> This update:
> * Addresses an issue that could cause Messages conversations to temporarily be listed out of order
Plus, the Messages bug has been driving me up the wall for weeks, so I'm glad it's fixed.
It doesn't say "fixing messages". It doesn't hint at a high impact CVE. The only mention of any form of "security" is the link to the KB article, which I only caught after I noticed this HN post.
As a software engineer at a software+network security company and in investor in Apple, I'm not impressed. Bottom line: there was no urgency baked into the update description.
For a scary-looking example of what macOS 10.13.3 / iOS 11.2.5 may secretly contain fixes for, take a look at https://twitter.com/ranixch/status/955921380855418882
I found this: https://siguza.github.io/IOHIDeous/
that was published Dec 31.
It took Apple 23 days since it was public before they released a fix.
> The exploit accompanying this write-up consists of three parts:
> poc (make poc)
Targets all macOS versions, crashes the kernel to prove the existence of a memory corruption.
> leak (make leak)
Targets High Sierra, just to prove that no separate KASLR leak is needed.
> hid (make hid)
Targets Sierra and High Sierra (up to 10.13.1, see README), achieves full kernel r/w and disables SIP to prove that the vulnerability can be exploited by any unprivileged user on all recent versions of macOS [!!!!!!!!!]
I wish I could have found something newer, but according to Symantec the average resolution time found in their 2015 study was 69 days. The last time Apple rushed a fix out.. it didn't go so well.
Now, while I'm waxing poetic, I may as well frighten you with a recent RAND corp study about how long Zero Days can be known privately before publicly disclosed . It also doesn't take too long to weaponize them .
This stuff sucks and is really nerve racking for anyone involved in security even tangentially. It's really easy to criticize but I guarantee that anyone on Hacker News who has written any meaningful software has released a security flaw. If you think you haven't you're absolutely kidding yourself and should reevaluate your stance.
Download>Click install>30 seconds later it reboots>Apple logo gray screen I see "installing software updates" and a status bar that gets 25% of the way done and then the screen goes black, fans go high, then a reboot>screen is still black, fans go high, 3 minutes another reboot>screen is still black, fans go high for 30 seconds and now nothing for the past 10 minutes.
Power light is on, caps lock key does light up, the keyboard lighting comes on if I touch keys and I can increase or decrease that lighting with the proper key, but no backlight. WTH?
OMFG, now 15 minutes after starting, more fan noise for about 30 seconds...
So it's still doing something, but with a black screen.
No change 35 minutes after starting the update...
It really pisses me off when Apple buries firmware updates into system software updates. I have no idea if this update contained a firmware update, and whether this problem I'm having now might be a failed firmware update? But I'm pissed off. If Apple wants to prevent me from installing OS updates until I have a firmware update applied, they can do that, but this total lack of disclosure what is being done, and therefore what failed, is really really fucking annoying.
I wonder if there are firmware updates / touchbar updates in here.
Several of the arbitrary code executions are triggerable by processing maliciously crafted web content. There's also a local sandbox bypass.
Not a big deal for user-visible features, a very big deal for security vulnerabilities.
What is taking up that 2.17GB??? Are they just recompiling every shared library or something?
How is it that their updates (even on iOS) are so massive even if they don't include (or need to include) new graphics, etc.
I have personally looked at the accompanying connections and it looks like Apple sends hashes over a proper TLS connection. Updates are also signed as another layer of security.
Luckily it's not that bad for me anymore, but I still sympathise with everyone with slow connection speeds, because you can't "just" download an update.
This feature used to only be in macOS Server but is now in normal macOS too.
I'm in Sydney, at home my fastest option is ADSL2+ which gets me 15-16Mbit on a good day (7-8 if it's rained much recently...)
My ISP contacted me mid last year to offer pre-signups for our "National Broadband Network" on Sept 4th. A couple of months ago it became public that the old HFC cables they were planning to use were completely not up to the task, with major problems reported pretty much everywhere it'd already been rolled out, and they've now stopped and new HFC rollout using that (Optus) coax for at least 9 months.
I _think_ Sydney Australia counts as "the developed world", but even 100Mbit for me right now is at least a year away...
And I don't live in the country either, I'm a 10 minute walk away from a technical university und multiple research institutes.
Why was this downvoted?
If you down vote at least you can comment why.
These are the security updates since Oct:
That's the problem with C, it can't be written securely and these bugs will continue to be fixed for decades.