Archive for April 7, 2023

Friday, April 7, 2023

Mac Security Bugs Expose Location and Safari History

Guilherme Rambo:

However, when it comes to these local XPC services, the assumption that their scope is limited — both in terms of functionality as well as which processes can even look them up to initiate a connection in the first place — means that not all local XPC services on macOS have strong authentication for clients.


Well, turns out you could just symlink another bundle’s Contents/XPCServices directory into your own app’s Contents/XPCServices, and launchd would happily follow that symlink and allow your app to look up and connect to a local XPC service embedded in a completely unrelated bundle.


One of the things this service handles is the “Set timezone automatically using your current location” option. When enabled, the preference pane uses the bundled XPC service in order to obtain the current device location. Because the location request goes through TimeZoneService and it has the effective bundle entitlement, what the location icon in the Menu Bar shows is just “Setting Time Zone”.


Safari’s history agent was not validating client processes that connected to it, which meant that any process running on the system could access the user’s Safari browsing history.

He recommends the new setCodeSigningRequirement(_:) API.
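
A sketch of the service side of that recommendation, added here as an example and not taken from Rambo's post or from Apple's code: a bundled XPC service that sets a code-signing requirement on its listener, so that a peer which is not the intended host app is refused even if it manages to look the service up. The protocol, bundle identifier and team ID are placeholders.

```swift
// main.swift of a bundled XPC service (requires macOS 13 or later).
import Foundation

// Hypothetical interface, defined only for this example.
@objc protocol ExampleServiceProtocol {
    func currentTimeZoneName(reply: @escaping (String) -> Void)
}

final class ExampleService: NSObject, ExampleServiceProtocol {
    func currentTimeZoneName(reply: @escaping (String) -> Void) {
        reply(TimeZone.current.identifier)
    }
}

final class ServiceDelegate: NSObject, NSXPCListenerDelegate {
    // Only reached for peers that already satisfied the listener's requirement.
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        newConnection.exportedInterface = NSXPCInterface(with: ExampleServiceProtocol.self)
        newConnection.exportedObject = ExampleService()
        newConnection.resume()
        return true
    }
}

// Code-signing requirement the client must satisfy. The identifier and the
// team ID (subject.OU) are placeholders; use the host app's real values.
let clientRequirement =
    "anchor apple generic"
    + " and identifier \"com.example.HostApp\""
    + " and certificate leaf[subject.OU] = \"ABCDE12345\""

let delegate = ServiceDelegate()
let listener = NSXPCListener.service()
listener.delegate = delegate

// Refuse to run unauthenticated on systems that lack the API.
guard #available(macOS 13.0, *) else {
    fatalError("Client validation requires macOS 13 or later")
}
// Peers whose code signature does not match the requirement are rejected.
listener.setConnectionCodeSigningRequirement(clientRequirement)
listener.resume() // For a service listener this call does not return.
```

The client can pin the service in the same way by calling `setCodeSigningRequirement(_:)` on its `NSXPCConnection` before resuming it.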


Carrier-Forced Wi-Fi Offloading


Essentially, the latest iOS (16.4 at post time) allows your cellular carrier (via eSIM) to add “managed networks” to your device.

These networks cannot be removed, they cannot have “automatically join” disabled, and they have equal priority with your real, personal networks.

So guess what happens when your neighbors get a wifi/modem combo that blasts a free hotspot SSID? Not only does it pollute the already crowded 2.4GHz band, your iPhone will often prefer this connection over your real/local wifi (despite said wifi being at 1 bar).

As of post-time, there is no way to remove these networks short of completely disabling cell service/removing the eSIM and resetting all network settings.


Wifi offloading is not new. AT&T helped invent these standards back in ~2009 when their network was getting crushed by massive increases in traffic as iPhone usage took off.

WiFi offload networks are configured as “Managed Networks” which are lower priority than any user-selected networks. You can disable them by turning off “auto-join”. (Also these WiFi offload networks are secure; you can’t spoof them).

However it appears that the original poster’s carrier (presumably Xfinity Mobile or Spectrum Mobile) has done something new - they’ve disabled the user’s ability to turn off “auto-join” on iOS. Some overzealous team is trying to lower their cellular costs. That’s because both Comcast and Spectrum rent capacity on Verizon Wireless towers, but their MVNO cellular service is not profitable unless their customers are using the cable company’s own WiFi fairly often.


I noticed this a couple days back at Home Depot, of all places. Was looking up the locations of stuff I needed to pick up via their website while sitting out in the parking lot and my iPhone kept switching off 5G to hop on some single bar wifi that I couldn’t delete or deselect auto-join.

Eventually just turned off wifi and the problem was “solved” but man this is going to be annoying if it starts happening at the grocery store or something.


iOS 16.4.1 and iPadOS 16.4.1

Juli Clover (release notes, security):

According to Apple’s release notes, iOS 16.4.1 adds a fix for an issue that could cause Siri not to respond in some cases, and it adds skin tone variations for the pushing hands emoji.

Juli Clover:

According to Apple's security support documents for iOS and macOS, the new software includes fixes for two separate vulnerabilities, both of which were known by Apple to have been actively exploited in the wild.

Hopefully this will also fix Universal Clipboard and the Weather app.


macOS 13.3.1

Juli Clover (release notes, security, full installer, IPSW):

According to Apple’s release notes for the update, it introduces a fix for a bug that could cause Auto Unlock with Apple Watch not to work, plus it includes a fix for an issue that caused the pushing hands emoji not to show skin tone variations.

See also: Howard Oakley, Mr. Macintosh.


Update (2023-04-22): Maynard Handley:

If anything 13.3.1 is more of a disaster than 13.3.

(a) Unmounting then remounting all external volumes every 5 minutes! WTF???

(b) PERMANENT decal of the volume control icon sitting in the middle of the screen!!!

Joe Rosensteel:

The latest point release of macOS (13.3.1) broke my screensaver. The screensaver works as expected on the MacBook when it’s not plugged into any external displays, and it works on one of the two monitors when it’s connected to two external displays, but the right monitor is always broken. I use “Classic” set to “Colors”. When the screensaver kicks on the right monitor just shows a black screen that says “No Photos”. How did it somehow manage to decouple the screensaver between displays?

Update (2023-04-24): Gabriel Zachmann:

With the latest upgrade to macOS 13.3, I have received a few reports from users that my screensaver (a real .saver) looks funny when the Mac has two monitors, the built-in one and an external one.


I read all the other comments concerning this fault after the update to Ventura 13.3, all happening with external monitors. So I don't feel alone. If I disconnect my 27 inch AOC external monitor, the problem goes away and the iMac shows my photos just fine.

Update (2023-04-25): Howard Oakley:

macOS Ventura 13.3.1 has a bug preventing the password for encrypted sparse bundles from being changed using hdiutil. As there’s no alternative method, this has a high impact on those using encrypted sparse bundles, for instance to store Time Machine backups on network shares.


Thanks to Paolo for confirming that this bug isn’t present in 13.2.1. This makes it most likely that it was introduced in 13.3, or possibly 13.3.1.

Jacob Ziv, RIP

Matthieu Bloch (Hacker News):

Jacob Ziv, known for his pioneering contributions to communication and information theory that inspired generations of researchers, passed away on March 25, 2023 at the age of 91. Perhaps his most celebrated achievement is the creation, together with Abraham Lempel, of efficient universal compression algorithms, known as LZ77 and LZ78. These algorithms have had a profound and far-reaching impact in digital technologies including the widely used gzip package and the GIF image format.

Yuval Mann:

In 2004, the International Association of Electrical and Electronics Engineers (IEEE) declared that the Lempel-Ziv algorithm is a “milestone in the fields of electronics and computer engineering” and that it “made a significant contribution to the transformation of the internet into an effective means of global communication.”

In 2011, Prof. Ziv was awarded the 2021 IEEE Medal of Honor for his extensive work, his broad contribution to information theory and data compression, and his exceptional research pioneering.


Abraham Lempel, RIP

Ynet (via Hacker News):

The first major milestone of Lempel’s oeuvre came in 1977 when he and his colleague Prof. Jacob Ziv published LZ77, the first version of the Lempel-Ziv algorithm, which was followed up the very next year with LZ78.

The Limited Times (via Hacker News):

He taught electrical engineering and computer science at the Technion and in 1981-1984 served as the dean of the Taub Computer Science Faculty. In 1993 he was recruited to HP Laboratories and a year later he founded and managed HP Laboratories Israel.

See also: Wikipedia.