In September, Microsoft said SwiftKey for iOS was being shut down and removed from the App Store for no clear reason. SwiftKey has been a popular alternative for iPhone users to Apple’s default iOS keyboard, leaving many disappointed by the decision. Now, a few weeks later, Microsoft says due to customer feedback, it is bringing the app back to the App Store.

Ventura’s Preview app lost the ability to render postscript or ps files. This breaks the previous, popular shell alias to open a man page in Preview.

[…]

Add this function to your shell configuration file: (bash, zsh)

preman() {
    mandoc -T pdf "$(/usr/bin/man -w $@)" | open -fa Preview
}

[…]

I prefer opening the ‘yellow’ man pages in Terminal app. You can do so by entering a command in the Help menu, or by using the x-man-page URL scheme. In these yellow terminal windows, you can scroll and search in the text with command-F. You can also do a secondary click (right/ctrl/two-finger click) on any word and it will offer to open that man page in the context menu.

My web browser extension StopTheMadness is updated today in the iOS App Store and Mac App Store. The biggest change is a new font substitution feature! Thanks to John Gruber of Daring Fireball for inspiring the feature and for linking to my blog post a few weeks ago. The blog post described how the custom style element feature of StopTheMadness can add @font-face rules to web pages in order to substitute one font for another. But that’s all very technical, requiring the user to write CSS. The “Fireballing” generated a lot of feedback requesting a simpler way to substitute fonts on the web, so I started work on that immediately, and now the feature is available! It works in all web browsers supported by StopTheMadness: Safari for iOS, Safari for Mac, Firefox for Mac, and Google Chrome for Mac (as well as all Chromium browsers).

It’s clearly a serialized NSKeyedArchiver. Definitely not what you’d expect to see in a JBIG2Bitmap object. Running strings we see plenty of interesting things[…]

[…]

NSPredicates using the FUNCTION keyword are effectively Objective-C scripts. With some tricks it’s possible to build nested function calls which can do almost anything you could do in procedural Objective-C. Figuring out some of those tricks was the key to the 2019 Real World CTFDezhouInstrumenz challenge, which would evaluate an attacker supplied NSExpression format string. The writeup by the challenge author is a great introduction to these ideas[…]

[…]

Prior to iOS 14.5 the isa field of an Objective-C object was not protected by Pointer Authentication Codes (PAC), so the JBIG2 machine builds a fake Objective-C object with a fake isa such that the invocation of the dealloc selector causes the deserialization and evaluation of the NSFunctionExpression. This is very similar to the technique used by Samuel in the 2020 SLOP post.

[…]

Perhaps the most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.