One challenge that can crop up for Mac admins is the problem of running a script or other tool with root privileges and using it to launch and run another tool, script or application as if the logged-in user had launched it. An example of this would be installing Dropbox using an installer package, then launching the Dropbox application as the logged-in user as a post-installation task. One reason to do so would be to give the user the opportunity to sign into their Dropbox account.

To accomplish this task, Apple has provided functionality in the launchctl tool.

[…]

Starting in OS X Yosemite, Apple made a number of changes to the launchctl tool and added a new asuser function. The asuser function is designed to take the place of the bsexec function, in the context of starting processes in the context of a specific user account. This makes it easier, as you now just need to figure out the username and do not have to figure out the PID of the user’s loginwindow process.

Apple has worked very hard to reduce the iPhone’s attack surface, but they haven’t yet fully addressed the underlying motivations of an attacker (specifically, the device’s forensic value), and that’s left the iPhone a very high value target. This is the oldest, and hardest challenge in the book: making sure that deleted data actually gets deleted. Conversations are ephemeral, but the traces of these conversations are not; this directly impacts how and why search warrants are executed and why mobile devices are targeted by attackers. If the user of the device believes their conversation to be deleted, it’s breaking their trust by keeping forensic traces of those conversations, and ultimately the device’s design can lead to a betrayal of the user’s privacy if data is stolen or a forensic image is made. Ephemeral conversations (or other exchanges) should also mean ephemeral data.

The whole experience is described in loving detail in the article: How Uber Engineering Evaluated JSON Encoding and Compression Algorithms to Put the Squeeze on Trip Data. They came up with a matrix of 10 encoding protocols (Thrift, Protocol Buffers, Avro, MessagePack, etc) and 3 compression libaries (Snappy, zlib, Bzip2). The target environment was Python. Uber went to an IDL approach to define and verify their JSON protocol, so they ended up only considering IDL solutions.

[…]

The conclusion: MessagePack with zlib. Encoding time: 4231 ms. Decoding: 715 ms. There was a 78% reduction in size relative to the JSON zlib combination.

[…]

Something to consider: don’t use JSON for messaging. The compression/decompression times are still dog slow. If you are going to use an IDL, which every grown up project eventually moves to for reliability and security reasons, consider not using JSON for messaging. Go for a binary protocol from the start.

While Apple makes available the source code for many components used in OS X, most of the time there is a significant delay so we need to use binary diffing to find out the differences between the vulnerable and updated binary. The usual tool for this purpose is BinDiff but there is also a free alternative called Diaphora made by Joxean Koret. Both tools require IDA and on this post we are going to use Diaphora.

[…]

The developer of this particular piece of code made a mistake, and the fix can be as simple as adding a set of parenthesis[…]

With this release we’re changing the way Reveal is versioned and licensed. We’re switching to a model where we release features as they are ready rather than holding them back for major paid upgrades. We’re also moving to a simpler version strategy. This release is version 2, the next will be version 3, and so on.

Licenses now include a year of updates, after which you can continue to use the last version of Reveal released within those 12 months. To continue to receive updates after the included 12 months, you will need to renew your license.

[…]

Instead of offering upgrade pricing for Reveal 2 we have lowered the price for all new and existing users.