And here's a new report on Apple's refusal, despite all its privacy marketing, to provide end-to-end encryption:
Yeah, I would like to use iCloud to back up my phone in real time, but so far it doesn’t look like Apple offers a secure way for me to store my iPhone data there with the tools that Apple provides.
Reuters said:
Apple dropped plan for encrypting backups after FBI complained
Apple Inc. dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.
Google Researchers said:
Information Leaks via Safari’s Intelligent Tracking Prevention
by: Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, Roberto Clapis
Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple’s Safari browser, released in October 2017. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data.
As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search).
This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019.
Eclectic Light Co. said:
What could possibly go wrong on an app first run?
In yesterday’s article, I discussed problems which can arise when first running an app downloaded from the Internet, or delivered via AirDrop, which became translocated and then locked out during its first run. Although the process of app translocation was introduced in macOS 10.12 Sierra, it continues to trip users up, and in combination with the more complex Gatekeeper checks in Catalina, may leave you baffled as to why an app won’t complete its first run successfully. This article steps through the processes involved, and explains how you can deal with problems arising in them.
The Hacker News said:
Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root
Joe Vennix of Apple security has found another significant vulnerability in sudo utility that under a specific configuration could allow low privileged users or malicious programs to execute arbitrary commands with administrative ('root') privileges on Linux or macOS systems.
... According to Vennix, the flaw can only be exploited when the "pwfeedback" option is enabled in the sudoers configuration file, a feature that provides visual feedback, an asterisk (*), when a user inputs password in the terminal.
To be noted, the pwfeedback feature is not enabled by default in the upstream version of sudo or many other packages. However, some Linux distributions, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.
... To determine if your sudoers configuration is affected, you can run sudo -l command on your Linux or macOS terminal to find whether the "pwfeedback" option is enabled and listed in the "Matching Defaults entries" output.
... Joe Vennix last year reported a similar impact vulnerability in Sudo that could have been exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295."
Apple said:
About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.2
Impact: Certain configurations may allow a local attacker to execute arbitrary code
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2019-18634: Apple
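The sudo -l check described in the excerpt above, as an added example that is not part of the original posts or of the quoted articles: a shell function that reads sudo -l output and reports whether pwfeedback appears under "Matching Defaults entries". The sample outputs, user name and host name are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): classify `sudo -l` output for pwfeedback.

# pwfeedback_state reads `sudo -l` text on stdin and prints one of:
#   enabled  - pwfeedback is listed under "Matching Defaults entries"
#   disabled - the section exists and pwfeedback is absent or negated (!pwfeedback)
#   unknown  - no "Matching Defaults entries" section (for example, the listing failed)
pwfeedback_state() {
    awk '
        /^Matching Defaults entries/ { in_defaults = 1; seen = 1; next }
        # The list is indented and may wrap; a blank or unindented line ends it.
        in_defaults && !/^[ \t]+[^ \t]/ { in_defaults = 0 }
        in_defaults {
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                item = items[i]
                gsub(/^[ \t]+|[ \t]+$/, "", item)
                if (item == "pwfeedback") found = 1
            }
        }
        END { print (!seen ? "unknown" : (found ? "enabled" : "disabled")) }
    '
}

# Constructed sample: a sudoers policy that turns the option on.
sample_enabled() { cat <<'EOF'
Matching Defaults entries for alice on demo-host:
    env_reset, mail_badpass, pwfeedback,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin

User alice may run the following commands on demo-host:
    (ALL : ALL) ALL
EOF
}

# Constructed sample: the option explicitly negated.
sample_negated() { cat <<'EOF'
Matching Defaults entries for alice on demo-host:
    env_reset, !pwfeedback, mail_badpass

User alice may run the following commands on demo-host:
    (ALL) ALL
EOF
}

# Live check: -n keeps sudo from prompting; with no cached credentials the
# listing fails and the result is "unknown".
check_live() { sudo -n -l 2>/dev/null | pwfeedback_state; }

echo "enabled sample: $(sample_enabled | pwfeedback_state)"
echo "negated sample: $(sample_negated | pwfeedback_state)"
```

An "enabled" result means the configuration named in the excerpt is present; the option can be switched off with a Defaults !pwfeedback line edited through visudo.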
Eclectic Light Co. said:
Hardening and notarization finally arrive in Catalina
From today, 3 February, Catalina 10.15.3 finally reaches what Apple had intended to be its launch point: all newly-built apps and command tools for Catalina are now required to be both hardened and properly notarized. This doesn’t mean that you can’t run apps or tools which aren’t, indeed you can still run completely unsigned apps if you wish. But if an app has been signed from today onwards and you expect it to pass Gatekeeper’s full first run checks, hardening and full notarization are no longer optional.
... Over the coming weeks and months, we should finally start to see whether all this effort has been worth it, and does change the threat landscape in our favour.
Eclectic Light Co. said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2113, dated 5 February 2020, and to its malware removal tool MRT, bringing it to version 1.54, also dated 5 February 2020.
Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names. Examination of the XProtect data files shows only minor amendments, with the naming of five signatures which were already in the Yara file. No new detection signatures appear to have been added at all.
Thanks for the heads-up! Running macOS 10.12.6 here. Used the SilentKnight app to get the updates and the following info:
Apple has pushed out new versions of its invisible anti-malware files, XProtect and MRT. (The updates are installed on macOS 10.12.6 Sierra, despite Apple having abandoned this macOS for other security updates.)
Everything is working so far.
Finding available software
Software Update found the following new or updated software:
MRTConfigData (1.54), 4100K [recommended]
XProtectPlistConfigData (2113), 68K [recommended]
Installing MRTConfigData, XProtectPlistConfigData
Done with MRTConfigData
Done with XProtectPlistConfigData
Eclectic Light Co. said:
NIST said:
NVD - cve-2016-4606
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
Thanks. I was sort of thinking, however, if there was a manual workaround trick for security updates for older macOS, like 10.12.6 Sierra. It still appears to me that any security updates are definitively tied to later versions of macOS, either through terminal command, or simply through App Store Software Update.
ZDNet said:
iPhone and iPad apps can snoop on everything you copy to the clipboard | ZDNet
Did you know that all the apps on your iPhone and iPad can snoop on whatever you copy to the system clipboard (called pasteboard on iOS)? A new security demo by researchers at Mysk shows how this could be used by apps to get detailed information about the user.
Threatpost said:
Apple Takes Heat Over 'Vulnerable' iOS Cut-and-Paste Data
Any cut-and-paste data temporarily stored to an iPhone or iPad’s memory can be accessed by all apps installed on the specific device – even malicious ones. That data can then reveal private information such as a user’s GPS coordinates, passwords, banking data or a spreadsheet copied into an email.
No, there isn't. But it's complicated.
I was sort of thinking, however, if there was a manual workaround trick for security updates for older macOS, like 10.12.6 Sierra.
Mikey Campbell said:
Apple to again skip US congressional hearing on Chinese influence in tech
... Apple's willingness to kowtow to Chinese officials is often viewed as antithetical to its well-groomed image as a bastion of human rights, data privacy and free speech.
Beyond iCloud, Apple has agreed to pull controversial apps at the direction of China's government. Most recently, the company yanked HKMaps from the Chinese App Store during the recent Hong Kong protests. When pressed on the decision, the company said the app was in violation of Hong Kong law, a dubious claim considering the title's core functionality did not contravene local regulations, nor did it break rules laid out in Apple's own App Store Guidelines.
The company has a long history of removing apps in compliance with Chinese government requests. In 2017, it pulled The New York Times app and multiple VPN apps for supposed violations, while the Quartz app was likewise removed after it provided extensive coverage of the Hong Kong protests in October.
Just to be clear, XProtect and MRT updates are still provided to OS X El Capitan [10.11] and above (although there appear to be some enhancements to the Catalina versions). They are normally updated automatically if you have enabled that in System Preferences and can be manually updated with a terminal command or SilentKnight.
I assume there is no way to manually update XProtect and MRT, like downloading the "latest definitions" and any issuances of updates is OS dependent ... for later versions than, say Sierra.
Apple rules covering App Store applications preclude them from being able to adequately identify and then quarantine or remove such infections. That's why all the effective anti-malware software must be distributed outside the App Store.
I am curious as to why the more popular third-party apps, like Malwarebytes, do not post in the Apple App Store....
Just FYI, while GateKeeper updates are still available for Yosemite (10.10), there's no XProtect update available for Yosemite anymore (it's simply no longer part of the update catalog - not even an old/outdated version!).
Just to be clear, XProtect and MRT updates are still provided to OS X El Capitan [10.11] and above (although there appear to be some enhancements to the Catalina versions). They are normally updated automatically if you have enabled that in System Preferences and can be manually updated with a terminal command or SilentKnight.
I think this CVS is just a cumulative "Apple CVS" for all the security fixes that were applied between version 7.43.0 and 7.49.1 of Curl (Curl 7.43.0 was the latest version included in OS X 10.11, while macOS 10.12 then came with Curl 7.49.1.)
There's a "high" (CVSS 7.5) vulnerability involving Curl in OS X versions prior to macOS 10.12 Sierra (and Apple isn't supporting anything prior to macOS 10.13 with security updates).
/usr/local/bin/curl -V
curl 7.68.0 (x86_64-apple-darwin14.5.0) libcurl/7.68.0 OpenSSL/1.1.1a zlib/1.2.5 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
I have the phone number of two family members listed as "trusted phone numbers" on my Apple ID settings. These are both iPhones so no need for SMS. I believe this would take care of your unfortunate situation (assuming the family members are nearby).
... How can I prevent this from happening again in the future? Can I add my lovely bride's different iPhone number to my account? Anything else?
Any and all tips and advice appreciated.
You can use Find My without needing 2FA - go to icloud.com/find
I realized that the major problem I'm having is that now everything I need to do that requires two-factor authentication doesn't work, as my "second device" is the lost iPhone. No second number to text or call.
I can't get into iCloud to "find my iPhone".
Ladd, I recommend obtaining and then securing a Google Voice phone number. There are several commentaries available online on how to separate and remove your personal information from Google Voice after signing up for a virtual phone number.
How can I prevent this from happening again in the future? ...Anything else?
Any and all tips and advice appreciated.
Perhaps that is something I can do after my current iPhone is returned or replaced. Unfortunately, any attempts to access my Apple ID generate the message "A message with a verification code has been sent to your devices. Enter the code to continue." So I can't go any further to try and add additional phone numbers.
I have the phone number of two family members listed as "trusted phone numbers" on my Apple ID settings. These are both iPhones so no need for SMS. I believe this would take care of your unfortunate situation (assuming the family members are nearby).
I tried that four times yesterday, and three times it said "can't find your iPhone." Once, it showed the iPhone at the Phoenix airport, which was where the plane was going after I got off in Baltimore. I have no idea if the phone is actually there or just the last place I used it while connected to a cell tower.
Be wary of any message you get stating your phone was found. It could be scammers trying to trick you into unlocking your phone so they can reset it and resell it. With the advent of locked iPhones, this is how thieves are still able to profit from stolen (or found) iPhones.
I just returned from a short trip to Arizona, [and] unfortunately, this time I left my iPhone 7 Plus in the [airplane] seatback pocket. ... Any and all tips and advice appreciated.
If you enable Family Sharing, you won't need to enter in any codes.
... Whenever I try to Find My (wife's) iPhone, and it is out and about with her, I have to enter the code Apple sends to her devices, but the code always shows up on her iPad, which is at home, far away from the iPhone, which is with her.
Are you referring to 2FA using SMS to your phone number, or 2FA using an authenticator app (One-Time-Passwords)?
Immediately after returning home, I realized that the major problem I'm having is that now everything I need to do that requires two-factor authentication doesn't work, as my "second device" is the lost iPhone. No second number to text or call.
Does macOS keep a Clipboard log, or does the Clipboard clear prior entries as it's repopulated with new data?
The Mac/iPhone clipboard can create a security problem - just think about copying and pasting a critical password or other sensitive data and then having it silently stolen without you realizing it...
I second. Also, when I'm traveling internationally, texts going to my Google Voice number can still be retrieved via email/the GV app/the GV web site, but I might not have access to SMS texts.
Ladd, I recommend obtaining and then securing a Google Voice phone number. There are several commentaries available online on how to separate and remove your personal information from Google Voice after signing up for a virtual phone number.
How are you logging in to Find My? It should never require a 2FA code. If you're using the website, you have to go to icloud.com/find, not icloud.com.
Whenever I try to Find My (wife's) iPhone, and it is out and about with her, I have to enter the code Apple sends to her devices, but the code always shows up on her iPad, which is at home, far away from the iPhone, which is with her.
It doesn't keep a 'log' per se, but it does keep it in the clipboard until the next 'copy' operation (of the same type - so first copying a text password string will put it on the clipboard, and the next copy operation of any text string will "overwrite" it).
Does macOS keep a Clipboard log, or does the Clipboard clear prior entries as it's repopulated with new data?
Some related info:
Does macOS keep a Clipboard log, or does the Clipboard clear prior entries as it's repopulated with new data?
Eclectic Light said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2115, dated 5 March 2020, and to its malware removal tool MRT, bringing it to version 1.56, also dated 5 March 2020.
Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names. Changes since the malware definitions in 2114 are small: MACOS.489e70f has been added, and MACOS.0e62876 amended slightly. Although the additional file LegacyEntitlementAllowlist.plist is included in this update, it hasn’t changed since version 2114.