Archive for September 11, 2023

Monday, September 11, 2023

macOS 12.6.9 and macOS 11.7.10

Apple (full installer):

This document describes the security content of macOS Monterey 12.6.9.


Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Apple (full installer):

This document describes the security content of macOS Big Sur 11.7.10.


A buffer overflow issue was addressed with improved memory handling.

See also: MacRumors and Howard Oakley.


Kagi Small Web

Kagi (Hacker News):

While there is no single definition, “small web” typically refers to the non-commercial part of the web, crafted by individuals to express themselves or share knowledge without seeking any financial gain. This concept often evokes nostalgia for the early, less commercialized days of the web, before the ad-supported business model took over the internet (and we started fighting back!)

For a deeper understanding, Ben Hoyt’s “The Small Web is Beautiful” serves as an excellent primer. Additionally, our GitHub repository links to several more articles on this topic.

Kagi Small Web offers a fresh approach by promoting recently published content from the “small web.” We gather new content, published within the last week, from a handpicked list of blogs and surface it in multiple ways:

I’ll be interested to see whether this improves the rankings when I search with Kagi. Even before this change, they were often quite different than with Google and Bing, with top results less likely to be spammy. I’m pleased that my blog is included, and Kagi Small Web does seem to be helping more people to find my posts.

Nick Heer:

Surely authority and relevance carry heavier weighting in ranking these search results, but the idea of bringing more independent voices with fresh links onto a search results page is intriguing. The fact that it is based on an allow-list means it is more limited, but also perhaps less prone to manipulation.

Peter Hosey:

Google used to have a feature called Blog Search that restricted the search results to those from blogs, and we really need that back.

(I suspect part of what killed it was the increasing difficulty of weeding out legions of hijacked or otherwise spam-infested WordPress and Blogger blogs; overcoming that would be a necessary component of any resurrection of Blog Search.)


Today in E-mail Hegemony

Jamie Zawinski (Mastodon):

People keep telling me how email is a great federation success story.


Here’s the current top ten from the last ~2 years since our post-lockdown re-opening[…]

Gmail and Yahoo are dominant, with still a large number of AOL users from his audience, which likely skews more technical.

Also, my spell checker thingy won’t let you hit “Purchase” with an invalid TLD, and yet, I have 56 orders from gmail.con. There is no .con TLD yet, I checked, though I would not have placed bets on that. So how did those get through? JavaScript turned off? Nope. Every one of them was via Apple Pay, which does not do the typo check as Apple tells us the email directly.

It looks like Apple Pay lets you enter an e-mail address that’s different from the one used by your Apple ID, and Apple doesn’t verify it.

Update (2023-10-10): I saw first-hand, as people upgraded to SpamSieve 3, that many people have entered e-mail addresses into Apple Pay that are defunct or were never valid in the first place.

Ventura File Encryption Problems

Howard Oakley:

Until Ventura 13.2.1, encrypted sparse bundles seem to have worked as advertised. Although Disk Utility has never offered an easy way to change their passwords, that could be accomplished interactively using hdiutil in Terminal.


When asked to compress an item in Apple Encrypted Archive format, the app prompts the user for what it claims is a password. Instead what it’s actually doing is informing the user of their randomly generated key required to decrypt that archive.


As of Ventura 13.5.2, and probably in the first release of Sonoma, two of those five robust options for encrypting files and folders aren’t sufficiently functional for normal use. The bug in changing passwords for sparse bundles needs to be fixed, and shortcomings in passwords for Apple Encrypted Archive need to be addressed in Archive Utility.

Disk image passwords can also be changed using DropDMG, and it can change them in bulk, but alas it is also affected by the hdiutil bug in recent versions of Ventura.

App Store Continues to Host Scammy Apps

Joshua Long:

A couple months ago, we covered several suspicious apps that were in Apple’s iOS App Store. One mimicked the new “Threads, an Instagram app,” and others were unethical loan apps. At the time we published the article, Apple had removed the apps following public backlash.

We wish we could tell you that the App Store was perfectly free of scammy apps, but unfortunately such is not the case.

Over the past week, several more sketchy apps have come to light. Again, some of them are illegitimate loan apps that often seem to particularly target iPhone users in India. The apps mimic the names of legitimate financial institutions, but are reported not actually connected in any way with those companies.


The @AppStore in India is dancing to the tune of fake loan apps

When you search for “instant loan”: The Ad & all 5 top results are of Fraud Loan Apps.

Apple did remove them after more than a week and many downloads, but new ones reached the top finance charts just days later.

Kevin Archer:

I wonder how many Apple guidelines points this app is infringing 🤷‍♂️. More than this, it was released on 20 Dec 2022 and still active.

It looks like a to-do app but really offers pirated movies.

Josh Long:

This Bitcoin wallet app is fake, according to the developer of the real Samourai app for Android. (The company doesn’t even make any iOS apps at all.)

It has been in the App Store since July 21, in spite of being reported multiple times.