Apple security
 


2017-09-27 at 12:05 #25737   (41)
(2017-09-26 at 18:51)Ric Ford wrote:  
(2017-09-26 at 15:55)George wrote:  ... If Ric is correct, and I've found only evidence to support his conclusion and none to contradict it, Apple just threw Sierra 10.12 under the bus....
... To say this is "unacceptable" would be a gross understatement...
Time for all readers of this forum to flood Apple feedback with a complaint about lack of security updates for Yosemite, El Cap, and Low Sierra.

  https://www.apple.com/feedback/

This is beyond irresponsible of Apple. Let's go with arrogant or condescending towards its Mac OS X customer base. It reeks of Equifax having a patch for the vulnerability in its database for months without implementing it, then getting hacked big time, placing 145 million people in financial jeopardy with almost no recourse.

Is it going to take a massive hack of OS X 10.10 - 10.12 users for Apple to acquiesce? I hope not...


2017-09-27 at 12:20 #25740   (42)
(2017-09-26 at 14:56)David Charlap wrote:  No word (yet) about what those bug fixes actually are.
Here's what US-CERT says:

Apple has released iOS 11.0.1 to address vulnerabilities in previous versions of iOS. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Apple security page for iOS 11.0.1 (link is external) and apply the necessary update.
But the Apple security page linked to in the CERT announcement only says "iOS 11.0.1 includes the security content of iOS 11."


2017-09-27 at 13:17 #25757   (43)
Steven May
(2017-09-27 at 03:29)alvarnell wrote:  ...but I will add that this is not at all unprecedented...

My only guess is that Apple wants all users with Macs capable of running High Sierra to take advantage of High Sierra's security features...
Unprecedented or not is irrelevant. I agree with Ric that those implementing policy at Apple are not looking out for the folks.

"Security" is an illusion. When governments, banks, and credit reporting bureaus are getting hacked on a daily basis, what makes you think little Mac systems are secure? Apple puts out new systems and then immediately puts out security "fixes". And then keeps issuing security fixes, until they decide not to any more. Was Snow Leopard ever secure? Nope.

Security is a marketing illusion that Apple uses to sell more stuff.


2017-09-27 at 19:09 #25818   (44)
It's surprising nobody has commented on Apple's error regarding the version number for Lion on their "About the security content of macOS High Sierra" webpage. They state repeatedly "OS X Lion 10.8". I've always known Lion to be version 10.7!

Alternatively, the number might not be the error, and what they meant was Mountain Lion.

I'm curious to see how long it will take Apple to correct this error.


2017-09-27 at 22:03 #25841   (45)
George
(2017-09-27 at 19:09)ScottBever wrote:  It's surprising nobody has commented on Apple's error regarding the version number for Lion on their "About the security content of macOS High Sierra" webpage. They state repeatedly "OS X Lion 10.8". I've always known Lion to be version 10.7!
Alternatively, the number might not be the error, and what they meant was Mountain Lion.
I'm curious to see how long it will take Apple to correct this error.
Hey, Scott, Ric and I talked about that "off the record." It's a pretty puzzling error. A last gasp of Bing search on Siri before Google returned?

Whatever. While the error may be a sign the Titanic has hit the iceberg, I'm more concerned with the substance than what's probably an oversight or typo. In releasing Yosemite 10.10.3 to fix "rootpipe," Apple tossed every earlier version overboard. So, if Apple isn't providing security updates for versions earlier than "High Sierra," this isn't the first time.

Keeping with the nautical motif, we're between the Devil and the Deep Blue Sea. Keep running systems with publicized open vulnerabilities, or jump ship to a new OS version that hasn't passed its sea trials? I'm concerned about APFS force-converting SSDs. There are always leaks that seem to get plugged in a later dot version. And the danger of valuable software and peripherals being left on the dock when sailing on a new vessel.


2017-09-28 at 10:26 #25882   (46)
(2017-09-27 at 12:05)Dewey V wrote:  Time for all readers of this forum to flood Apple feedback with a complaint about lack of security updates for Yosemite, El Cap, and Low Sierra.
  https://www.apple.com/feedback/
This is beyond irresponsible of Apple. Let's go with arrogant or condescending towards its Mac OS X customer base. It reeks of Equifax having a patch for the vulnerability in its database for months without implementing it, then getting hacked big time, placing 145 million people in financial jeopardy with almost no recourse. Is it going to take a massive hack of OS X 10.10 - 10.12 users for Apple to acquiesce? I hope not...
I just left feedback for Apple, and urge all of you who are concerned about this to do likewise.


2017-09-28 at 13:25 #25920   (47)
MikeN
(2017-09-28 at 10:26)Kathryn Jenkins wrote:  
(2017-09-27 at 12:05)Dewey V wrote:  Time for all readers of this forum to flood Apple feedback with a complaint about lack of security updates for Yosemite, El Cap, and Low Sierra.
  https://www.apple.com/feedback/
This is beyond irresponsible of Apple. Let's go with arrogant or condescending towards its Mac OS X customer base. It reeks of Equifax having a patch for the vulnerability in its database for months without implementing it, then getting hacked big time, placing 145 million people in financial jeopardy with almost no recourse. Is it going to take a massive hack of OS X 10.10 - 10.12 users for Apple to acquiesce? I hope not...
I just left feedback for Apple, and urge all of you who are concerned about this to do likewise.
This feedback channel appears to be a black hole. I keep hearing that "Apple listens". To its customers? Evidently not. In all those years, not a single bug report, feature request or complaint got an answer.

The list of serious bugs and security vulnerabilities left open in older systems keeps growing at a rate that I do not know how loud I will have to laugh if I hear the next time that Apple supports an OS two versions back.

Use the published emails of the execs.
Use the developer bug reporting channel.
That way you might at least receive an answer. Even if it is the usual empty psycho babble now cultivated there.

"Apple, this is broken."
"I am sorry that you feel that it is broken, but it works as designed."
"So – it is broken by design?"


2017-09-28 at 18:51 #25963   (48)
George
Is "Apple Feedback" ineffective? Is it a "black hole?"

I really do remember being excited about improvements back in the earlier days of OS X when Apple introduced new versions. I bought an iBook "G3 Snow" in 2001 that delivered with, I think, Mac OS X 10.0.4, but to do anything it needed the old fashioned Mac OS 9. Updated through Tiger, 10.4.11, hugely better than the original, and useful well into 2007, or even later, as I've lost track of when Tiger ceased receiving security updates.

Think Tim Cook and his fellow executives aren't aware that Apple is condemning Sierra and El Cap to the scrapheap by requiring installation of 10.13 "High Sierra" to patch vulnerabilities?

There's a possibility Apple will release patches for Sierra and maybe El Cap in the "near future." If so, we won't be told ahead of time, as that would lower the conversion rate. In the meantime, those of us who haven't moved along are exposed to vulnerabilities Apple told the hacking community are "open."

Can't imagine any amount of feedback demanding security updates for Sierra would move the needle.


2017-09-29 at 12:50 #26007   (49)
Dan Goodin wrote: An alarming number of patched Macs remain vulnerable to stealthy firmware hacks
   An alarming number of Macs remain vulnerable to known exploits that completely undermine their security and are almost impossible to detect or fix even after receiving all security updates available from Apple, a comprehensive study [PDF] released Friday has concluded.
   The exposure results from known vulnerabilities that remain in the Extensible Firmware Interface, or EFI, which is the software located on a computer motherboard that runs first when a Mac is turned on. EFI identifies what hardware components are available, starts those components up, and hands them over to the operating system. Over the past few years, Apple has released updates that patch a host of critical EFI vulnerabilities exploited by attacks known as Thunderstrike and ThunderStrike 2, as well as a recently disclosed CIA attack tool known as Sonic Screwdriver.
Duo Labs wrote: The Apple of Your EFI: Mac Firmware Security Research
   We are really excited to give a talk at Ekoparty in Buenos Aires on September 29th, 2017 covering some recent research we have done on the security support being given to Apple’s EFI firmware. To accompany the conference talk, we are also releasing a technical paper that goes into greater detail covering the data we collected during our analysis.
   In addition to the paper, we’re also pleased to be able to release some of the tooling and APIs we have developed during this work with the aim of helping Apple Mac users and admins get better visibility to the state of the EFI their Mac systems are running and any potential problems there may be. This blog post summarizes some of the main areas of the research and interesting things we found during our analysis and acts as an accessible introduction to the technical paper which can be downloaded from the link below.

...What is the TL;DR of What We Found?

Our research has shown there are considerable discrepancies in how Apple provides security support to its EFI firmware as compared to how they support the security of the OS and software. These discrepancies come in a variety of forms that are related but distinct. A high-level summary of what our analysis highlighted is summarized below:
  • There was a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running. This creates the situation where admins and users have installed the latest OS or security update, but for some reason, the EFI was not updated. Compounding this issue is the lack of notifications provided to the user to inform them that they are running an unexpected version of EFI firmware. This means that users and admins are often blind to the fact that their system’s EFI may continue to be vulnerable.

  • The security support provided for EFI firmware depends on the hardware model of Mac. Some Macs have received regular EFI updates, some have only been updated after particular vulnerabilities have been discovered, others have never seen an update to their EFI.

  • The security support provided for EFI firmware also depends on the version of the OS a system is running. A Mac model running OS X 10.11 can receive distinctly different updates to its EFI than the same Mac model running macOS 10.12. This creates the confusing situation where a system is fully patched and up to date with respect to its software, but is not fully patched with respect to its EFI firmware - we called this software secure but firmware vulnerable.

  • For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates. Further compounding this issue is the difficulty for end users to find out exactly which systems are receiving EFI updates (in particular, an OS or security update) as well as which security issues a particular version of EFI may be vulnerable to.

  • Our analysis also highlighted a number of other discrepancies related to the security support provided to EFI firmware. One example being a security update released in early 2017 that appears to erroneously contain older versions of EFI firmware than the security update that preceded it in late 2016. There were also a number of instances where individual models of Mac stood out in their absence of receiving EFI updates despite closely-related systems receiving updates. Some of these findings raise questions around the level of QA being applied to the EFI firmware components of Apple’s OS and security updates.


2017-09-29 at 14:27 #26017   (50)
Guest
(2017-09-28 at 13:25)MikeN wrote:  
(2017-09-28 at 10:26)Kathryn Jenkins wrote:  I just left feedback for Apple, and urge all of you who are concerned about this to do likewise.
This feedback channel appears to be a black hole. I keep hearing that "Apple listens". To its customers? Evidently not. In all those years, not a single bug report, feature request or complaint got an answer.
   The list of serious bugs and security vulnerabilities left open in older systems keeps growing at a rate that I do not know how loud I will have to laugh if I hear the next time that Apple supports an OS two versions back.
   Use the published emails of the execs.
   Use the developer bug reporting channel.
That way you might at least receive an answer. Even if it is the usual empty psycho babble now cultivated there.
"Apple, this is broken."
"I am sorry that you feel that it is broken, but it works as designed."
"So – it is broken by design?"
Feedback to Apple will not get a response. It is a one-way channel, but it does get read. Whether or not anything comes of it will depend on the quality of the suggestion and Apple's business plans. Even if it does get acted upon, do not expect it to happen quickly - I had a feedback suggestion show up three years later. Not sure if it really was in response to my suggestion. Note that postings to Apple Forums are not feedback and generally are not viewed by anyone at Apple.

Bug reports will occasionally get a response if Apple determines they need more information. Keep in mind that usually bugs are reported by many people, and it is likely that you will not be the one contacted for more information in the rare case Apple needs it. Most likely, you will see your bug listed as a duplicate, and all the duplicate bug reports will give Apple enough information to resolve the problem, if it is a problem in their view. I have actually been contacted by Apple about a bug report I filed, so I know that they get looked at and acted upon, eventually. You are more likely to see a response or questions if you are reporting an issue with a new feature, it seems.

I am not sure what happens with reports filed as part of the public betas. My guess is they go into the same queue as the bug reports, but perhaps at a slightly higher priority for review.

Regarding bug reports - higher quality bug reports are more likely to get acted upon. If the review cannot tell what the problem is in the first reading, it is likely that the report will be discarded. This is true at all companies, not just Apple. Clear descriptions, steps to reproduce, expected and actual results, and a reason why the actual result is a problem, along with logs, screen shots, and system information are all critical. If you are not taking at least 30 minutes to an hour to file the report, then you likely are not giving the reviewers and engineers enough information to identify and fix the problem.

As a software developer and engineering manager for a variety of companies (not including Apple, yet), I can easily tell if a problem report has enough information to make it worth my or my staff's time to look into a report. If there is not enough information present, I will toss the report. There is no point having an engineer spend time trying to figure out a bug report when there are plenty of properly reported bugs they can fix or new features to work on.


2017-09-30 at 13:54 #26078   (51)
George
Responding to #26007 about insecure firmware: I've always felt it better (a lesson my IT Pro wife taught me) to let "first adopters" report back from "the bleeding edge" before updating production machines.

For that reason, I've kept auto-update off, and updated through downloaded Combo updates. Since I learned how to build USB installers, I've downloaded one and used the installer stick to update a variety of Macs, Airs, Pros, Minis, iMacs, all from one source. Without auto-updates on, isn't that an end-around "firmware updates"?

Wouldn't "enterprises" follow a similar strategy? I know many use JAMF Pro to manage Apple products.
Wouldn't these factors explain ". . . a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running."

FYI: There's a JAMF "Nation" Forum that can offer Mac insights to regular users:
   https://www.jamf.com/jamf-nation/


2017-09-30 at 16:01 #26084   (52)
Guest
(2017-09-30 at 13:54)George wrote:  Responding to #26007 about insecure firmware: I've always felt it better (a lesson my IT Pro wife taught me) to let "first adopters" report back from "the bleeding edge" before updating production machines.
That advice holds true well beyond the field of computers - why they call it "bleeding edge" - though, sometimes there is an immediate need which forces adoption quicker than testing allows.

For that reason, I've kept auto-update off, and updated through downloaded Combo updates. Since I learned how to build USB installers, I've downloaded one and used the installer stick to update a variety of Macs, Airs, Pros, Minis, iMacs, all from one source. Without auto-updates on, isn't that an end-around "firmware updates"?
It has been rare of late that Apple has released a standalone firmware update. Instead, they have been embedded into OS version and security updates. If you use the program Pacifist, you can dig through the packages to see what all is being installed.

Assuming you are installing all such updates Apple is putting out, your firmware should be up-to-date. Many who are not up-to-date with their firmware are more than likely still running older OS versions. For example, a 2012 Mac Mini running a fully updated El Capitan is going to be running an older firmware than the same computer running a fully updated Sierra or High Sierra. This is because Apple released security and firmware updates which did not make it back down to El Capitan, and Apple does not provide a way to get just the firmware update in some cases.

In the Mac Mini example, the last version of firmware available for download is MM61.0106.B0A, as part of Mac EFI Security Update 2015-002, while if you are running a fully patched macOS Sierra 10.12.6, you will have MM61.0106.B1F.

Mac mini EFI Boot ROM Updates

Wouldn't "enterprises" follow a similar strategy? I know many use JAMF Pro to manage Apple products.
Wouldn't these factors explain ". . . a surprisingly high level of discrepancy between the EFI versions we expected to find running on the real-world Mac systems and the EFI versions we actually found running."

FYI: There's a JAMF "Nation" Forum that can offer Mac insights to regular users:
   https://www.jamf.com/jamf-nation/
A well-run enterprise, though policies will vary widely due to the needs of the corporation, should be all over this. In fact, with products such as Jamf, Casper (now Jamf Pro) and even Apple's Remote Desktop, a well-run enterprise will be running reports looking for such discrepancies.

Unless you are in a bring-your-own-device (BYOD) environment, where the rules of the game are a bit different, you are going to have a strong grasp of what is in your inventory and on your networks. It is also rare you buy "one" of anything, instead buying in bulk. You are also, more than likely, going to update these within the same window of time as well. So, variations within a report of the same device will stand out.

In the past, we would have labs of Macs which would need to be updated with a major OS update. These would sometimes include a firmware update. We would push the update out to these computers and run reports afterwards. Would not be uncommon for the firmware not to update on one or more computers for unknown reasons. We would repush the update again to those specific machines. If it still failed to update all components of the upgrade, these devices would be pulled to the workbench for further inspection. Usually, it was better to just wipe the device and reimage than it was to try and diagnose.
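The "software secure but firmware vulnerable" discrepancy that the Duo Labs research (#26007) describes, and the report an admin would run to catch it (#26084), can be checked mechanically against an inventory export. This is an added example, not code from the thread, Duo Labs, Jamf or Apple; the baseline table is built only from the two Mac mini values quoted above, and the tab-separated report layout and the reading of the last Boot ROM segment as a hexadecimal build number are assumptions.

```python
"""Flag Macs whose EFI/Boot ROM is older than the baseline for their OS train."""
import re
from typing import Dict, List, Tuple

# Expected EFI version per (board id, macOS major.minor) on a fully patched
# system. Constructed for this example from the two Mac mini values quoted in
# the thread; a real baseline would be maintained from your own test machines.
EXPECTED_EFI: Dict[Tuple[str, str], str] = {
    ("MM61", "10.11"): "MM61.0106.B0A",  # El Capitan, Mac EFI Security Update 2015-002
    ("MM61", "10.12"): "MM61.0106.B1F",  # macOS Sierra 10.12.6
}

# Boot ROM strings look like BOARD.NNNN.Bxx (e.g. MM61.0106.B1F). The trailing
# two characters are treated as a hexadecimal build number for ordering; that is
# an assumption made here, not documented Apple semantics.
EFI_RE = re.compile(r"^([A-Z]+\d+)\.(\d{4})\.B([0-9A-F]{2})$")


def parse_efi(version: str) -> Tuple[str, int, int]:
    """Split an EFI version into (board id, major number, build number)."""
    m = EFI_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised EFI version: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3), 16)


def compare_efi(actual: str, expected: str) -> int:
    """Return -1 if actual is older than expected, 0 if equal, 1 if newer."""
    a_board, a_major, a_build = parse_efi(actual)
    e_board, e_major, e_build = parse_efi(expected)
    if a_board != e_board:
        raise ValueError(f"board mismatch: {a_board} vs {e_board}")
    a_key, e_key = (a_major, a_build), (e_major, e_build)
    return (a_key > e_key) - (a_key < e_key)


def os_train(os_version: str) -> str:
    """'10.12.6' -> '10.12': the EFI baseline differs per OS train, not point release."""
    return ".".join(os_version.strip().split(".")[:2])


def classify(serial: str, os_version: str, boot_rom: str) -> Tuple[str, str]:
    """Classify one inventory row as ok, firmware-vulnerable, or needing attention."""
    try:
        board, _, _ = parse_efi(boot_rom)
    except ValueError:
        return serial, "unparseable-efi"
    expected = EXPECTED_EFI.get((board, os_train(os_version)))
    if expected is None:
        return serial, "no-baseline"  # unknown model/OS pair: extend the table
    cmp = compare_efi(boot_rom, expected)
    if cmp < 0:
        return serial, f"firmware-vulnerable (has {boot_rom}, expected {expected})"
    if cmp > 0:
        # Newer than the baseline is also worth a look: the baseline is stale
        # or the machine received an update the rest of the fleet did not.
        return serial, f"newer-than-baseline (has {boot_rom}, expected {expected})"
    return serial, "ok"


def audit(report: str) -> List[Tuple[str, str]]:
    """Run classify() over a tab-separated export: header line, then one row per Mac."""
    rows = [line for line in report.splitlines() if line.strip()]
    findings = []
    for line in rows[1:]:  # skip header
        serial, _model, os_version, boot_rom = line.split("\t")
        findings.append(classify(serial, os_version, boot_rom))
    return findings


# Constructed sample export in the shape of an MDM inventory report.
# Row 3 is the case the research describes: fully patched Sierra, stale EFI.
SAMPLE_REPORT = """\
serial\tmodel\tos_version\tboot_rom
SERIAL-0001\tMacmini6,2\t10.12.6\tMM61.0106.B1F
SERIAL-0002\tMacmini6,2\t10.11.6\tMM61.0106.B0A
SERIAL-0003\tMacmini6,2\t10.12.6\tMM61.0106.B0A
SERIAL-0004\tMacmini6,2\t10.13.0\tMM61.0106.B1F
SERIAL-0005\tMacmini6,2\t10.12.6\tunknown
"""

if __name__ == "__main__":
    for serial, status in audit(SAMPLE_REPORT):
        print(f"{serial}\t{status}")
```

On a live Mac the boot_rom column corresponds to the Boot ROM Version shown by System Information; the script itself only reads the export.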


2017-09-30 at 20:40 #26094   (53)
George
Back with a counter-point to #26084:

Perhaps I should have been clearer. The multinational giant corporations where my wife worked I.T. did not send out any updates until the consequences of the updates had been thoroughly tested. Windows 7 came very late to her, because important software relied on Microsoft's proprietary divergences from standards in Internet Explorer.

In my small workplace, I don't like to "update" systems that are working just fine for the sake of a new "feature," such as Siri voice search on the desktop or Safari "intelligent tracking prevention." Being "driven" by Apple security update practice to apply general updates that change how and what Macs do, with note they seem increasingly insistent on telemetry, is more than irritating.

Am I wrong to presume enterprises with many Macs are more concerned with first testing updates to see what they might break, and the data they may phone home to Apple, than with applying them ASAP?


2017-10-01 at 00:23 #26098   (54)
(2017-09-30 at 20:40)George wrote:  Perhaps I should have been clearer. The multinational giant corporations where my wife worked I.T. did not send out any updates until the consequences of the updates had been thoroughly tested. Windows 7 came very late to her, because important software relied on Microsoft's proprietary divergences from standards in Internet Explorer.
Policies like this vary from company to company.

One former employer did just this. They were a Windows shop, but they configured every computer to completely disable access to Windows Update. Instead, they used an HP Enterprise software distribution system to push updates (to both Windows and apps) when the IT department determined them to be necessary. Some (like zero-day security updates) got pushed fairly quickly, while others might wait months. Some things (like Java, which was used extensively by corporate apps) might wait for a long time, to ensure that updates don't break those corporate apps.

Another employer simply set up our PC's to auto-update with the normal mechanism. They set up an update server on our domain so we don't end up all saturating external network connectivity, but we would pretty much get every update soon after Microsoft released them.

As a developer/engineer, I definitely prefer the latter - I want to get all the updates. I'll deal with breakage on those rare cases when it happens. But I completely understand IT's desire for the former, since they are the ones most users will complain to (and the ones the corporate bureaucracy will blame) if an update breaks something important.


2017-10-01 at 03:48 #26105   (55)
Guest
(2017-09-30 at 20:40)George wrote:  Am I wrong to presume enterprises with many Macs are more concerned with first testing updates to see what they might break, and the data they may phone home to Apple, than with applying them ASAP?
I will attempt to give you a response to the above. Looking back, I apologize for the length of these posts. Felt the content was in need of proper context. Others may chime in with more detail or to provide rebuttal to my commentary.

Things have changed a bit, especially lately, as it pertains to supporting Mac computers due to increased security concerns and complexity of the macOS. For Macs our entity owns and controls, we still do not allow any installation of a major macOS upgrade release until it reaches version x.x.3. No scientific reason, just something which has worked for us. Believe that rule dates back to MacOS 10.4 Tiger. Usually amounts to three or four months after Apple makes their announcements and rolls out in the September/October timeframe. Gives us time for our testing, for others to find the problem areas, and to allow Apple to fix any major problems. We do not run nor participate in the beta program. Updates, from version x.x.3 to x.x.4 as an example, are usually sent out less than two weeks after they are available. Security updates and similar go out in under five days. Each is less likely than the previous to cause any major problems. Firmware updates rarely cause any issues. Upgrades break things, updates fix things, is our general rule of thumb.

App updates, especially those from Apple, are another story. Those are more than likely to have features added, changed, or missing. Even with incremental version changes.

As for data being phoned home to Apple, much of that has been: turned off via settings, though that is getting tougher; pointed to internal servers, also getting tougher; blocked by our firewalls; or going out over a port not considered an issue, too difficult to block or causes a problem otherwise.

Please note that this also has an impact on our purchasing strategy for replacement equipment. Since we know when Apple ships new OS releases, we do not normally order newly announced and shipping hardware from Apple between September and February. We know these will normally come with the new OS installed and may not work with the previous version we are still running.

I have spoken with numerous IT peers over the many years at various conferences, training and trade show events. Do not believe much of the above framework changes widely or solely with the number of computers being supported. That is probably more dependent on the size of the support staff, the role they play in the larger scheme of things, and the complexity and specialty of the software being run. Corporate and IT department philosophies can dictate much of this. Also, more shops are going BYOD - why I mentioned it previously. That greatly changes the role of IT. Just try telling employees they cannot have the latest anything when they are making the purchase. And since those individuals are also the admins for their own devices, they are more likely to either install updates immediately when available, or install nothing at all.

Have seen many shops where everything the company is doing is in the cloud, and runs solely out of a web browser. Combined with Google apps (G Suite) or Office 365, there is little the IT department needs to concern themselves with beyond providing UserIDs, basic training, and general guidance. The need to test updates is something not even considered, beyond what browsers and browser versions are being supported.


2017-10-01 at 13:09 #26126   (56)
George
Thanks to David Charlap in #26098 and "Guest" in #26105 for insights into how enterprises manage Mac updates. The quote below is from Guest's post.

Things have changed a bit, especially lately, as it pertains to supporting Mac computers due to increased security concerns and complexity of the macOS. For Macs our entity owns and controls, we still do not allow any installation of a major macOS upgrade release until it reaches version x.x.3. No scientific reason, just something which has worked for us. Believe that rule dates back to MacOS 10.4 Tiger. Usually amounts to three or four months after Apple makes their announcements and rolls out in the September/October timeframe. Gives us time for our testing, for others to find the problem areas, and to allow Apple to fix any major problems. We do not run nor participate in the beta program.
The problem with waiting until v.3 before installing "High Sierra" is the lengthy list of security updates at this time unique to 10.13.

Betas? From what I've read, never having tested them, the "Golden Master" is likely to differ enough that testing would yield, at best, mixed results, thus supporting "perceived knowledge" - wait for .3

I had extended waiting until just before the next assumed version release to move into the immediate past version. e.g., I'd just moved from El Cap to Sierra and started testing to confirm the expensive printers used by our graphic artist continue to work.

Driven by "security," or lack thereof, will be testing printers on "High Sierra" instead. Very bad timing as our fiscal year tax returns are due soon and I'd removed Microsoft Office 2011 anticipating its EOL this month.

In my wife's HAL job she and most of her peers worked remotely on ThinkHal laptops running Win 7 though her last ThinkHal laptop delivered with RedHat Linux. VPN a big part of workflow. Now that HAL and Apple are co-marketing, it's been reported HAL's much reduced staff increasingly uses Macs. Would think HAL I.T. would want that list of security updates installed ASAP.


2017-10-01 at 16:00 #26132   (57)
Guest
(2017-10-01 at 13:09)George wrote:  The problem with waiting until v.3 before installing "High Sierra" is the lengthy list of security updates at this time unique to 10.13.
We are not particularly worried about any security holes still existing in Sierra. There are plenty of attack vectors we need to be worried about on a daily basis. Many of these are very obscure or require direct access to the device. Would be easier to try and trick an employee into opening an email attachment or click a fake URL. We are anticipating, though it is only a guess, that additional security updates will be made available for Sierra with the release of High Sierra 10.13.1, much as they did when Sierra 10.12.1 was released.

About the security content of macOS Sierra 10.12.1, Security Update 2016-002 El Capitan, and Security Update 2016-006 Yosemite


2017-10-02 at 04:02 #26151   (58)
(2017-10-01 at 13:09)George wrote:  Betas? From what I've read, never having tested them, the "Golden Master" is likely to differ enough that testing would yield, at best, mixed results, thus supporting "perceived knowledge"
That's not an accurate perception. Occasionally, the final beta build is identical to the release version. Most of the time, the differences are so slight that they are barely perceptible to most users. There have been a couple of notable exceptions, but those have been rare.


2017-10-02 at 18:06 #26212   (59)
George
(2017-10-02 at 04:02)betatester wrote:  
(2017-10-01 at 13:09)George wrote:  Betas? From what I've read, never having tested them, the "Golden Master" is likely to differ enough that testing would yield, at best, mixed results, thus supporting "perceived knowledge"
That's not an accurate perception. Occasionally, the final beta build is identical to the release version. Most of the time, the differences are so slight that they are barely perceptible to most users. There have been a couple of notable exceptions, but those have been rare.
Perhaps "High Sierra" is an exception in large part because of APFS, which seems (Oct. 2, 2017) to be a source of uncertainty in MacInTouch posts?


2017-10-02 at 20:19 #26224   (60)
(2017-10-02 at 18:06)George wrote:  Perhaps "High Sierra" is an exception in large part because of APFS, which seems (Oct. 2, 2017) to be a source of uncertainty in MacInTouch posts?
I suspect you may be correct, but only time will tell. The problems with APFS that I'm reading about so far fall into two general groups.
  • Some developers who must deal with low-level aspects of the file system are still awaiting final documentation from Apple, so that they can adjust their software (mostly disk utilities) to this change. The only information seemingly available is what was originally published many months ago.

  • Some users who participated in Beta testing had converted HDDs and Fusion Drives to APFS, either by the beta release itself or manually in an attempt to try and perhaps benefit from the new format. Most of these users ended up reporting problems, and since Apple was unable to resolve all of them, the final release and perhaps the last beta was changed so that it would not install on APFS HDDs and Fusion Drives, and only SSD boot drives were automatically converted.

    These instructions were made available as soon as Apple realized they had to make these changes:
      Preparing your Fusion Drive Mac for the macOS High Sierra install.
    I haven't had time to verify this, but I don't think that the High Sierra Disk Utility allows conversion of HDDs and Fusion Drives to APFS. I don't recommend reformatting any external HDDs at this time, as I'm hearing of unexplained issues with them. Under no circumstances should a Time Machine volume be formatted APFS.


2017-10-05 at 13:33 #26411   (61)
(2017-09-27 at 19:09)ScottBever wrote:  It's surprising nobody has commented on Apple's error regarding the version number for Lion on their "About the security content of macOS High Sierra" webpage. They state repeatedly "OS X Lion 10.8". I've always known Lion to be version 10.7!
Alternatively, the number might not be the error, and what they meant was Mountain Lion.
I'm curious to see how long it will take Apple to correct this error.
It took until yesterday...

Apple wrote:About the security content of macOS High Sierra 10.13

... Available for: OS X Mountain Lion 10.8 and later...

Published Date: Oct 4, 2017


2017-10-05 at 23:33 #26432   (62)
(2017-09-08 at 16:49)ObjectiveSee wrote:  High Sierra's 'Secure Kernel Extension Loading' is Broken
The update is available from Mac App Store Updates or from macOS 10.13 Supplemental

Apple wrote:About the security content of macOS High Sierra 10.13 Supplemental Update
Available for: macOS High Sierra 10.13
Impact: A malicious application can extract keychain passwords
Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.
CVE-2017-7150: Patrick Wardle of Synack


2017-10-05 at 23:58 #26434   (63)
Sophos wrote:Crazy but true – Apple’s “show hint” button reveals your actual password

It’s only eight days since Apple’s latest and greatest macOS 10.13 release, better known as High Sierra. But the first security update has already come out, and we suggest you apply it urgently.

The update is called High Sierra 10.13 Supplemental Update, detailed in the security advisory APPLE-SA-2017-10-05-1.

There are two bugs fixed; the facepalming one is described thus:

[BUG.] A local attacker may gain access to an encrypted APFS volume. If a [password] hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint.


2017-10-06 at 00:16 #26436   (64)
Guest
(2017-10-05 at 23:58)Ric Ford wrote:  
Sophos wrote:Crazy but true – Apple’s “show hint” button reveals your actual password
Now, will someone out there please tell me how this one got through testing?


2017-10-06 at 00:47 #26437   (65)
(2017-10-06 at 00:16)Guest wrote:  Now, will someone out there please tell me how this one got through testing?
It's a rather convoluted process, requiring the user to create a new APFS encrypted container and subsequently using Disk Utility to access it, but forgetting the password and asking for the Hint. Either nobody went through that exact process or they didn't notice that the hint was actually the password.


2017-10-06 at 01:22 #26438   (66)
(2017-10-06 at 00:47)alvarnell wrote:  It's a rather convoluted process, requiring the user to create a new APFS encrypted container and subsequently using Disk Utility to access it...
It doesn't seem all that convoluted to me, actually, based on the Sophos article (haven't tested it myself).

1) Format a volume as APFS Encrypted with Disk Utility (i.e. the normal, natural way to format a volume).

2) Anyone connects that drive to a Mac running 10.13, gets a password prompt, asks for hint, and gets the password.

So very not cool...


2017-10-06 at 06:35 #26445   (67)
(2017-10-06 at 01:22)Ric Ford wrote:  It doesn't seem all that convoluted to me, actually, based on the Sophos article (haven't tested it myself)....
After trying it myself, I see you are correct. The report I read indicated you needed to access it with Disk Utility again to see the problem, but I see that simply re-mounting it reveals it in Finder.


2017-10-06 at 11:19 #26455   (68)
Business Insider wrote:Apple gave Uber's app 'unprecedented' access to a secret backdoor that can record iPhone screens
... Nearly every iPhone app uses what is called an "entitlement" — basically a way for software to enable features like the camera or Apple Pay on iPhones and iPads. Most of these can be easily found and officially turned on by outside app developers.
   But there are certain entitlements that are only used by Apple, giving the company's own software tight integration with the iPhone. These bits are marked with names that start with "com.apple.private," and they are considered so sensitive that any third-party app found using them is rejected from the App Store.
   After digging around in the code for Uber's app, Strafach discovered that it uses an entitlement called "com.apple.private.allow-explicit-graphics-priority."
   "It is very odd to see Uber as the only app (I checked tens of thousands of other apps using my company’s internal dataset derived from the App Store) besides Apple’s own apps granted access to this sensitive entitlement," Strafach said in an email. Another person said that no other of the 200 top free apps use private Apple entitlements.


2017-10-06 at 13:43 #26468   (69)
Guest
(2017-10-06 at 01:22)Ric Ford wrote:  It doesn't seem all that convoluted to me, actually, based on the Sophos article (haven't tested it myself).
  1) Format a volume as APFS Encrypted with Disk Utility (i.e. the normal, natural way to format a volume).
  2) Anyone connects that drive to a Mac running 10.13, gets a password prompt, asks for hint, and gets the password.
So very not cool...
Actually, I could see this one taking some time to crop up with some frequency in the "naive user" community, if only because they're less likely to have SSDs other than their internal boot device than this readership would, and less likely to have their SSDs encrypted than, perhaps, the folks reading this site. Since the 10.13 install procedure automagically creates an APFS container and volumes (not encrypted because they probably didn't use encryption in their previous OS), the "average" user would have to back up their drives, change the container/volume type, and restore to have seen the issue.

A related note: installed 10.13 on a system at home this morning, and noted that the App Store blurb now says "updated October 5;" sure enough, checking for updates after the installation, the security update is not listed.


2017-10-06 at 14:39 #26477   (70)
(2017-10-06 at 00:16)Guest wrote:  
(2017-10-05 at 23:58)Ric Ford wrote:  
Now, will someone out there please tell me how this one got through testing?
I was running the High Sierra beta on a non-essential laptop, and reported this issue at Beta 2.

I, in fact, reported over a dozen bugs and only got a "fixed" response from Apple on one - problems with Apple Watch authentication.

So, good question.


2017-10-06 at 23:20 #26515   (71)
Here's a new vulnerability that's similar to BroadPwn but it's a separate, additional vulnerability (not the same one).

And it needs new patches... which are apparently in iOS 11 and tvOS 11 but not in iOS 10 or tvOS 10.... (Not sure about macOS.)

Sophos wrote:Chips in iPhone 7s, Androids, smart TVs vulnerable to rogue Wi-Fi
... The flaw affects a number of smartphones, including the iPhone 7 and some Android devices, as well as smart TVs running tvOS.
   This vulnerability (CVE-2017-11120) doesn’t need the victim to take any action aside from connecting to a rogue Wi-Fi network owned by the attacker—there’s no app that needs to be installed or phishy link that needs clicking. Once the victim connects their devices to the rogue network, the attacker can install a backdoor onto the victim’s device that gives them full read and write access to its firmware.
Mitre wrote:CVE-2017-11120
Security Focus Bugtraq wrote:Apple iOS and tvOS Wi-Fi Chip Multiple Arbitrary Code Execution Vulnerabilities
  Apple iOS and tvOS are prone to multiple arbitrary code-execution vulnerabilities.
  An attacker can leverage these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
  Versions prior to Apple tvOS 11 and iOS 11 are vulnerable.
Apple wrote:About the security content of iOS 11
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-11120: Gal Beniamini of Google Project Zero
CVE-2017-11121: Gal Beniamini of Google Project Zero
Apple wrote:About the security content of tvOS 11
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-11120: Gal Beniamini of Google Project Zero
CVE-2017-11121: Gal Beniamini of Google Project Zero


2017-10-07 at 01:03 #26519   (72)
(2017-10-06 at 23:20)Ric Ford wrote:  
Sophos wrote:Chips in iPhone 7s, Androids, smart TVs vulnerable to rogue Wi-Fi
This vulnerability (CVE-2017-11120) doesn’t need the victim to take any action aside from connecting to a rogue Wi-Fi network owned by the attacker—there’s no app that needs to be installed or phishy link that needs clicking. Once the victim connects their devices to the rogue network, the attacker can install a backdoor onto the victim’s device that gives them full read and write access to its firmware.
With security flaws like that running in the wild, the question isn't how could companies like Equifax and Yahoo be so lax with security that they experience data breaches, but rather how can any company not be vulnerable to catastrophic breaches? Individuals need to act accordingly to protect their own data.


2017-10-09 at 07:07 #26593   (73)
(2017-10-06 at 01:22)Ric Ford wrote:  
(2017-10-06 at 00:47)alvarnell wrote:  It's a rather convoluted process, requiring the user to create a new APFS encrypted container and subsequently using Disk Utility to access it...
It doesn't seem all that convoluted to me, actually, based on the Sophos article (haven't tested it myself)
After some additional testing by a couple of us, we cannot replicate the results described in the Sophos writeup. Formatting a fresh SSD as APFS(Encrypted) did not result in an exposed password, nor are all the dialogs the same as those shown. We can only see the issue when adding an encrypted volume to an existing APFS container. That's not something that most users will attempt and probably explains why it wasn't uncovered during testing.


2017-10-09 at 20:27 #26631   (74)
(2017-10-06 at 23:20)Ric Ford wrote:  Here's a new vulnerability that's similar to BroadPwn but it's a separate, additional vulnerability (not the same one).
   And it needs new patches... which are apparently in iOS 11 and tvOS 11 but not in iOS 10 or tvOS 10.... (Not sure about macOS.)
iOS 11 includes fixes for ten newly discovered Broadcom Wi-Fi firmware bugs:

CVE-2017-11120 and 11121 are documented. They were fixed in tvOS 11 but not watchOS 4.

CVE-2017-11122 is also documented. It was not fixed in tvOS 11 or watchOS 4.

CVE-2017-7103, 7105, 7108, 7110, 7112, 7115 and 7116 have not been documented yet. They were fixed in iOS 11, tvOS 11 and watchOS 4.

None of these fixes are included in macOS 10.13, or at least Apple hasn't documented that they are included. Apple has been releasing supplementary security notices for iOS 11 which revealed additional fixes that were already included, probably once more details were available from Broadcom.

The first three not being fixed in watchOS (and tvOS in one case) implies the Apple Watch/TV were not affected, because all these issues got fixed at the same time, and only devices with the feature that had the bug needed a fix.

Given that Apple didn't document any Wi-Fi fixes in High Sierra and the details of the issues have been published, I'm reasonably confident that the 11120, 11121 and 11122 issues do not apply to the Mac.

The undocumented 7103 to 7116 issues are less clear. The fact that these have not been documented for a week after 11120 to 11122 suggests that some platform affected by them does not yet have a fix available. This could be the Mac and/or some other platforms.

I have had a preliminary look at the downloaded Wi-Fi firmware in iOS 11 compared to iOS 10.3.3 to see which devices have changes. The picture is complicated: generally newer models (some A9 and all A10) have the greatest increase in image size, with a smaller increase for some A8/A9 models, a slight image size decrease for the remaining A8/A9 models and only a version number change with no image size change for the oldest supported A7 models.

I'm waiting to see technical details of all the issues before I do more detailed analysis or attempt to test for the existence of an issue.

Google Project Zero has a detailed blog post with two of three parts published:

  https://googleprojectzero.blogspot.co.nz...wi-fi.html
  https://googleprojectzero.blogspot.co.nz...wi-fi.html

I haven't had time to absorb them in full yet.


2017-10-10 at 11:19 #26668   (75)
MikeN
Since High Sierra got released, I receive constant reminders of a Security Update for Sierra. Unfortunately it is called Security Update Public Beta 2017-001 10.12.6. (The corresponding 'Final' was installed long ago).

Since I was dumb enough to have it install automatically, I was greeted after one such 'upgrade' with the Setup Assistant once more.
But this creeps up now on a daily basis.

Why? What is this? How to stop it? Where is the real security update we need?


2017-10-10 at 12:40 #26681   (76)
Apple updated its documentation on Safari 11 security patches:

  https://support.apple.com/en-us/HT208116


2017-10-10 at 13:44 #26690   (77)
Felix Krause wrote:iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking
   Do you want the user's Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so.
...
I've reported this as a radar, which you can dupe: rdar://34885659
   Apple ID password prompts can easily be replicated, phishing attacks easily possible
The real fix is for the system pop-ups to be visually distinguished in a way inaccessible to user code, like changing the title bar in a way app developers cannot do.


2017-10-10 at 13:48 #26691   (78)
Just discovered this via Twitter. I'm stuck in a loop of "oh god, no". This is a subtle, yet very serious, security problem.
Excerpt (bolding is mine):

Felix Krause wrote:iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking
  iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.
   As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.
   This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.
   Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.


2017-10-10 at 17:23 #26715   (79)
(2017-10-10 at 11:19)MikeN wrote:  Where is the real security update we need?
Most likely it will be released at the same time as macOS 10.13.1 High Sierra. That's the normal sequence of events.


2017-10-10 at 17:58 #26716   (80)
Tired of Lies and Spies
(2017-10-05 at 22:49)AlbertHall3 wrote:  
(2017-10-04 at 19:02)AlbertHall3 wrote:  I can't send messages any longer from my Mac. My account is listed as inactive. I'd like to know why I can't sign in with my Apple ID and password. I get the error message: "Could not sign in to iMessage. An error occurred during activation. Try again." Of course, this combination of ID and password works just fine for all other Apple things and on my iPhone. Messaging works fine on my iPhone. Very frustrating...
I just upgraded from Sierra to High Sierra - now iMessage allows sign in, and it is working. I did nothing else....
I'm glad things are working for you now.

It is my sincere hope Apple soon secures all their services, the current situation is very bad.

If you are like me, it’s because I've been using LittleSnitch to block port 80 for nearly everything having to do with Apple and iCloud, because of (what I consider to be) Apple’s lies that iCloud is secure, communicates over secure connections, and cares about my security.

  Unencrypted iCloud Photo Stream to Amazon AWS?
  iCloud Documents doesn't use secure (https) connection?
  Photos Agent Uploads Insecure Over http Versus https

Messages on my Mac has long been broken.

I did a clean install of 10.12 on my Mac while it was offline. Before I let it connect to the Internet, I installed LittleSnitch and configured it to block port 80 for Apple/iCloud services. Ever since then, numerous Apple services have failed, and some have continued to be broken (iCloud Drive, Messages, Photos in iCloud, etc…).

I reported these problems to Apple via their support page and also filed a bug report to ask them if this was a bug, or was I hacked, or what else? Via the Bug Reporter I was informed that port 80 uploading to iCloud servers (which includes AT&T, Verizon, Google, Amazon) was a bug; but when I learned that, I also saw the bug ID and it was half of the whole bug database ago! That was bug 14739346 and when I reported it, the bug IDs were almost at 30M. And it is still not fixed, so security is not important, or else they are just blithely unconcerned about opening me/us up to hackers and spies.

I have tried numerous times to get Messages to work on my Mac with Sierra. I’ll try again. Nope. But both “identityservicesd via IMRemoteURLConnectionAgent.xpc” and IMRemoteURLConnectionAgent.xpc tried to establish a connection to init-p01md.apple.com on TCP port 80 (http) and were thus blocked.

Something is very fishy when as soon as I click the "Sign In" button, verification happens through an app using insecure http, and if I block that insecure connection attempt, logging in becomes impossible.
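As an added example (not from the post above, and not Little Snitch's or Apple's code), a small shell filter that reads `lsof -i -P` output and lists which processes hold TCP connections to a remote port 80, so the check the poster did by hand can be run without a firewall prompt. The sample it runs on is constructed; the process and Apple host names echo the ones named in the post, while the other hostname and addresses are placeholders.

```shell
#!/bin/sh
# Added example: list local processes with TCP connections to a remote port 80,
# i.e. candidates for plaintext HTTP traffic. Assumes the column layout of
# `lsof -i -P` (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]).
# On a live Mac:  lsof -i -P | plaintext_http_peers

# Constructed sample output (not a real capture). Daemon and Apple host names
# are the ones mentioned in the thread; the rest are placeholder values.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
identityservicesd 412 alice 18u IPv4 0x1a 0t0 TCP mymac.local:52111->init-p01md.apple.com:80 (SYN_SENT)
IMRemoteURLConnectionAgent 933 alice 5u IPv4 0x1b 0t0 TCP mymac.local:52112->init-p01md.apple.com:80 (ESTABLISHED)
cloudd 501 alice 9u IPv4 0x1c 0t0 TCP mymac.local:52113->icloud-storage.example.net:443 (ESTABLISHED)
Safari 1200 alice 33u IPv6 0x1d 0t0 TCP [2001:db8::1]:52114->[2001:db8::99]:80 (ESTABLISHED)
sshd 88 root 7u IPv4 0x1e 0t0 TCP *:22 (LISTEN)
cloudd 501 alice 11u IPv4 0x1f 0t0 UDP mymac.local:5353'

# Print "COMMAND PID REMOTE_ENDPOINT STATE" for every TCP socket whose remote
# port is 80. Port 80 alone does not prove the payload is unencrypted, but it
# is the first thing to look at when a service breaks under an outbound
# port-80 block, as described in the post.
plaintext_http_peers() {
    awk '
        NR == 1 { next }                    # skip the header row
        $8 != "TCP" { next }                # UDP sockets are not HTTP peers
        {
            split($9, ends, "->")           # NAME is local->remote
            if (ends[2] == "") next         # no remote half: a LISTEN socket
            n = split(ends[2], parts, ":")  # last ":" token is the port
            if (parts[n] == "80")           # works for IPv4 and [IPv6]:port
                print $1, $2, ends[2], $10
        }
    '
}

# Stand-alone demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | plaintext_http_peers
```

Run against `lsof -i -P` while reproducing a failing sign-in and the output names the daemon, PID and endpoint to cite in a bug report.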