OS X

Critical Remote Code Execution Flaw Fixed In Popular Terminal App For MacOS (csoonline.com)

itwbennett shares a report from CSO: iTerm2 users: It's time to upgrade. A security audit sponsored by the Mozilla Open Source Support Program uncovered a critical remote code execution (RCE) vulnerability in the popular open-source terminal app for macOS. iTerm2 is an open-source alternative to the built-in macOS Terminal app, which allows users to interact with the command-line shell. Terminal apps are commonly used by system administrators, developers and IT staff in general, including security teams, for a variety of tasks and day-to-day operations.

The iTerm2 app is a popular choice on macOS because it has features and allows customizations that the built-in Terminal doesn't, which is why the Mozilla Open Source Support Program (MOSS) decided to sponsor a code audit for it. The MOSS was created in the wake of the critical and wide-impact Heartbleed vulnerability in OpenSSL with the goal of sponsoring security audits for widely used open-source technologies. The flaw, which is now tracked as CVE-2019-9535, has existed in iTerm2 for the past seven years and is located in the tmux integration. Tmux is a terminal multiplexer that allows running multiple sessions in the same terminal window by splitting the terminal screen. The flaw was fixed in iTerm2 version 3.3.6, which was released today.

China

China Attacks Apple For Allowing Hong Kong Crowdsourced Police Activity App (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Apple's decision to greenlight an app called HKmaps, which is being used by pro-democracy protestors in Hong Kong to crowdsource information about street closures and police presence, is attracting the ire of the Chinese government. An article in Chinese state mouthpiece, China Daily, attacks the iPhone maker for reversing an earlier decision not to allow the app to be listed on the iOS App Store -- claiming the app is "allowing the rioters in Hong Kong to go on violent acts." HKmaps uses emoji to denote live police and protest activity around Hong Kong, as reported by users.

The app's developer denies the map enables illegal activity, saying its function is "for info" purposes only -- to allow residents to move freely around the city by being able to avoid protest flash-points. But the Chinese government is branding it "toxic." "Business is business, and politics is politics. Nobody wants to drag Apple into the lingering unrest in Hong Kong. But people have reason to assume that Apple is mixing business with politics, and even illegal acts. Apple has to think about the consequences of its unwise and reckless decision," the China Daily writer warns in a not-so-veiled threat about continued access to the Chinese market.

"Providing a gateway for 'toxic apps' is hurting the feelings of the Chinese people, twisting the facts of Hong Kong affairs, and against the views and principles of the Chinese people," it goes on. "Apple and other corporations should be able to discern right from wrong. They also need to know that only the prosperity of China and China's Hong Kong will bring them a broader and more sustainable market."

The article also claims Apple reinstated a song which advocates for independence for Hong Kong and had previously been removed from its music store.

Media

Slashdot Asks: What Did You Like/Dislike About iTunes?

iTunes is officially dead with the release of macOS Catalina today. Apple decided to break apart the app into separate Apple Music, Podcasts and TV apps. "Each is better at its individual task than it was as a section within iTunes, which was teetering on collapse like the Jenga tower of various functions it supports," writes Dieter Bohn via The Verge.

"In the early days, iTunes was simply a way to get music onto Apple's marquee product, the iPod music player," reports Snopes. "Users connected the iPod to a computer, and songs automatically synced -- simplicity unheard of at the time." It was the first service to make songs available for 99 cents apiece, and $9.99 for most albums -- convincing many people to buy music legally rather than seek out sketchy sites for pirated downloads. "But over time, iTunes software expanded to include podcasts, e-books, audiobooks, movies and TV shows," recalls Snopes. "In the iPhone era, iTunes also made backups and synced voice memos. As the software got bloated to support additional functions, iTunes lost the ease and simplicity that gave it its charm. And with online cloud storage and wireless syncing, it no longer became necessary to connect iPhones to a computer -- and iTunes -- with a cable."

What did you like or dislike about iTunes? When you look back at the media player, what are you reminded of?

China

Apple Hides Taiwan Flag in Hong Kong (emojipedia.org)

iPhone users in Hong Kong have noticed a change in the latest version of iOS: the Flag for Taiwan emoji is missing. From a report: Previously restricted on Chinese iOS devices, all other regions of the world have continued to enjoy access to all flags in the iOS emoji font, until now. The change, first discovered by iOS Developer Hiraku Wang, means that users with an iOS device region set to Hong Kong will see one less flag on the emoji keyboard than if the region is set to anywhere else in the world (other than China mainland, which also hides this flag). Notably, the emoji Flag: Taiwan is still supported by iOS in Hong Kong. As of iOS 13.1.2, released last week, this is now hidden from the emoji keyboard but remains available by other means. Apple's Hong Kong approach differs from the complete ban on the emoji in China. Any iPhone purchased in China, or purchased elsewhere with the region set to China mainland, replaces the flag of Taiwan with a missing character tofu so it cannot be used or displayed in any app, even via copy and paste.

Desktops (Apple)

macOS Catalina is Available To Download Today (engadget.com)

It's happening a little later in the season than usual, but Apple's latest version of macOS is available to download today. From a report: Catalina arrives on the heels of iOS 13, which saw several back-to-back updates after an initially rough launch. For what it's worth, I've been using successive versions of the Catalina beta as my daily driver for months now and can assure you that the latest build is stable enough to safely install. [...] Speaking of games, today also marks the first time that Catalina beta users will have been able to play Apple Arcade games. If you're wondering how the heck you'll play those titles from your Mac, it's worth a reminder that many Arcade games support Xbox and PlayStation controllers.

Also new in this release: As you browse episodes in the podcast app, you'll see avatars for guests and hosts. Apple also says it's made some small usability tweaks to Sidecar, the feature that allows you to use an iPad as a secondary Mac display. You'll also notice more promotional Apple TV+ material in the new TV app, which makes sense -- the streaming service launches November 1st. It'll cost $4.99 a month, but Apple is offering a free year with the purchase of a new Mac, iPhone, iPad or Apple TV.

Further reading: Apple's MacOS Catalina Opens Up To iPad Apps; Apple Will Permanently Remove Dashboard In macOS Catalina; Apple Replaces Bash With Zsh as the Default Shell in macOS Catalina; and Apple Finally Kills iTunes.

Patents

US Supreme Court Snubs University of Wisconsin Appeal in Patent Fight With Apple (reuters.com)

The U.S. Supreme Court on Monday refused to hear a bid by the University of Wisconsin's patent licensing arm to reinstate its legal victory against Apple in a fight over computer processor technology that the school claimed the company used without permission in certain iPhones and iPads. From a report: The justices, on the first day of their new term, declined to review a lower court's 2018 decision to throw out the $506 million in damages that Apple was ordered to pay after a jury in 2015 decided the company infringed the university's patent. The licensing body, the Wisconsin Alumni Research Foundation (WARF), filed suit in 2014, alleging infringement of a 1998 patent on a "predictor circuit" to help speed the way processors carry out computer program instructions. The patent was developed by computer science professor Gurindar Sohi and three of his students at the university, located in Madison, Wisconsin. WARF, which helps patent and commercialize the university's inventions, claimed that Apple incorporated the technology in its A7, A8 and A8X processors, found in the iPhone 5s, 6 and 6 Plus, as well as several versions of the iPad tablet. Apple disputed the claims, saying its processor worked differently based on the specific language spelled out in WARF's patent.

Wireless Networking

Did MacOS Stop Allowing Changes to Wifi MAC Addresses?

ugen (Slashdot reader #93,902) writes: Something I discovered today, while trying to change a MAC address on a new MacBook Air (as I did for years on other MacBooks): ifconfig en0 ether "new mac" no longer works. It appears that this is a change made sometime last year, applicable to all newer Apple MacBooks.

Implications of permanently fixed MAC addresses on privacy and security are hard to underestimate. Given that Windows now supports complete Wifi MAC address randomization — I am sad to admit that Microsoft looks like a champion of privacy here. What are your thoughts? Solutions anyone knows of (I'll take a reasonable technical hack).

Here are a few mentions of this elsewhere:
Mac Rumors forums
The GitHub repo for SpoofMAC
A discussion on Stack Overflow

I've seen other theories about what's going on, though the bigger question is still what's the solution? Leave your own thoughts and suggestions in the comments.

And did MacOS stop allowing changes to wifi MAC addresses?

China

Apple Reverses Ban On App That Allowed Hong Kong Protestors to Track Police Movements (boingboing.net)

UPDATE (10/4/2019): "Apple has reportedly reversed its decision to ban the app HKmap.live," reports BoingBoing.

Apple had banned the app, which allows Hong Kong protesters to track protests and police movements in the city state, despite increasing international condemnation against the violence used by the authorities, MacRumors had reported: According to The Register, Apple has told the makers of the HKmap Live app that it can't be allowed in the App Store because it helps protestors to evade the police. "Your app contains content - or facilitates, enables, and encourages an activity - that is not legal ... specifically, the app allowed users to evade law enforcement," the American tech giant told makers of the HKmap Live on Tuesday before pulling it. Opposition to the Chinese state and the Hong Kong authorities has grown louder, driven by an escalation in violence against protesters over the past week. On Wednesday, thousands of people took to the streets of Hong Kong to denounce the shooting of an unarmed teenage student by police. Tsang Chi-kin was shot in the chest at point-blank range on Tuesday. He remains in hospital in stable but critical condition after surgery to remove the bullet, which narrowly missed his heart.

OS X

macOS Systems Can Be Abused In DDoS Attacks (zdnet.com)

An anonymous reader writes: "DDoS-for-hire services, also known as DDoS booters, or DDoS stressors, are abusing macOS systems to launch DDoS attacks," reports ZDNet. "These attacks are leveraging macOS systems where the Apple Remote Desktop feature has been enabled, and the computer is accessible from the internet, without being located inside a local network, or protected by a firewall. More specifically, the attackers are leveraging the Apple Remote Management Service (ARMS) that is a part of the Apple Remote Desktop (ARD) feature. When users enable the Remote Desktop capability on their macOS systems, the ARMS service starts on port 3283 and listens for incoming commands meant for the remote Mac." Hackers have figured out a way to bounce traffic off these ports and carry out DDoS attacks with the help of internet-connected Macs. Nearly 40,000 macOS systems are currently connected online and can be used to send out DDoS attacks.

Iphone

Apple To Release 'iPhone SE 2' In Q1 2020 With iPhone 8 Design, A13 Processor (9to5mac.com)

According to Apple analyst Ming-Chi Kuo, Apple is expected to launch the iPhone SE 2, the next version of the iPhone SE, in the first quarter of 2020. "The new phone will be more affordable than the rest of the Apple iPhone lineup and feature newer internals, like an A13 processor with 3GB RAM, in a familiar iPhone 8 chassis," reports 9to5Mac. From the report: Kuo says that most of the new iPhone SE's hardware specification will mirror the iPhone 8. The analyst predicts Apple will sell 30-40 million units across 2020. The Q1 timeframe lines up with a previous report from Nikkei, which said to expect a cheaper iPhone with iPhone 8-esque design in the spring. This would mean it would feature a 4.7-inch LCD display and Touch ID home button. Kuo does not predict an exact price for the new phone. Before the 4-inch iPhone SE was discontinued, Apple sold it for $349 in a 32 GB storage configuration.

The current iPhone product range at Apple stores spans the iPhone 11 series, iPhone XR and the iPhone 8 and iPhone 8 Plus. The 4.7-inch iPhone 8 is currently on sale for $449 for 64 GB. Presumably, when the new SE launches, Apple will stop selling the iPhone 8 altogether. Given the current pricing of the 8, you could easily see how Apple could sell an iPhone SE 2 32 GB for around the same price as the old SE, in the $349-$399 range.

AI

Apple To Loosen Reins on Outside Messaging, Phone Apps Via Siri (bloomberg.com)

Apple said it will ease some restrictions on developers of third-party apps, responding to news reports about the rise of in-house software that gets prized default status on iPhones and iPads. From a report: The Cupertino, California-based company plans to release a software update later this year that will help outside messaging applications work better with the Siri digital assistant. Right now, when iPhone users ask Siri to call or message a friend, the system defaults to Apple's Phone or iMessage apps. If you want to use WhatsApp or Skype, you have to specifically say that.

When the software refresh kicks in, Siri will default to the apps that people use frequently to communicate with their contacts. For example, if an iPhone user always messages another person via WhatsApp, Siri will automatically launch WhatsApp, rather than iMessage. It will decide which service to use based on interactions with specific contacts. Developers will need to enable the new Siri functionality in their apps. This will be expanded later to phone apps for calls as well.

IOS

The iPhone 11's Deep Fusion Camera is Now in the iOS 13 Developer Beta (theverge.com)

Apple's Deep Fusion photography system has arrived in the latest developer betas of iOS 13, hopefully hinting that it will ship for the iPhone 11 and 11 Pro soon. From a report: To refresh your memory, Deep Fusion is a new image processing pipeline for medium-light images, which Apple senior VP Phil Schiller called "computational photography mad science" when he introduced it onstage. But like much of iOS 13, Deep Fusion wasn't ready when the phones arrived two weeks ago. And although the iPhone 11 and 11 Pro have extremely impressive cameras, Deep Fusion is meant to offer a massive step forward in indoor and medium-lighting situations. And since so many photos are taken indoors and in medium light, we're looking forward to testing it.

[...] With Deep Fusion, the iPhone 11 and 11 Pro cameras will have three modes of operation that automatically kick in based on light levels and the lens you're using: The standard wide angle lens will use Apple's enhanced Smart HDR for bright to medium-light scenes, with Deep Fusion kicking in for medium to low light, and Night mode coming on for dark scenes. The tele lens will mostly use Deep Fusion, with Smart HDR only taking over for very bright scenes, and Night mode for very dark scenes. The ultrawide will always use Smart HDR, as it does not support either Deep Fusion or Night mode.

Security

Legit-Looking iPhone Lightning Cables That Hack You Will Be Mass Produced and Sold (vice.com)

An anonymous reader quotes a report from Motherboard: Soon it may be easier to get your hands on a cable that looks just like a legitimate Apple lightning cable, but which actually lets you remotely take over a computer. The security researcher behind the recently developed tool announced over the weekend that the cable has been successfully made in a factory. MG is the creator of the O.MG Cable. It charges phones and transfers data in the same way an Apple cable does, but it also contains a wireless hotspot that a hacker can connect to. Once they've done that, a hacker can run commands on the computer, potentially rummaging through a victim's files, for instance.

After demoing the cable for Motherboard at the Def Con hacking conference this summer, MG said "It's like being able to sit at the keyboard and mouse of the victim but without actually being there." At the time, MG was selling the handmade cables at the conference for $200 each. Now that production process has been streamlined. This doesn't necessarily mean that factories are churning out O.MG Cables right now, but it shows that their manufacture can be fully outsourced, and MG doesn't have to make the cables by hand.

Iphone

Apple's New iPhones Will Warn You If They Can't Verify a Replaced Screen (theverge.com)

According to a newly published support document, Apple says the new iPhone 11, 11 Pro, and 11 Pro Max will present customers with a warning if the devices are unable to verify a genuine display after a screen repair job. "If you need to replace your iPhone display, it's important for certified technicians who use genuine Apple display parts to repair it," the page reads. "Replacements not performed by Apple, authorized service providers, or certified technicians might not follow proper safety and repair procedures and could result in improper function or issues with display quality or safety." The Verge reports: Apple goes over a laundry list of problems that could arise if your display is swapped the wrong way or with a non-genuine part, such as multi-touch problems, issues with screen color accuracy and brightness, or True Tone failing to work properly. "Additionally, repairs that don't properly replace screws or cowlings might leave behind loose parts that could damage the battery, cause overheating, or result in injury." The company isn't afraid of nagging customers about this, either. Apple says that a notification will appear on the affected iPhone's lock screen for 4 days after a problem is first detected, then it'll move to the main settings menu for 15 more days. After all that, it gets pushed away to Settings -> General -> About. According to Apple, this new measure only applies to its brand new iPhones and not previous models. Even if it can't be verified as genuine, the display isn't prevented from functioning normally by iOS.

Wireless Networking

Both Apple and Amazon Are Quietly Building Networks That Know the Location of Everything (wired.co.uk)

Wired reports on both Sidewalk, Amazon's new low-bandwidth long-range wireless networking protocol, and Apple's new position- and distance-measuring U1 chip (mentioned in a recent keynote). Apple's U1 chip -- which allows precise, indoor positional tracking via the latest iPhones and will power, at the very least, directional AirDrop file-sharing -- popped up on screen but was never even mentioned. The interest-piquing phrase "GPS at the scale of your living room" was saved for the online iPhone product pages rather than the bombast of the Steve Jobs Theater... Both Amazon and Apple have the hardware scale to build up the base of access points needed to create a useful network before reaching out to, most likely, iOS developers in Apple's case, and hardware makers already on board with Alexa in Amazon's case. For Amazon, in fact, that work has already begun as Sidewalk originally came out of the Ring team's ambition to extend its connected security devices out into gardens. "Ring lighting was the first time we ran into it as a company, because we wanted to extend out onto the sidewalk," says Daniel Rausch, VP of smart home at Amazon (which owns Ring).

The smart outdoor Ring lights are already out. Products like the Smart Floodlight and Pathlight list a "wireless connection to the Ring Bridge" in the tech specs but eagle-eyed Ring owners had already started to figure out what band Amazon was playing with for this connection, before the Sidewalk announcement. "They've been using an internal version of the protocol on the freely available and unlicensed 900MHz part of the spectrum already," explains Rausch. "What we realised was 'woah, we can actually do something special'. We can make a version of this protocol which is secure and have this unbelievably ubiquitous coverage if we bring it all together, neighbours and neighbours and neighbours...." An innocent smart dog tracker like Ring Fetch fits perfectly into this model of Amazon-networked communities sharing video, alerts and location tracking.

Iphone

New iPhone Feature Can Send Unknown Callers To Voicemail Automatically (economist.com)

An anonymous reader quotes the Economist: In its latest software release, Apple has made it possible for iPhone users to send all unknown callers to voicemail automatically.

Although the feature will no doubt prove useful to the millions of customers whose peaceful suppers are ruined by fake calls, it could be disastrous for the faltering public-polling industry. The challenges telephone pollsters face have been growing. Polling by phone has become very expensive, as the number of Americans willing to respond to unexpected or unknown callers has dropped.

Back in the mid-to-late-20th century response rates were as high as 70%, according to SSRS, a market research and polling firm. But the Pew Research Centre estimates that it received completed interviews from a mere 6% of the people it tried to survey in 2018. Although polls with low response rates can still be accurate, their costs increase dramatically as pollsters must spend more time and money calling more people.

Movies

Apple TV Plus Movies Might Hit Theaters Before Streaming Service (cnet.com)

Apple is reportedly talking to movie theater chains to try and get its Apple TV Plus movies shown in theaters a few weeks before they hit the streaming service. CNET reports: Apple's apparently hoping to attract established directors and producers to the $5-a-month service, and avoid creating industry tension like Netflix -- Martin Scorsese's The Irishman won't be playing in several theater chains because Netflix wouldn't agree to the usual three-month delay between the movie's theatrical debut and its arrival on streaming. The strategy Apple reportedly is taking mirrors that of Amazon, which gave the Oscar-winning Manchester by the Sea a three-month theatrical run in 2016, the Wall Street Journal noted.

Sofia Coppola's On the Rocks, which stars Rashida Jones and Bill Murray, is one of Apple's first major theatrical releases. It could premiere at the Cannes Film Festival prior to its mid-2020 release, according to the Journal. The Cupertino, California, company also reportedly talked about giving The Elephant Queen, a Chiwetel Ejiofor-narrated documentary about an elephant mother leading her herd across Africa, a theatrical release so it's eligible for awards consideration. It's due to be available on Apple TV Plus at launch on Nov. 1.

Iphone

Apple Considers Using Iconic Logo As a Notification Light, Patent App Suggests (theverge.com)

Apple has applied for a patent to use the logo on the back of its phones as a notification light. The patent application, which was first spotted by Apple Insider, outlines how the "adjustable decoration" could respond to events such as "incoming communication" or "a calendar reminder" by changing its appearance or flashing to attract your attention. The Verge reports: The feature makes sense for Apple's products. After all, the company has a history of illuminating its logo on its older MacBooks, even if it dropped the design feature with the laptop's 2015 redesign. It wouldn't be a massive leap for it to bring back its illuminated logo with a little practical functionality added. The application makes frequent references to "cellular telephone" calls as part of its description, which heavily suggests that Apple is considering using the feature on a future iPhone. However, the patent also includes images showing a series of "illustrative electronic devices" including a laptop, a tablet, and what appears to be an iMac.

IOS

New Checkm8 Jailbreak Released For All iOS Devices Running A5 To A11 Chips (zdnet.com)

An anonymous reader shares a report: A security researcher has today released a new jailbreak that impacts all iOS devices running on A5 to A11 chipsets -- chips included in all Apple products released between 2011 and 2017. This includes iPhone models from 4S to 8 and X. The jailbreak uses a new exploit named Checkm8 that exploits vulnerabilities in Apple's Bootrom (secure boot ROM) to grant phone owners full control over their device. Axi0mX, the security researcher who published Checkm8 today, told ZDNet he'd worked on the jailbreak all year.

IOS

Alternative iOS App Store Doesn't Require a Jailbreak (engadget.com)

Developer Riley Testut is launching an alternative to Apple's App Store, called AltStore, that theoretically lets you "push the boundaries" of iOS without either jailbreaking or worrying that Apple will pull access. Engadget reports: AltStore works by fooling your device into believing that you're a developer sideloading test apps. It uses an app on your Mac or Windows PC to re-sign apps every seven days, using iTunes' WiFi syncing framework to reinstall them on your device before they expire. You only need a free Apple ID (a throwaway will do) to install apps that Apple would never allow, such as Testut's Delta emulator for Nintendo consoles.

In theory, there's not much Apple can do to easily shut things down. It could take down individual accounts, but you could just create another Apple ID if needed. Also, iOS only looks for an excessive number of app provisioning profiles, not the number of apps you have installed. So long as AltStore manages those profiles, Apple doesn't know if you're running one app or twenty. Testut told The Verge that measures to block AltStore would break key functionality for developers or iTunes syncing.

AltStore is available in preview form now, with a formal launch due on September 28th. "People who back Testut's Patreon will also have the option to install almost any app, not just those in the store," the report adds.