Most iOS apps don’t mention security updates in their release notes. We look into this, and suggest that Apple may have some work to do. We also discuss a small macOS update, smart ring technology, and the Batterygate class action lawsuit payouts.
- Apple released yet another non-security patch: macOS Ventura 13.5.1
- No more macOS Big Sur updates
- 10-month zero-day vulnerability disclosed: macOS App Management vulnerability illustrated
- Apple’s defense against apps vandalizing other apps still broken, developer claims
- New Variant of XLoader macOS Malware Disguised as ‘OfficeNote’ Productivity App
- Apple to pay out $500M for iPhone battery issues
- iPhone 14, 14 Pro owners complain about battery capacity that’s already falling off
- This AI-generated crypto invoice scam almost got me, and I’m a security pro
- MSNBC’s Chris Hayes almost fell for an X (Twitter) phishing scam
- Apple researching a Smart Ring for notifications and controlling other devices
- At RSA Conference, Josh saw a wearable ring for biometric MFA
- Zoom issued a security update for its iOS app
- How to enable automatic updates on iOS
- Python script to download CVE info for iOS apps
- Scraped data of 2.6 million Duolingo users released on hacking forum
- High severity vuln in WinRAR could allow code to run when files are opened
If you like the Intego Mac Podcast podcast, be sure to rate and review it on Apple Podcasts.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Transcript of Intego Mac Podcast episode 306
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, August 24 2023.
This week’s Intego Mac Podcast security headlines include: a macOS update was released that didn’t have security patches, but did fix an important user feature… it looks like a recent Mac operating system has reached the end of the line as far as receiving future security updates. We’ll tell you which one. Smart ring technology is improving, and is starting to look like it may have practical purposes soon. And many iOS apps don’t always mention security fixes in their release notes. And Apple doesn’t encourage developers to do so. We’d like to know why. Now, here are the hosts of the Intego Mac podcast. Veteran Mac journalist, Kirk McElhearn. And Intego’s. Chief Security Analyst, Josh Long.
Kirk McElhearn 0:58
Good morning, Josh, how are you today?
Josh Long 1:00
I’m doing well. How are you? Kirk?
Kirk McElhearn 1:02
I’m doing okay. You know, it’s that time of year it’s the end of August, summer is ending Labor Day is coming up. And we’re getting to the point where there’s no news because there’s going to be a lot of news in a month or two.
Josh Long 1:14
Well, yeah, we kind of thought there wasn’t going to be a lot of news this week. It turns out we actually have a lot of things to talk about. We’ve got vulnerabilities, we’ve got some malware, we’ve got really a pretty good show for you today.
Recent macOS update contains no security fixes
Kirk McElhearn 1:25
Okay, where do we start. Another Apple update? Did they once again, update all the operating systems with all the vulnerabilities fixed?
Josh Long 1:33
No. Remember last week, there was a watchOS bug fix release that didn’t patch any vulnerabilities apparently? Well, this past week, we got a macOS update that also didn’t patch any vulnerabilities. It just fixes an issue in system settings that prevents Location permissions from appearing. So that might not sound like a big deal. But some people who upgraded to MacOS Ventura 13.5 found this to be a pretty big issue. They were no longer able to modify which applications were allowed to request permission, they weren’t able to turn that on and off. So that was kind of a big issue for some people. So if you were holding off on installing MacOS Ventura 13.5 Because you heard about that bug somewhere, it’s okay to install macOS Ventura 13.5.1. It does fix that issue. No security issues patched apparently, according to Apple’s release notes.
Kirk McElhearn 2:33
It feels like the end of a cycle that instead of all the operating systems being updated, we’re getting these little tiny bug fixes. Because pushing out an update for an operating system is a big deal, whether it’s a bug fix, or something more important. I know that we’re going to see the next versions of everything soon. So Ventura 13.6, etc. And then of course, September, October, we’re going to see macOS Sonoma, iOS 17, and so on. So this is like they’re sweeping up the final things before they move on to the next operating systems.
Josh Long 3:06
That’s right. And in fact, on that point, it’s worth mentioning that macOS Big Sur apparently is not going to get any more security updates. Apple just released a bunch of release candidates for MacOS Monterrey and macOS Ventura, as well as some new beta versions of macOS Sonoma. But notably, Apple did not release any release candidates for macOS Big Sur, and that seems to indicate that Big Sur is dead and gone. No more security updates, very likely no more security updates from here on out for macOS Big Sur. I noticed that Apple did something very similar last year, they cut off macOS Catalina before macOS Ventura came out. So really the last operating system that…you could call it n minus two, so that is the current one that Apple has released and then minus one is last year’s release minus two is two years ago. But in that case, the n minus two operating system which was then Catalina only really got security updates for that 10 month-ish period following the release of macOS Ventura. So it’s the same thing again this year where we’re only getting updates through August, even though the next operating system macOS Sonoma is not coming out until probably October. But as we’ve mentioned before, you probably shouldn’t really be on macOS Big Sur anymore anyway, because Apple really only patches everything for the current OS, which right now is macOS Ventura.
Apple ignores developer’s vulnerability report, developer publishes the details
Kirk McElhearn 4:37
Speaking of vulnerabilities, developer Jeff Johnson has discovered a macOS app management vulnerability and apparently he alerted Apple about this 10 months ago. Apple didn’t do anything. So he’s gone public. We’re going to link in the show notes to a page on his website. It’s a little bit complicated. Can you simplify that for us, Josh?
Josh Long 4:54
Yeah, Jeff Johnson, great software developer., he came across this vulnerability he reported to Apple, just before macOS Ventura was released to the public, and Apple sat on it and sat on it and didn’t really do anything about this. One thing that’s kind of funny about this is in the security release notes from macOS Ventura 13.4. Apple credited Jeff Johnson, this developer for supposedly being one of the people who reported a vulnerability in Sandbox. So the impact was an app may be able to retain access to system configuration files, even after its permission is revoked. And Apple says they fixed it by addressing improved state management, whatever that means. But the specific issue that he reported had more to do with apps being able to, say, vandalize other apps, that issue is pretty significant, and it is still broken. So Jeff was upset that, you know, Apple has taken this all this time, they haven’t done anything about it. They credited him for a vulnerability that was only kind of peripherally related to the one that he actually reported to Apple, they never gave him a bug bounty. And here we are, like on the cusp of MacOS Sonoma coming out in a couple of months, and they still haven’t done anything. So he went ahead and released the details of this to hopefully force Apple to patch this in an upcoming version of macOS Ventura. So we’ll see whether Apple actually patches this. Hopefully, this is not like a, an insecurity by design thing, and they’ll be able to easily fix this. It’s just kind of puzzling that Apple sat on this for so long, when it seems like it’s kind of a significant issue.
A new XLoader variant makes an appearance
Kirk McElhearn 6:39
Have you ever heard of an app called Office Note?
Josh Long 6:42
Ah, I know what you’re talking about here. There was some malware that was calling itself Office Note, it kind of looks like Microsoft Word, maybe the icon of it. This was some malware that was masquerading…it was a Trojan horse masquerading as a Microsoft app. But in fact, it was malware. So this suppose that office, no productivity app, would install XLoader malware onto your Mac, if you happen to come across it and try to install it. (XLoader. That sounds familiar.) Yeah, XLoader has been around for a little while. This is a newer variant of it. By the way, although this has kind of hit the Mac press this week. We’ve been detecting this malware for quite some time. So there’s nothing new here in terms of if you’re running Intego virus barrier, you’re protected. And you have been for some time, so don’t worry too much about this. But we’ll link to an article on the show notes where you can learn more about this latest variant of XLoader malware.
Battery-Gate settlement and continuing iPhone battery issues
Kirk McElhearn 7:42
So you’ve had an iPhone for many years, do you know that you’ll be eligible to get $65 from Apple because of a battery gate class action suit settlement? What are you gonna do with your $65, Josh?
Josh Long 7:55
This is a story that has been in the headlines and we thought okay, well, we should probably mention this. The models that this applies to are the iPhone 6, 6S, 6S plus, the original SE, the iPhone 7 and 7 Plus. So we’re talking about some phones that are antiquated by today’s standards. None of these will actually run iOS 16 or 17. These are older phones. Apple, by the way has has other battery issues like people are complaining all over social media over the past week that you know, their iPhone 14 or 14 pro or 14 Pro Max are not staying at their maximum capacity of battery health. So if you go into your Settings app, and you tap on Battery, and then you tap on Battery Health and Charging, you’ll see a percentage there. In my case, my iPhone 14 Pro that I just got last year says it’s at a maximum capacity of 96% meaning that that’s the most that my phone can charge relative to when I first bought it.
Kirk McElhearn 9:05
Right the battery capacity is measured in milliamp hours. I don’t know what exactly it is it is but you can get 96% of that on a charge. Mine says a 100% maximum capacity and I’ve had it for as long as you have. Maybe you use yours more than mine. I don’t know. I remember a couple years ago the first iPhone SE after a little more than a year it was down below 80%. So Apple guarantees that the battery will still have an 80% capacity after two years and this was below that. So Apple replaced the phone. But battery depends on a lot of things. Before the show you were asking how I charge mine overnight. I have one of those Apple travel chargers on my bedside table. One side is to…has a MagSafe charger for my iPhone the other side for my Apple watch. Now Apple has an optimized battery setting so what it will do is it it learns from the time you start charging your phone and the time you pick it up in the morning, so it charges to 80%, then it waits then it finishes charging afterwards. Because for all sorts of devices with this sort of battery 80% is kind of the limit. They can do a fast charge up to 80%. And then it slows down. My car, it’s the same thing, the battery goes really fast to 80%, then it slows down a lot. So if you charge it correctly and safely, if you leave that new setting on, which has only been for a couple of years, in iOS, I think batteries are gonna last a lot longer.
Josh Long 10:28
Yeah, they should. And I think most people will probably–at least based on some straw polls that I saw on social media, it looks like probably most people are not really having a significant issue with their battery life on these newer phones. But do check it you know, if if you’d see that your maximum capacity is close to the 80% mark, it might be worth going and talking to somebody in an Apple Store.
ChatGPT continues to improve spammers’ phishing emails
Kirk McElhearn 10:50
And it might be worth not using TikTok so much. Because what wears down the battery the most is video and gaming. If you’re just using, you know, for browsing the web and for listening to music that doesn’t use a lot of power. But rendering videos that uses a lot of battery. (Well, that’s a good point.) In recent months, we’ve talked a lot about these new invoice scams, you get an invoice that claims to come from a company, it could be PayPal, it could be what was it Best Buy’s Geek Squad, and they say you’re being charged for this. And if you have any questions call this number. Well, there’s an article in ZDNet by Jason Pirlo, who’s a tech writer who has been around a lot and he says “This AI generated crypto invoice scam almost got me and I’m a security pro.” It was so well designed that he thought it was real. He called the number they asked him to give them the six digit code that he got to log into PayPal. And it was only after that he realized, oh my god, I made a mistake. And he quickly changed his passwords.
Josh Long 11:47
This is a good reminder that even if you feel like you know a lot about security, it’s still entirely possible to accidentally fall for one of these phishing scams. They’re getting more sophisticated. As we’ve mentioned before, people are able to use ChatGPT to generate very convincing very well worded things that look like they might actually come from a company. They don’t have typos anymore, because people are using again ChatGPT to generate that text. So its English is impeccable. Not so long ago, people would just kind of glance through one of these types of emails and go, Oh, no, there’s a weird spelling error or something over there. So that’s probably fake and then move on. But now these things are getting much more convincing. By the way something else a very similar email scam. I saw Chris Hayes who is an MSNBC reporter, he tweeted a screenshot of somebody had apparently been trying to phish his Twitter slash X login credentials. He got an email saying we noticed a log into your account at Chris L Hayes from a new device. And it showed the location was in Switzerland on a, on Chrome desktop on Windows it says so he said that he almost fell for the bait. The one thing that tipped him off was he looked a little more closely and saw that the “From:” said it was from X at security hyphen confirmations.com Which of course is not an official Twitter or X related domain. Now the From address can actually be spoofed depending on some different factors. It is possible in some cases for somebody to to hide the actual From address. So that is something to be aware of too, if they had managed to do that as well, then they might’ve very well tricked this MSNBC reporter into falling for the scam.
Kirk McElhearn 13:44
Okay, we’re going to take a break when we come back, we’re going to talk about smart rings and Zoom and Duolingo.
Voice Over 13:51
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Ventura, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.
Apple trademarks some Smart Ring technology
Kirk McElhearn 15:07
Okay, we’ve got smartphones, we’ve got smartwatches. How about a smart ring? Apparently Apple has patented an idea for a smart ring. Now of course, we know that when Apple patents things, when a new company patents something, it doesn’t mean they’re going to make it, it means that they’ve come up with an idea that they can patent. And they can either make it prevent other companies from making it or license the patent to make money in the future. But the idea is interesting. Apparently, this could be used for notifications and for controlling other devices. Josh, you also saw something like this at the RSA Conference, didn’t you?
Josh Long 15:40
That’s right. Yeah. In my article about RSA Conference, I mostly talk about the presentations that I went to about some of the interesting things that they discussed in each of those presentations about Mac malware and supply chain attacks, and how all of this fits into the Apple ecosystem. But one other thing that I mentioned in that article is a particular product that stood out to me, of course, you see a lot of products, you know, walking around the show floor, looking at vendor booths, and everyone’s trying to sell you on something or other. But there was one particular innovation pavilion where they had a company who was presenting as a business solution. This is not available to consumers. The product is called Token Ring, which the name is kind of funny, because that was also the name of a networking technology back in the 1980s. But the Token Ring is a FIDO-compliant multi factor authentication token. And the way that it works is that as you’re putting this ring on your finger, it checks your fingerprint, verifies your identity, and then you slide the ring the rest of the way on your finger. Now you can use this just like you would a YubiKey, or one of these other kinds of security dongles that you carry with you to authenticate you. And so it’s it’s FIDO-compliant, it’s a pretty cool idea, very clever. And it’s also something that you can’t easily steal from somebody and still be authenticated as them. Like the whole idea of the fingerprint scanner is really clever. Imagine trying to steal that off of somebody else’s finger, you’d maybe have to like put your finger up against theirs and slide it, you know, quickly from one finger to another. I just don’t think that that would work very well. That seems very unlikely to be a successful attack.
Kirk McElhearn 17:30
Well, as our producer Doug pointed out during the break in the film, John Wick 3, John Wick had to give up his ring, so he cut his finger off. So (Sorry, spoiler.) if you see people with bolt cutters coming at you and you’ve got a ring on be a little bit careful. Worth pointing out that a fingerprint sensor on a ring is not very difficult anymore, because the power button on the iPad mini, which is a touch ID sensor is very narrow, narrower than most rings. So this is entirely doable. They could have a haptic system in it. So you could get a tap when something happens. as a notification. I’ve been watching these smart rings for a while there’s a number of them one’s called Oura, O-U-R-A. And it’s kind of a fitness tracker, a sleep tracker. And I think the idea is interesting, because a lot of people don’t want to wear a watch, regardless of whether it’s an Apple Watch, or a fancy watch. And a ring is a bit less obtrusive, however, mostly smart rings, you have to put them on your index finger, and they’re kind of thick, and they kind of look dumb, they look a little bit bulky. But obviously miniaturization ,these things get smaller and smaller and do more and more things. So maybe we’ll see something like that in the future. You know, when we were setting up the call today, over Zoom, you had to, you came into Zoom and I clicked the button to let you in. And then you disappeared. And you came in again, because the Zoom iOS app was updating. And that’s because Zoom issued a security update for its iOS app.
Apple does not require developers to mention security updates to their apps in release notes on the App Stores. Why not?
Josh Long 18:51
Right. In fact, all of the Zoom applications, Mac, iPhone, etc. They all have a security update. And this is a pretty common thing. Zoom fixes a lot of vulnerabilities. At the beginning of the pandemic, when Zoom really started to take off in popularity, they were not so great when it came to security. People were finding all sorts of vulnerabilities, ways to break into other people’s meetings and so forth. Zoom has spent a lot of time really bulking up their security. They hired a lot of experts. And now I would say that they’re probably one of the best companies out there in terms of really staying on top of security vulnerabilities in their products and getting them patched quickly and so forth. Certainly they’re releasing a lot of security updates a lot of the time.
Kirk McElhearn 19:35
That’s very different from when we had our weekly “Zoom Zingers” about all the problems with Zoom a couple of years ago. (That’s right.) They’ve definitely had to change because of the way that the enterprise market depends on Zoom. And they could not trust Zoom i f Zoom wasn’t proactive regarding security. I think you and I we both do the same thing on iOS. We don’t have automatic apps updates. We want to see what apps are there we look at the release notes not always But was there anything about the security update in the release notes?
Josh Long 20:03
In this case there was, which is actually really unusual. I always pay attention, I skim all the release notes for every app before I update it just to look for whether there’s any security vulnerabilities that are mentioned or patched in this update. And it’s extremely rare that anything like this is mentioned, the only two apps that I’ve seen in recent history that have mentioned that they fixed a security issue, were Zoom twice, about a month apart. They just released an update yesterday as we’re recording this, which was on Tuesday. And they released one about a month earlier as well, that mentioned that it fixed a security vulnerability. The only other app that I’ve seen in recent history was Wire, which is a secure text messaging app mentioned, again, very vaguely that there was some security issue that was fixed. I’ve been thinking about this a lot lately. This is something that we don’t really see very often. Why is it that iOS apps in particular, hardly ever mention security in the release notes. So we started looking into this more before we were recording the show today. What exactly is going on here? Like are there vulnerabilities in these other apps that we’re just not hearing about that are not being mentioned in the release notes? That seems kind of weird. It turns out that yes, there are vulnerabilities that are getting patched. We mentioned CVE’s in the past. CVE stands for Common Vulnerabilities and Exposures. And these are unique identifiers for each vulnerability as it might exist across multiple products, you it makes sense to have one number that you can look at and say, oh, okay, that vulnerability was patched in this product and also that product. There are many iOS apps that actually do have CVE’s, but I don’t really ever see them show up in these notes. And I wonder why that is. I don’t know if it’s just because no one else is doing it. And so they don’t really feel like the need to do that. But maybe this is something that Apple should be encouraging developers to do.
Kirk McElhearn 22:07
Imagine if you’re in a business and you’re managing 1000 iPhones. You really want to know if there’s a security update to push out that update to all of your users. I mean, you’re controlling which apps get updated for your users when you’re using MDM solutions. So you need to know if there’s an update. And you check that there was a Microsoft Edge update recently. And Microsoft has lots of Edge updates. But when you look to the notes for Microsoft Edge on the iOS App Store, “bug fixes”. All they say for every update is bug fixes, makes it sound banal makes it sound like someone found that there was an extra space after something or two things didn’t line up. Bug fixes.
Josh Long 22:43
Right. And this is why it was so fascinating to me, because I always check, you know, again, every app like I’m looking at browsers. And you know, granted, I know that browsers on iOS are using WebKit, because Apple forces them to because of being in the App Store. But I still kind of think there might be some other vulnerabilities in there. But why wouldn’t they be mentioning these things. So before the show, Kirk actually found this cool python script, something that you can run in the Terminal. And basically, it looks up at the CVE database. And it looks for all Android and iOS vulnerabilities and app vulnerabilities. So I modified the script to get rid of the Android part because I don’t care about Android. And it turns out that there’s a bunch of apps that have been updating on my phone that haven’t told me there’s a security issue. But in fact, that version did have a security issue patched. So pretty fascinating stuff. And this is something that I think that Apple should be doing. They should maybe you know, they don’t necessarily have to put an extra field in there. But when developers are putting in the release notes, Apple should be encouraging them to make sure to include any security details in those release notes. And that probably is something that Apple really should be including in the developer guidelines as well, to make sure this is something that developers start doing, because almost nobody is doing this right now.
Kirk McElhearn 24:13
So we both have our updates, probably for Mac as well as iOS to not update automatically. But I’m going to recommend to all listeners who don’t really pay attention to set this to update automatically. Because you may be not aware that you’re getting security updates. I mean, the number of times that I go to an iPad that I haven’t used in a few days, and I opened it up and there’s a “4” on the App Store a little 4 badge. And so I tap and hold a check for updates, and I pull down to refresh and it’s 37. It’s like I don’t know how they decide when they’re checking for things, but there are often a lot of updates. So suggestion is set for automatic updates. Now I think if you do this, it’s still not going to do it over cellular, so you don’t have to worry about your data plan. We have an article about everything you need to know about software updates, which I’m going to update in order to mention this as a good reason to automatically update your apps on iOS.
Josh Long 25:04
Another good point here is like Kirk was talking about, sometimes even if you have automatic updates enabled, sometimes they don’t actually install automatically, at least not very quickly. One thing that Apple does on purpose is they allowed developers to sort of have this grace period so that people who have automatic updates enabled won’t necessarily get those apps updated immediately, because sometimes there are some issues and they need to pull version of an app and go back to the previous version, as far as what’s available currently in the App Store. So for that reason, you’re not getting apps immediately after the developer releases them. If you really care about security updates, you can manually check as often as you want. You just have to go into the App Store app, you tap on your icon, your your avatar up in the top right corner, and then you swipe and pull pull down and it will refresh and show you all the available updates. I just did that it didn’t show that I had any. Now it shows that I’ve got four updates available.
Duolingo experiences a data breach
Kirk McElhearn 26:12
Or you tap and hold the App Store icon and you get a little menu, you tap updates. And you get to the same avatar page. And I’m just pulling and refreshing. And it says that I have nine available. And I just did updates before we recorded the show. Look at that ChatGPT, Google Chrome, Shazam, Zoom, there’s the Zoom update, Gmail, Microsoft Edge. Here’s what’s new in this release, general performance improvements and bug fixes. So we’re going to update all of these today. Okay, we have a couple of by the ways before we finish, a lot of people use Duolingo to learn foreign languages. And apparently data from 2.6 million Duolingo users was released on the hacking forum. If you are a Duolingo user, change your password. And I hope you’re not using that password on multiple sites. As we’ve said many times, because if someone has gotten all that data, they can try accessing your other accounts.
Josh Long 27:03
As a matter of fact, that’s probably why you showed up in this database of compromised accounts because you probably reused your password,
Kirk McElhearn 27:11
Okay, and there was a high severity vulnerability in WinRAR that could allow code to run when files are open. If you’ve been using computers for a while you know that WinRAR is an app that can compress an uncompressed file, it’s kind of like stuff it from back in the day. Now this affects the Mac version of WinRAR. Or if you’re using the command line version. So the three people out there who are using WinRAR, or command line on a Mac, be aware that there is a high severity vulnerability. Okay, that’s enough for this week. Until next week, Josh, stay secure.
Josh Long 27:42
All right, stay secure.
Voice Over 27:45
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts Kirk McElhearn, and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode podcast.intego.com The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.