Archive for September 8, 2023

Friday, September 8, 2023

Molly Holzschlag, RIP

Dylan Smith:

Molly Holzschlag, whose pioneering work in online design standards led to her being dubbed “the fairy godmother of the web,” has died at age 60.

[…]

She was a prolific author and regular speaker about the “open web,” advocating for accessible and inclusive online design standards. Also known as “mollydotcom” after her eponymous site that was one of the first blogs, she wrote or co-wrote more than 30 books, and before falling ill she was frequently appearing on Internet conference stages around the world.

[…]

Holzschlag, who reported on music for the Tucson Weekly in the 1990s, founded Open Web Camp, a Silicon Valley event that ran from 2009-2013, and was a leader of the Web Standards Project in the years before that. That group successfully pushed browser developers, including Microsoft, Opera and Netscape, to adopt web standards.

Eric Meyer (via Christina Warren):

She had a voice like a blues singer in a cabaret, brassy and smoky and full of hard-won joys, and she used it to great effect standing in front of Bill Gates to harangue him about Internet Explorer. She raised it to fight like hell for the Web and its users, for the foundational principles of universal access and accessible development.

[…]

There were so many things about what the Web became that she hated, that she’d spent so much time and energy fighting to avert, but she still loved it for what it could be and what it had been originally designed to be. She took more than one fledgling web designer under her wing, boosted their skills and careers, and beamed with pride at their accomplishments.

BLASTPASS

Juli Clover (Hacker News):

[A] maliciously crafted image could lead to arbitrary code execution, allowing a hacker to gain access to the operating system with a simple picture.

[…]

As reported by Citizen Lab, the vulnerabilities are part of a “BLASTPASS” exploit chain that was observed having been used in the wild to deliver NSO Group’s Pegasus spyware. Pegasus is of critical concern to government officials, journalists, activists, and others with potentially sensitive information on their devices.

The zero-click vulnerability allowed attackers to send a maliciously crafted PassKit (Wallet) image to a target via iMessage, infecting their device “without any interaction from the victim.”

Lockdown Mode blocks this particular attack. It’s not really clear to me why these images can’t be safely processed behind the Blast Door. Is it because they’re related to other cross-cutting iOS services such as PassKit? That is, if iMessage were just a messaging service, it would be easier to make it secure. If Messages were restricted to doing what third-party apps can do, maybe these sorts of vulnerabilities would be impossible. But it’s also become the transport for various other iOS features and Apple services, so it’s necessarily hooked deeper into the system. If I lived in Europe, maybe I could just disable iMessage and use WhatsApp, which is arguably more reliable and secure.


macOS 13.5.2

Juli Clover (release notes, security, full installer, IPSW):

macOS Ventura 13.5.2 focuses on minor bug fixes and security improvements, and it does not include any notable new features.

See also: Mr. Macintosh and Howard Oakley.


iOS 16.6.1 and iPadOS 16.6.1

Juli Clover (release notes, security):

The launch of iOS 16.6.1 comes over a month after the release of iOS 16.6, an update that brought bug fixes.
