
Apple security and privacy


Ric Ford

MacInTouch
This looks like a pretty big security hole:
Wired said:
Malware Has a New Way to Hide on Your Mac
... "Once you have opened an app, you will never get a code signature check ever again on macOS," Reed says. "So even if it has been maliciously modified or damaged and the code signature is invalid, the OS will not check it again. That provides a big open window for malware persistence. If the malware can infect some of your apps that are already on disk then it can get in there and stay hidden—you’ll never think to look for it there and it can run in the background without you being any the wiser." ...
 


Thanks, guys, for helpful hints. As I did the Sierra patch on an external a while back, I am not certain, but I think I did do the macOS Post Install. Perhaps I didn't, or it did not do its thing correctly. I will give that another try. This might be a way to get an older unsupported Mac some measure of Apple support (security fixes at least).
I recently used Dosdude1's Sierra patch on a 2008 Mac Pro 3,1 with a flashed ATI Radeon HD5770 video card and internal SSD's on a Sonnet SATA III PCIe card. I did a clean install on a Samsung 860 EVO, followed the instructions and had a good result. The App Store offered to install updates to iTunes, Safari, and the Sierra 2018-004 security patch.

My usual practice under earlier Mac OSes was to download security updates and "manually" install them; I did that with the last Sierra update, and the install failed, complaining that my hardware was not supported. I then let the App Store do its thing, and that seems to have worked as expected.

This old Mac is still pretty close to adequate for what I do, and I hope to keep it in service until Apple makes the replacement I want, which is, of course, an iffy proposition.
 


I just upgraded to Safari 12 on my 2015 MacBook Pro running macOS 10.13.6. I am away from home, so this is my only computer. The upgrade deleted the 1Password extension, because "Safari no longer allows unsafe extensions".

Safari 12 refuses to install the 1Password extension from AgileBits. I have dozens of critical passwords for financial and business sites stored there that I use every day.

Is there a known solution to this? Can I downgrade back to Safari 11?
 


Safari 12 refuses to install the 1Password extension from AgileBits. I have dozens of critical passwords for financial and business sites stored there that I use every day.
I upgraded my wife's 2015 MacBook Air running macOS 10.12.6 to Safari 12. It did not complain about the 1Password extension, which is still present and functioning. It's possible that Safari acts differently under Sierra than High Sierra.
 


I just upgraded to Safari 12 on my 2015 MacBook Pro running macOS 10.13.6. I am away from home, so this is my only computer. The upgrade deleted the 1Password extension, because "Safari no longer allows unsafe extensions".

Safari 12 refuses to install the 1Password extension from AgileBits. I have dozens of critical passwords for financial and business sites stored there that I use every day.

Is there a known solution to this? Can I downgrade back to Safari 11?
Can you install the extension direct from safari-extensions.apple.com rather than from AgileBits?
 


Regarding Jim Noble's problem with the 1Password extension in Safari 12: I haven't used the extension for quite a while. I just use regular 1Password Mini in the menu bar. When it doesn't work directly to put in the ID and password, I just copy and paste. The extension is merely a shortcut; 1Password still works as it always has.

I also have some of my non-critical IDs and passwords stored in Safari, so they come up automatically.
 


I just upgraded to Safari 12 on my 2015 MacBook Pro running macOS 10.13.6. I am away from home, so this is my only computer. The upgrade deleted the 1Password extension, because "Safari no longer allows unsafe extensions".

Safari 12 refuses to install the 1Password extension from AgileBits. I have dozens of critical passwords for financial and business sites stored there that I use every day.

Is there a known solution to this? Can I downgrade back to Safari 11?
This is solved by upgrading to the latest 1Password (7.2.1) - of course if you are still on 1Password 6, there is a cost to upgrade to 1Password 7, which has the new form of extension needed for Safari 12. Currently, you need to download 1Password 7.2.1 directly, as it is not yet shown under "check for updates", unless you are using Mojave. This will change in the next few days.
 


I just upgraded to Safari 12 on my 2015 MacBook Pro running macOS 10.13.6. I am away from home, so this is my only computer. The upgrade deleted the 1Password extension, because "Safari no longer allows unsafe extensions".

Safari 12 refuses to install the 1Password extension from AgileBits. I have dozens of critical passwords for financial and business sites stored there that I use every day.

Is there a known solution to this? Can I downgrade back to Safari 11?
Not a solution for you, but I also run macOS 10.13.6 and have upgraded to Safari 12, and the extension is still present in Safari after the update. I am on an iMac 18,2 model.
 


This is solved by upgrading to the latest 1Password (7.2.1) - of course if you are still on 1Password 6, there is a cost to upgrade to 1Password 7, which has the new form of extension needed for Safari 12. Currently, you need to download 1Password 7.2.1 directly, as it is not yet shown under "check for updates", unless you are using Mojave. This will change in the next few days.
I'm still running 1Password version 6.8.8, with its extension version 4.7.3 in Safari 12 under Mojave, without problems. I believe I took a look at 1Password 7 when it became available and concluded that it didn't really offer me anything except (at the time) more eye candy and the option of a subscription licensing model (no thanks). Maybe I'll buy a new standalone license when 8.0 is released.
 


I'm still running 1Password version 6.8.8, with its extension version 4.7.3 in Safari 12 under Mojave, without problems. I believe I took a look at 1Password 7 when it became available and concluded that it didn't really offer me anything except (at the time) more eye candy and the option of a subscription licensing model (no thanks). Maybe I'll buy a new standalone license when 8.0 is released.
I am also running this combination (6.8.8, 4.7.3) with no problems under Mojave and Safari 12. I believe I had to grant some permissions on first run. But 1Password has been behaving as before.

Somehow I got upgraded to 1Password 7.2 on iOS. With iOS 12, 1Password takes advantage of the new features and is integrated much better into Safari - a big improvement in productivity.
 



This is solved by upgrading to the latest 1Password (7.2.1) - of course if you are still on 1Password 6, there is a cost to upgrade to 1Password 7, which has the new form of extension needed for Safari 12. Currently, you need to download 1Password 7.2.1 directly, as it is not yet shown under "check for updates", unless you are using Mojave. This will change in the next few days.
I just upgraded to Safari 12 on my 2015 MacBook Pro running macOS 10.13.6. I am away from home, so this is my only computer. The upgrade deleted the 1Password extension, because "Safari no longer allows unsafe extensions".

Safari 12 refuses to install the 1Password extension from AgileBits. I have dozens of critical passwords for financial and business sites stored there that I use every day.

Is there a known solution to this? Can I downgrade back to Safari 11?
If you are running 1Password 6 you might try installing the Safari extension from here:

 



This looks like a pretty big security hole:
Malware Has a New Way to Hide on Your Mac
In the article Thomas Reed points out that applications can easily perform a code signature check at every launch and avoid the issue. According to Thomas and the article, most apps don't check the signature on every launch and therein lies a problem.

Apple and Gatekeeper, on the other hand, try to protect the user with a code check on the app's initial launch [but] decided not to check the signature on subsequent launches because [I think] users detest the constant nags. I haven't checked Apple docs on this topic recently, but if I remember correctly, Apple strongly suggested including all the signature checks in the app's code.
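
As an added example (not part of the original posts), the missing re-check discussed above can also be run from the outside: this sweep re-verifies the signature of every app bundle in a folder with macOS's `codesign` tool, going beyond the per-app self-check the post mentions. The function names and the `CODESIGN` override variable are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: re-verify code signatures of apps that are already on disk,
# since the OS checks them only on first launch.
# CODESIGN is an illustrative override (assumption); default is macOS codesign.
CODESIGN="${CODESIGN:-codesign}"

# verify_app APP_PATH
# Prints "<STATUS><TAB><path>" where STATUS is OK, UNSIGNED or INVALID.
# Returns 0 only when the signature (including nested code) verifies.
verify_app() {
    local app="$1" out
    if out="$("$CODESIGN" --verify --deep --strict "$app" 2>&1)"; then
        printf 'OK\t%s\n' "$app"
        return 0
    fi
    case "$out" in
        # codesign reports never-signed bundles with this message
        *"not signed at all"*) printf 'UNSIGNED\t%s\n' "$app" ;;
        # anything else: modified code, missing or altered sealed resources, ...
        *)                     printf 'INVALID\t%s\n' "$app" ;;
    esac
    return 1
}

# audit_apps [DIR]
# Checks every .app bundle directly under DIR (default /Applications).
# Returns non-zero if at least one bundle failed verification.
audit_apps() {
    local dir="${1:-/Applications}" app bad=0
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue        # skip when the glob matched nothing
        verify_app "$app" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# When called with a directory argument, run the sweep on it.
if [ "$#" -gt 0 ]; then
    audit_apps "$1"
fi
```

An `INVALID` result for an app that previously verified is the case worth investigating; `UNSIGNED` is common for older or self-built software and has to be judged against what you installed.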
 


I just upgraded to Safari 12 on my 2015 MacBook Pro running macOS 10.13.6. I am away from home, so this is my only computer. The upgrade deleted the 1Password extension, because "Safari no longer allows unsafe extensions".

Safari 12 refuses to install the 1Password extension from AgileBits. I have dozens of critical passwords for financial and business sites stored there that I use every day.

Is there a known solution to this? Can I downgrade back to Safari 11?
I still had the old 1Password extension (4.7.x) loaded after updating to Safari 12 on macOS 10.13.6 with 1Password 7.2.1, and was having some functionality issues. I recalled that AgileBits says the separate extension is no longer necessary. But it had not appeared.

So I uninstalled the 4.7.x extension from Safari 12, downloaded the latest 1Password installer (7.2.1). I closed Safari and re-installed 1Password. When I reopened Safari 12, the 1Password extension was present under Preferences > Extension. The version information says "1Password 7.2.1 from 1Password 7". Seems to work as in days of old.
 


Ric Ford

MacInTouch
iOS 12.0.1 is an update that patches security holes for Apple's 64-bit iPhones, iPads and iPods:
Apple said:
About the security content of iOS 12.0.1
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
VoiceOver
A local attacker may be able to view photos and contacts from the lock screen

Quick Look
A local attacker may be able to share items from the lock screen
Apple also patched security flaws in its Windows iCloud software:
Apple said:
About the security content of iCloud for Windows 7.7
  • A malicious website may be able to execute scripts in the context of another website
  • A malicious website may cause unexpected cross-origin behavior
  • A malicious website may exfiltrate image data cross-origin
  • Cross-origin SecurityErrors includes the accessed frame’s origin
  • Processing maliciously crafted web content may lead to arbitrary code execution
  • Unexpected interaction causes an ASSERT failure
 


Ric Ford

MacInTouch
Apple apparently posted invisible security updates on Oct. 5 (listed on my macOS 10.12.6 system):

XProtect version 2100
Gatekeeper version 155
 


I found those updates when I was checking the Mojave install:
Code:
Gatekeeper Configuration Data: 155 2018-09-28 19:56:21 +0000
Gatekeeper Configuration Data: 140 2018-09-28 19:56:19 +0000
XProtectPlistConfigData: 2100 2018-09-28 19:56:16 +0000
Checked by SystHist at: 2018-10-10 18:56:54 +0000
 


Apple apparently posted invisible security updates on Oct. 5:
XProtect version 2100
Gatekeeper version 155
Still on El Capitan [OS X 10.11], I did get those same versions of XProtect 2100 on Sept. 28 and Gatekeeper 155 Sept 25. I did not expect Apple to put any out for El Cap once Mojave was released. Those might be the last El Cap might ever get.
 



No, Apple still keeps Mavericks and above up-to-date with XProtect updates and Mountain Lion and above for Gatekeeper.
Thanks for info (where'd you find that policy statement?). That, at least, is some good news for those of us with older, still-working Macs. I thought there would be no security updates or bug fixes for unsupported older OS X versions (as Apple has supported in the past only two versions back from the current shipping version).
 


where'd you find that policy statement?
Surely you jest. I have never seen a public-facing policy on either background security and database updates or OS updates, so all we have to go on is observation. I suspect those policies differ because background updates don't require testing, since they only involve data updates, whereas bug and security updates are code changes of processes that must be tested before release, which require significant engineering resources.

In any case, my statement above comes from checking the Software Update Catalog and observing what is currently being provided for each OS for Mac OS X 10.6.8 and above.
 


Apple apparently posted invisible security updates on Oct. 5 (listed on my macOS 10.12.6 system):
XProtect version 2100
Gatekeeper version 155
Thanks, Ric and James, for mentioning LockRattler, which checks for Apple’s invisible security updates. The terminal commands have always worked in the past, but since I upgraded to Sierra, the softwareupdate --background-critical is not updating these. LockRattler did work. Eclectic Light Company (Howard Oakley) does have a lot of other useful tools. These days, I try to avoid installing anything, not knowing if there are nefarious implications, but I’m trusting these.

Taccy 1.0b5, which explores an application’s privacy access, is also helpful. Mousing over any checkbox in any category, like Calendars and Contacts, displays “shows whether uploaded to iCloud”, which sounds wrong. The manual doesn’t address this, and it is a beta. It’s a good peek into what an application can access.
 


Ric Ford

MacInTouch
Taccy 1.0b5, which explores an application’s privacy access, is also helpful.
Thanks for pointing that out! I just tried it in macOS Sierra with some random apps and was very surprised to see the Swinsian music player accessing my Contacts. Yet System Preferences > Security & Privacy > Privacy > Contacts doesn't list it, and I'm confused about what's going on, exactly. Even more interesting is what Howard found with Apple's App Store app in Mojave:
Taccy documentation said:
Finally, Apple’s App Store app in Mojave was again built against the 10.14 SDK using an Apple internal version of Xcode. It contains no usage strings at all, both public and private entitlements to access the Camera, and a private entitlement to the address book.
 


Ric Ford

MacInTouch
Here's more on the very serious issue of forced iPhone unlocking:
And here's an interesting, related issue:
Motherboard said:
Cops Told ‘Don’t Look’ at New iPhones to Avoid Face ID Lock-Out
As Apple continues to update its iPhones with new security features, law enforcement and other investigators are constantly playing catch-up, trying to find the best way to circumvent the protections or to grab evidence. Last month, Forbes reported the first known instance of a search warrant being used to unlock a suspect’s iPhone X with their own face, leveraging the iPhone X’s Face ID feature.

But Face ID can of course also work against law enforcement—too many failed attempts with the ‘wrong’ face can force the iPhone to request a potentially harder to obtain passcode instead. Taking advantage of legal differences in how passcodes are protected, US law enforcement have forced people to unlock their devices with not just their face but their fingerprints too. But still, in a set of presentation slides obtained by Motherboard this week, one company specialising in mobile forensics is telling investigators not to even look at phones with Face ID, because they might accidentally trigger this mechanism.
 


Ric Ford

MacInTouch
An interesting, and somewhat mysterious, Apple ID problem in China:
Reuters said:
China's Alipay says stolen Apple IDs behind thefts of users' money
Ant Financial’s Alipay, the operator of one of China’s top two mobile payment apps, said hackers have taken an unknown amount of money from accounts using stolen Apple Inc IDs and the issue remains unresolved despite reaching out to the U.S. giant.

Alipay said in a post on its Toutiao social media account on Wednesday that users who have linked their accounts using Apple IDs should lower transaction limits.

“Alipay has contacted Apple many times...and the issue has not been resolved,” the post said.
 


I have a new problem that I'm sure someone here has solved.

I woke up this morning with a message that my Apple ID was being used to sign in to a computer far, far away, and to change my password if, blah, blah, blah.

So I did.

After which nothing tied to my old password worked - as it should be, right? Except - when prompted to enter the new password, that did not work. Frustrated, I tried that enough times to lock the account and for the system to demand a new, new password.

So I did that.

Now, my iPhone is asking for a password (for iCloud related functions) every 15 minutes or so, but - you guessed it - the new password keeps being denied. I don't dare keep trying - and the new, new password, which worked earlier today to sign in to iCloud now no longer works.

Any ideas about what's going on here, and how to set up a new, new, new iCloud/Apple ID password (are those the same thing?), and then to sync them across all devices?

Thanks.
 


I woke up this morning with a message that my Apple ID was being used to sign in to a computer far, far away, and to change my password if, blah, blah, blah.
So I did....
How did you go about it? Did you click on a link included with the message, or did you do the correct thing by following these instructions:

If the former, you may well have been phished for your Apple ID and old password. Such messages are extremely common these days, as these credentials are highly sought and worth a lot of bitcoins on the dark web.
 

