Google Chrome security patches

Google Chrome has another security update today with patches for high-priority vulnerabilities in the latest release.

The cross-platform web browser from Google Inc. utilizes a hidden auto-update daemon and agent that wrecked Mac systems and wreaked other havoc, plus other proprietary Google additions on top of its open-source platform.

Google Chrome 83.0.4103.97 is a free download for OS X 10.10 and later, as well as Linux and Windows.

Google Chrome for iOS 83.0.4103.88 is a free download for iOS 12 and up.

Apple additional security patches

In addition to a big batch of macOS security and bug fixes, Apple issued security patches for its Safari web browser (for macOS 10.13 and later), plus Apple Windows software, as well as tvOS and delayed notes about recent iOS and watchOS security patches.

Google Chrome major security update

Google Chrome has a major security update today in the latest release with patches for high-priority vulnerabilities (38 in all) plus a “massive security overhaul,” as BleepingComputer reports:

Google has released Chrome 83 today, May 19th, 2020, to the Stable desktop channel, and it includes massive security and privacy enhancements as well as some long awaited features. In this massive release, users are getting a redesigned Privacy and security settings section, better control over cookies, a new Safety Check feature, improved DoH settings, new Enhanced Safe Browsing feature, Tab Groups, and more.

The cross-platform web browser from Google Inc. utilizes a hidden auto-update daemon and agent that wrecked Mac systems and wreaked other havoc, plus other proprietary Google additions on top of its open-source platform.

Google Chrome 83.0.4103.61 is a free download for OS X 10.10 and later, as well as Linux and Windows.

Google Chrome for iOS 81.0.4044.124 is a free download for iOS 12 and up.

Adobe Acrobat/Reader security flaws critical

Critical security flaws in Adobe Acrobat Reader and Adobe Acrobat allow takeover of a victim’s Mac with all-powerful “root” privileges. Adobe issued patches for this and also for security flaws in Adobe’s DNG SDK software. See MacInTouch discussions for important details about prerequisites for Adobe’s patches.

Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently
Today, Adobe Acrobat Reader DC for macOS patched three critical vulnerabilities (CVE-2020-9615, CVE-2020-9614, CVE-2020-9613) I reported. The only requirement needed to trigger the vulnerabilities is that Adobe Acrobat Reader DC has been installed. A normal user on macOS (with SIP enabled) can locally exploit this vulnerability chain to elevate privilege to the ROOT without a user being aware. In this blog, I will analyze the details of vulnerabilities and show how to exploit them.

Adobe Acrobat and Reader | APSB20-24
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution

Adobe DNG SDK | APSB20-26
Adobe has released an update for the Adobe DNG Software Development Kit (SDK) for Windows and macOS. This update resolves multiple Heap Overflow and Out-of-Bounds Read vulnerabilities that could lead to Remote Code Execution and Information Disclosure respectively.

Signal

Signal is a secure, cross-platform communications system that offers encrypted voice calls, text messaging and group chat, video calls and the ability to send a photo, video or document.

Other features include a simple user interface (especially in comparison with Apple’s Messages app), and good performance, even over limited bandwidth connections. The app can communicate with other Signal users it finds via your iPhone Contacts after you activate your phone number on the system. (See Signal support pages for more details.)

Signal Private Messenger 3.6.1 is a free, open-source download for iOS 10 and up.

Signal Desktop 1.32.1 is a free app for OS X 10.10 and up, Linux (Debian-based) or Windows, linking to your iPhone Signal account (with the phone scanning a QR code that’s displayed on the Mac screen).

As an Open Source project supported by grants and donations, Signal can put users first. There are no ads, no affiliate marketers, no creepy tracking. Just open technology for a fast, simple, and secure messaging experience.

Discussions

Backup notes talk about Time Machine issues and macOS process priorities, Time Capsule hard drive compatibility, ChronoSync, etc.

MacInTouch Community discussions also include the following topics (among others):

BusKill

BusKill is a simple system/method from Michael Altfield for protecting your data from laptop thefts, etc.

Let’s consider a scenario: You’re at a public location (let’s say a cafe) while necessarily authenticated into some super important service (let’s say online banking). But what if–after you’ve carefully authenticated–someone snatch-and-runs with your laptop? Maybe you can call your bank to freeze your accounts before they’ve done significant financial harm. Maybe you can’t. Or maybe your laptop was connected to your work VPN. In less than 60 seconds and with the help of a rubber ducky, the thief could literally cause millions of dollars in damages to your organization. Surely there must be some solution to trigger your computer to lock, shutdown, or self-destruct when it’s physically separated from you! There is: I call it BusKill. Surprisingly, I couldn’t find a low-tech solution that implements a laptop kill cord, so I decided to build one myself for ~$20 and a simple udev rule.