macOS Big Sur 11.3: Upgrade ASAP for fix to 0-Day Gatekeeper Security Exploit (Apple CVE-2021-30657)

If you are running macOS Big Sur, update to 11.3 ASAP to get an urgent security fix.

In essence, you could do little more than double-click to open a document faking it as an app, and compromise your entire machine.

Takeaways

It’s hard to operate in today’s internet environment without risk. But when Apple has bugs like this one, hardly anyone is safe, not even highly knowledgeable people (including me). Break these rules at your own risk, since this latest Apple bug is an existence proof that nothing is safe.

  • Unless you are CERTAIN that a file comes from a trusted party, do not download or open files received in email. Even then there is a risk since a friend or acquaintance could have been tricked, or infected.
  • Prefer plain-text emails.
  • Do not open attachments from unknown parties, particularly those forwarded by others.
  • Do not click on links in emails. Yeah it’s convenient—don’t.
  • Disable auto-loading of images in Apple Mail (Preferences => Viewing => Load Remote content in messages = unchecked/off).
  • Communicate by phone (voice) with persons sending you attachments/links to verify validity. And only those you already know.

Years of risk from sloppy practices at Apple?

Apple’s zealous security lockdowns have resulted in numerous impacts on those who use their computers for real work. Bars on the windows, rear doors locked, concrete bunker inside—but here we have the front door left wide open.

It took nearly TWO YEARS to find and fix this outrageous bug. Which is one more reason why waiting at least 6 months for a major macOS update is the smart move. But even that wouldn’t have worked in this case.

Ever wonder why Apple’s operating system releases require numerous updates in just 6 months? Check your premises on quality control—Apple ships by schedule, not by software quality.

About the bug

See also: Apple Security Bounty

CVE-2021-30657 was discovered and reported to Apple by security engineer Cedric Owens on March 25, 2021.

"An unsigned, unnotarized, script-based proof of concept application [...] could trivially and reliably sidestep all of macOS's relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system," security researcher Patrick Wardle explained in a write-up. "Armed with such a capability macOS malware authors could (and are) returning to their proven methods of targeting and infecting macOS users."

Ironic that macOS Catalina introduced the bug, what with all its extra security hassles. Of course, Catalina was a dismal failure in terms of so many other security bugs.

AnandTech: Actively exploited Mac 0-day neutered core OS security defenses

When Apple released the latest version, 11.3, for macOS on Monday, it didn't just introduce support for new features and optimizations. More importantly, the company fixed a zero-day vulnerability that hackers were actively exploiting to install malware without triggering core Mac security mechanisms, some that were in place for more than a decade.

...the flaw appears to have existed since the introduction of macOS 10.15 in June 2019, which is when notarization was introduced.

MPG: if the bug was being “actively exploited”, how can Apple be so out-of-the-loop to not know that after nearly two years? Why isn’t there a team at Apple that infiltrates the hacker community and/or actively buys exploits, so as to fix them?

Why doesn’t Apple owe compensation to the victims of this bug? A constant barrage of buggy macOS releases has a long track record of sloppy work—Apple should be liable given that track record.

Copyright © 2020 diglloyd Inc, all rights reserved.