macOS Big Sur 11.3: Upgrade ASAP for fix to 0-Day Gatekeeper Security Exploit (Apple CVE-2021-30657)

If you are running macOS Big Sur, update to 11.3 ASAP to get an urgent security fix.

In essence, you could do little more than double-click to open a document faking it as an app and compromise your entire machine.

Takeaways

It’s hard to operate in today’s internet environment without risk. But when Apple has bugs like this one, hardly anyone is safe, not even highly knowledgeable people (including me). Break these rules at your own risk, since this latest Apple bug is an existence proof that nothing is safe.

  • Unless you are CERTAIN that a file comes from a trusted party, do not download or open files received in email. Even then there is a risk since a friend or acquaintance could have been tricked, or infected.
  • Prefer plain-text emails.
  • Do not open attachments from unknown parties, particularly those forwarded by others.
  • Do not click on links in emails. Yeah it’s convenient—don’t.
  • Disable auto-loading of images in Apple Mail (Preferences => Viewing => Load Remote content in messages = unchecked/off).
  • Communicate by phone (voice) with persons sending you attachments/links to verify validity. And only those you already know.

Years of risk from sloppy practices at Apple?

Apple’s zealous security lockdowns have resulted in numerous impacts on those who use their computers for real work. Bars on the windows, rear doors locked, concrete bunker inside—but here we have the front door left wide open.

It took nearly TWO YEARS to find and fix this outrageous bug. Which is one more reason why waiting at least 6 months for a major macOS update is the smart move. But even that wouldn’t have worked in this case.

Ever wonder why Apple’s operating system releases require numerous updates in just 6 months? Check your premises on quality control—Apple ships by schedule, not by software quality.

About the bug

See also: Apple Security Bounty

CVE-2021-30657 was discovered and reported to Apple by security engineer Cedric Owens on March 25, 2021.

"An unsigned, unnotarized, script-based proof of concept application [...] could trivially and reliably sidestep all of macOS's relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system," security researcher Patrick Wardle explained in a write-up. "Armed with such a capability macOS malware authors could (and are) returning to their proven methods of targeting and infecting macOS users."

Ironic that macOS Catalina introduced the bug, what with all its extra security hassles. Of course, Catalina was a dismal failure in terms of so many other security bugs.

AnandTech: Actively exploited Mac 0-day neutered core OS security defenses

When Apple released the latest version, 11.3, for macOS on Monday, it didn't just introduce support for new features and optimizations. More importantly, the company fixed a zero-day vulnerability that hackers were actively exploiting to install malware without triggering core Mac security mechanisms, some that were in place for more than a decade.

...the flaw appears to have existed since the introduction of macOS 10.15 in June 2019, which is when notarization was introduced.

MPG: if the bug was being “actively exploited”, how can Apple be so out-of-the-loop to not know that after nearly two years? Why isn’t there a team at Apple that infiltrates the hacker community and/or actively buys exploits, so as to fix them?

Why doesn’t Apple owe compensation to the victims of this bug? A constant barrage of buggy macOS releases has a long track record of sloppy work—Apple should be liable given that track record.


Copyright © 2020 diglloyd Inc, all rights reserved.