch
... I also raised the issue of malvertising, which I view as a very serious problem, affecting even mainstream websites that one would think should be "safe", because most such websites run ads from third-parties that may contain malware.
More on the topic:
BleepingComputer said:
Almost 60% Of Malicious Ads Come from Three Ad Providers
... A malicious ad is defined by Confiant as one that performs unwanted behavior such as a forced redirect to scams, cryptojacking, or ads that infect a visitor's device.
"A creative that includes (usually obfuscated) Javascript that spawns a forced redirect or loads a secondary, or tertiary, payload for similar malicious purposes. Most malicious creatives exist for the purpose of forcing users to interact with phishing scams, but some perform cryptojacking or infect the user’s device to propagate botnets and other nefarious activities."
#malvertising
 


More on the topic
BleepingComputer said:
Almost 60% Of Malicious Ads Come from Three Ad Providers
... A malicious ad is defined by Confiant as one that performs unwanted behavior such as a forced redirect to scams, cryptojacking, or ads that infect a visitor's device.
"A creative that includes (usually obfuscated) Javascript that spawns a forced redirect or loads a secondary, or tertiary, payload for similar malicious purposes. Most malicious creatives exist for the purpose of forcing users to interact with phishing scams, but some perform cryptojacking or infect the user’s device to propagate botnets and other nefarious activities."
I don’t disagree that malvertising is a serious problem, and by far the most prevalent these days for Mac users....

But I need to point out that malvertising does not meet the technical definition of a "drive-by." The only thing that is downloaded to the computer is the browser cache, which is completely harmless. None of the mentioned threats from cryptojacking, botnets or other malware situations are known to exist on a Mac, unless the user takes further action by clicking something or making a phone call to a nefarious person. JavaScript alone has so far been unable to deliver drive-by malware.

I’m unaware of any anti-virus software for Macs that addresses this issue, unless the site where these ads are running has been selectively blocked in its entirety. The only preventive action currently available is a good adblocker. Unfortunately, Safari has some limitation on how much can be done about these, so there are more effective choices available for Firefox and Chrome-based browsers, but the ones available are certainly better than nothing here.

It’s important to add that my discussions in this area related entirely to the current situation today. That could all change very quickly tomorrow, as there are very capable malware developers out there always looking for a new vulnerability and ways to exploit current ones.

We cannot dismiss the possibility of another drive-by attack on the Mac community just because there hasn’t been a known recurrence in over five years, but it does help explain why anti-malware for Mac developers don’t make it a high priority compared to other currently existing threats.
 


... I need to point out that malvertising does not meet the technical definition of a "drive-by." The only thing that is downloaded to the computer is the browser cache, which is completely harmless. None of the mentioned threats from cryptojacking, botnets or other malware situations are known to exist on a Mac, unless the user takes further action by clicking something or making a phone call to a nefarious person. JavaScript alone has so far been unable to deliver drive-by malware.
...
We cannot dismiss the possibility of another drive-by attack on the Mac community just because there hasn’t been a known recurrence in over five years, but it does help explain why anti-malware for Mac developers don’t make it a high priority compared to other currently existing threats.
That is not true. Safari has had security holes before that permitted JavaScript code to affect the machine, there are likely holes now, and certainly will be more in the future.

For example, here's an exploit from last year: A Pwn2Own exploit chain. It starts with JavaScript in Safari and ends up with kernel mode code.
 

