And here's a new report on Apple's refusal, despite all its privacy marketing, to provide end-to-end encryption:

Yeah, I would like to use iCloud to back up my phone in real time, but so far it doesn’t look like Apple offers a secure way for me to store my iPhone data there with the tools that Apple provides.
Reuters said:
Apple dropped plan for encrypting backups after FBI complained
Apple Inc. dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.
Google Researchers said:
Information Leaks via Safari’s Intelligent Tracking Prevention
by: Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, Roberto Clapis
Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple’s Safari browser, released in October 2017. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data.
As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search).
This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019.
Eclectic Light Co. said:
What could possibly go wrong on an app first run?
In yesterday’s article, I discussed problems which can arise when first running an app downloaded from the Internet, or delivered via AirDrop, which became translocated and then locked out during its first run. Although the process of app translocation was introduced in macOS 10.12 Sierra, it continues to trip users up, and in combination with the more complex Gatekeeper checks in Catalina, may leave you baffled as to why an app won’t complete its first run successfully. This article steps through the processes involved, and explains how you can deal with problems arising in them.
The Hacker News said:
Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root
Joe Vennix of Apple security has found another significant vulnerability in sudo utility that under a specific configuration could allow low privileged users or malicious programs to execute arbitrary commands with administrative ('root') privileges on Linux or macOS systems.
... According to Vennix, the flaw can only be exploited when the "pwfeedback" option is enabled in the sudoers configuration file, a feature that provides visual feedback, an asterisk (*), when a user inputs password in the terminal.
To be noted, the pwfeedback feature is not enabled by default in the upstream version of sudo or many other packages. However, some Linux distributions, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.
... To determine if your sudoers configuration is affected, you can run sudo -l command on your Linux or macOS terminal to find whether the "pwfeedback" option is enabled and listed in the "Matching Defaults entries" output.
... Joe Vennix last year reported a similar impact vulnerability in Sudo that could have been exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295."
Apple said:
About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.2
Impact: Certain configurations may allow a local attacker to execute arbitrary code
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2019-18634: Apple
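The `sudo -l` check described in the Hacker News excerpt above, as an added shell example that is not part of the original posts or the quoted articles: it reads `sudo -l` output and reports the pwfeedback state from the "Matching Defaults entries" section only, so a command line that merely mentions the word is not counted. The function names and both sample outputs (user `alice`, host `mint-box`) are constructed for illustration, and it assumes a disabled flag is listed as `!pwfeedback`.

```shell
#!/bin/sh
# Added example. Real use:  sudo -l | pwfeedback_state
# Prints "enabled", "disabled" or "not-listed".

pwfeedback_state() {
    awk '
        /^Matching Defaults entries/ { in_defaults = 1; next }
        # An unindented line (e.g. "User ... may run ...") ends the section.
        in_defaults && /^[^ \t]/     { in_defaults = 0 }
        in_defaults {
            n = split($0, opts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[i])   # trim whitespace
                if (opts[i] == "pwfeedback")  state = "enabled"
                if (opts[i] == "!pwfeedback") state = "disabled"
            }
        }
        END { print (state == "" ? "not-listed" : state) }
    '
}

# Constructed sample: a sudoers policy with pwfeedback turned on.
sample_affected() {
cat <<'EOF'
Matching Defaults entries for alice on mint-box:
    env_reset, mail_badpass, pwfeedback,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin

User alice may run the following commands on mint-box:
    (ALL : ALL) ALL
EOF
}

# Constructed sample: flag explicitly negated; the word also appears in a command.
sample_negated() {
cat <<'EOF'
Matching Defaults entries for alice on mint-box:
    env_reset, !pwfeedback

User alice may run the following commands on mint-box:
    (root) /bin/grep pwfeedback /etc/sudoers
EOF
}

echo "affected sample: $(sample_affected | pwfeedback_state)"
echo "negated sample:  $(sample_negated | pwfeedback_state)"
```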
Eclectic Light Co. said:
Hardening and notarization finally arrive in Catalina
From today, 3 February, Catalina 10.15.3 finally reaches what Apple had intended to be its launch point: all newly-built apps and command tools for Catalina are now required to be both hardened and properly notarized. This doesn’t mean that you can’t run apps or tools which aren’t, indeed you can still run completely unsigned apps if you wish. But if an app has been signed from today onwards and you expect it to pass Gatekeeper’s full first run checks, hardening and full notarization are no longer optional.
... Over the coming weeks and months, we should finally start to see whether all this effort has been worth it, and does change the threat landscape in our favour.
Eclectic Light Co. said:
Apple has pushed updates to XProtect and MRT
Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2113, dated 5 February 2020, and to its malware removal tool MRT, bringing it to version 1.54, also dated 5 February 2020.
Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names. Examination of the XProtect data files shows only minor amendments, with the naming of five signatures which were already in the Yara file. No new detection signatures appear to have been added at all.
Thanks for the heads-up! Running macOS 10.12.6 here. Used the SilentKnight app to get the updates and the following info:

Apple has pushed out new versions of its invisible anti-malware files, XProtect and MRT. (The updates are installed on macOS 10.12.6 Sierra, despite Apple having abandoned this macOS for other security updates.)

Everything is working so far.

Finding available software
Software Update found the following new or updated software:
MRTConfigData (1.54), 4100K [recommended]
XProtectPlistConfigData (2113), 68K [recommended]
Installing MRTConfigData, XProtectPlistConfigData
Done with MRTConfigData
Done with XProtectPlistConfigData