Archive for June 4, 2021

Friday, June 4, 2021

Downgrading BridgeOS

Mr. Macintosh (tweet):

Let’s go over a quick example of why you might want to downgrade BridgeOS. You updated to macOS Big Sur 11.4 from 11.3. After the update, you’ve found that something is not working right. The T2 chip handles many things including fan speed, battery, power, charging & sound (speakers & microphone). So in this example, maybe you are getting audio crackling noise (has happened in the past). Now you’re thinking that the new version of bridgeOS might be causing problems on your T2 Mac.

The 2nd example is macOS Update testing. If you are a system administrator in charge of updating a large fleet of Macs, testing is very important. Part of that macOS Update process is updating BridgeOS. An example of this is if you upgrade a T2 Mac from 11.3 to 11.4. BridgeOS is updated in the process. Now that this T2 Mac is on the latest version of BridgeOS it normally cannot be downgraded. Even if you boot back to recovery and install 11.3, BridgeOS will remain the same updated version. Set this Mac on the shelf because you will never be able to take it through a full update process again until 11.5.

[…]

You could always upgrade BridgeOS via automatic download with Apple Configurator 2.

[…]

We can now download full BridgeOS IPSW Files directly from Apple the same way we do now with Apple Silicon M1 Macs. We can then use the BridgeOS IPSW File to restore/revive BridgeOS to your T2 Mac. The difference here is that Apple WILL stop signing for previous versions of BridgeOS. The signing process follows iOS and is canceled usually about one week after the release of a new update. Apple leaves ONE previous version signed (for 7 days) so you can now downgrade to that version!

Previously:

Update (2021-06-13): Howard Oakley:

Let me ask you a simple question: supposing you installed the Monterey beta on an external disk, what would happen to that Mac’s firmware and its Recovery features? Given that Monterey is likely to bring firmware updates to most if not all Macs, how might that affect yours? That’s what I try to answer in this article – and it’s of great importance to all those who install beta-releases, as well as everyone considering upgrading in the autumn/fall.

The answer to these questions depends on which architecture your Mac has, and how it stores and maintains the different parts of what we loosely refer to as firmware.

M1racles: M1ssing Register Access Controls Leak EL0 State

Hector Martin (tweet, Hacker News, Bruce Schneier):

A flaw in the design of the Apple Silicon “M1” chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange.

The vulnerability is baked into Apple Silicon chips, and cannot be fixed without a new silicon revision.

[…]

The ARM system register encoded as s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster.

[…]

Really, nobody’s going to actually find a nefarious use for this flaw in practical circumstances. Besides, there are already a million side channels you can use for cooperative cross-process communication (e.g. cache stuff), on every system. Covert channels can’t leak data from uncooperative apps or systems.

Halide Mark II Launch Postmortem

Ben Sandofsky (tweet):

There are powerful App Store features only supported through subscriptions: a paid app has one price, that is more or less the same around the world. With subscriptions, you can set per-country pricing.

[…]

Half the challenge of a big upgrade is supporting the old version of your app. In small updates, you would build your new features into the old app hidden behind flags, and un-hide them when they’re ready to release. We couldn’t do that in our case, because too much of Mark II would change. When we say it was like a whole new app, we really mean it.

[…]

There was one post-launch surprise that was out of our control: the only way for us to offer the choice between Pay-Once and subscriptions is to make the app free to download, and throw up a “paywall” at launch. The App Store doesn’t surface this clearly: it just lists it on the “Free” charts. Many folks downloaded Halide expecting it to be free, and got upset that we ask for payment.

[…]

We dug deeper and found it to be a bug when iOS needs to free up memory. Sometimes iOS terminates the program that manages your photo library, assetsd. There’s nothing we can do short of telling users to restart their phone.

[…]

While subscribers outnumber Pay-Once buyers by almost five to one, Pay-Once revenue makes up 39% of total revenue. We really think that it’s important to cater to a segment of your users that would not even consider a subscription at any cost out of principle.

Previously:

TCC Bypass in XCSSET Malware

Stuart Ashenbrenner, Jaron Bradley, and Ferdous Saljooki (via Juli Clover, Dan Goodin):

In the latest macOS release (11.4), Apple patched a zero-day exploit (CVE-2021-30713) which bypassed the Transparency Consent and Control (TCC) framework. This is the system that controls what resources applications have access to, such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings. The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior. We, the members of the Jamf Protect detection team, discovered this bypass being actively exploited during additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild. The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.

[…]

If any of the appIDs are found on the system, the command returns the path to the installed application. With this information, the malware crafts a custom AppleScript application and injects it into the installed, donor application.

[…]

Once all files are in place, the custom application will piggyback off of the parent application, which in the example above is Zoom. This means that the malicious application can take screenshots or record the screen without needing explicit consent from the user. It inherits those TCC permissions outright from the Zoom parent app.

Unfortunately, Apple’s fix does not seem to precisely target the actual vulnerability and introduced more problems.
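One check a Mac admin could run against the piggybacking described above, as an added example that is neither Jamf’s detection nor Apple’s fix: walk an applications folder, report every .app bundle nested inside another bundle, and, where the macOS codesign tool is present, verify the donor with --deep --strict, which covers nested code. Where XCSSET places its bundle inside the donor is not stated on this page, so the script looks anywhere beneath the donor’s top level; legitimate helper apps are nested too, so hits are leads to review, not verdicts.

```python
"""Find app bundles nested inside installed (donor) applications.

Added example, not Jamf's code. The injected-bundle location is an
assumption; nested helper apps are normal, so treat hits as leads.
"""

import os
import shutil
import subprocess
from typing import Dict, List, Optional


def find_nested_bundles(app_path: str) -> List[str]:
    """Paths of every .app directory found anywhere under app_path."""
    nested = []
    for root, dirs, _files in os.walk(app_path):
        for d in dirs:
            if d.endswith(".app"):
                nested.append(os.path.join(root, d))
    return sorted(nested)


def codesign_verify(app_path: str) -> Optional[bool]:
    """True/False from `codesign --verify --deep --strict`; None when the
    tool is absent (for example when this runs off-macOS)."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", app_path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def scan_applications(apps_dir: str) -> Dict[str, dict]:
    """Report for each top-level .app in apps_dir: nested bundles found and
    signature status (None if codesign is unavailable)."""
    report: Dict[str, dict] = {}
    for name in sorted(os.listdir(apps_dir)):
        app = os.path.join(apps_dir, name)
        if not (name.endswith(".app") and os.path.isdir(app)):
            continue
        report[app] = {
            "nested_bundles": find_nested_bundles(app),
            "signature_ok": codesign_verify(app),
        }
    return report


def suspicious_apps(report: Dict[str, dict]) -> List[str]:
    """Apps worth a closer look: nested bundles or a failed deep verify."""
    return sorted(p for p, r in report.items()
                  if r["nested_bundles"] or r["signature_ok"] is False)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    report = scan_applications(target)
    flagged = set(suspicious_apps(report))
    for app, info in report.items():
        print("!!" if app in flagged else "  ", app,
              "nested=%d" % len(info["nested_bundles"]),
              "codesign=%s" % info["signature_ok"])
        for n in info["nested_bundles"]:
            print("     ->", n)
```

Run it as `python3 scan.py /Applications` on the Mac under review; a donor such as Zoom carrying an unfamiliar nested .app, or failing the deep signature check, is exactly the shape of the piggybacking the Jamf team describes.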

Previously: