July 2019: Questions and Answers

Questions were the topic of the evening for the July 16, 2019, Strait Macintosh User Group meeting. The meeting was held at the Sequim Library, 630 N. Sequim Ave., Sequim, WA. Notes by Secretary Kathleen Charters.

Business meeting

The meeting started off with President Sabrina Davis answering questions about recent history, covering such topics as “What happened to our treasury?” [Some former members donated it to Shipley Center, without participation by the current SMUG members or officers, and without holding a meeting.] “What happened to our equipment?” [Donated to Shipley.] and “What do we want to do going forward?”

Going forward, the group decided to hold meetings more or less monthly to get back on track, with the next meeting Tuesday, September 17, at 7 p.m. at the Sequim Public Library. Yes, this means “monthly” doesn’t include August, due to schedule conflicts.

Some members expressed concerns about meeting during the winter months, when it gets dark early and the weather might be unpleasant. This will be discussed some more, as the group is not committed to meeting Tuesday evenings; there are other perfectly good days of the week, and we could meet during daylight hours. We’ll discuss this again in September.

Funds were also an issue. There have been complaints that the new website has advertisements (as some said, “obnoxious ads”), which is a consequence of the free hosting available on WordPress.com. Fixing this, and coming up with a SMUG-specific domain name, would cost money. If we rented space somewhere, that would also cost money; the Library is an excellent location, but the meeting space is quite small (technically, we are supposed to be using only half the space we’ve occupied at the last two meetings).

It was moved, and passed, that dues be set at $24 per year. Treasurer Annalis Schutzmann collected dues from most of those in attendance. [Subsequently, Annalis and Secretary Kathleen Charters set up a SMUG bank account.]

Open Question and Answer (Q&A) session

There were two rules:

  1. The questions had to be about Apple products (hardware or software), and
  2. The questions and responses should take no more than three to four minutes to answer.

Anything more complex will have to be deferred.

Vice President Lawrence Charters conducted the Q&A session.

My laptop can’t download Mojave

Just from looking at the laptop from across the room, it is clear the MacBook Pro has an optical disc drive, which means it is fairly old, as Apple hasn’t shipped a laptop with an optical drive since 2012. As for why Mojave is not supported: Mojave (macOS 10.14) is a 64-bit operating system, and older Macs do not have CPUs (the main “computer”) capable of supporting 64-bit operations. Mojave also uses the video card as if it was another CPU, speeding up not only video but file compression, among other things, and older video cards do not support such operations. Since virtually all Macs, laptop and desktop, have a single circuit board holding the CPU, the video card, and all the supporting chips and circuitry, it isn’t economically or technologically feasible to replace the pieces; a newer machine is the only option.

Incidentally, a “newer” machine does not necessarily mean “brand new.” Apple sells refurbished machines from their websites (with new warranties).

As for why a 64-bit operating system is important: not only are these faster (allowing you to get more speed and efficiency on supported hardware), but they are also much more secure. This is true not only for Macs; iPhones and iPads have been 64-bit-only for several years, and Microsoft is now strongly pushing Windows 10 users to use 64-bit versions of Windows 10. In the Windows world, this has created massive problems, as literally a billion Windows machines are running insecure versions of Windows.

Is it wise to beta-test new Mac OS?

Running beta (pre-release) versions of operating systems on your iPhone, iPad, or Mac is only a good idea if a) you have another perfectly useful machine to do important work and b) you are prepared to erase everything on the machine you use for beta-testing. And “erase” means everything: all data, all applications, and the operating system itself. Beta versions of operating systems are intended to test things to see if they break, and, if they do, how they break; they are not designed for you to test drive.

Note, too, that it takes time to download beta versions of operating systems, time to install the software, and sometimes time to reinstall the software, as one of the things being tested is the installer itself. Also, Apple recommends erasing all beta versions of an operating system (which requires erasing the entire drive) before installing the release version. If you do decide to try the beta versions of an operating system, make sure you have an iCloud account with enough room on it to hold everything on your machine — all data, and all applications — as it gives you some chance to recover in case something goes horribly wrong. “Going horribly wrong” is the whole purpose of beta testing.

What about running another operating system from another drive?

You should never try and have two different operating systems installed on the same machine, even if they are on different drives, as this can corrupt the operating systems and your data. When a Mac boots, it scans all connected drives and based on what it finds, it makes changes in memory to accommodate what it thinks is appropriate for the operating system — and these changes could cause damage when you switch back and forth between the two operating systems. It may make changes to whatever drive is not the boot drive — changes in initial boot parameters, changes in which drive is booted first, changes in preferences for applications, etc. — and those changes can corrupt your data, your applications, and either or both operating systems.

After upgrading to High Sierra, not able to access files

High Sierra (macOS 10.13) is much more strict about how applications perform, and if an application does things in an insecure fashion, it simply won’t allow the application to launch. High Sierra also changes the file system on the internal drive (on machines with solid-state drives), which also makes all previous disk analysis and disk management utilities obsolete. Most of the changes in High Sierra are focused on speed, efficiency, and particularly security. If your application doesn’t run anymore, you need to upgrade to a later, supported, more secure version.

I’m getting a warning my application is not optimized for operating system

I’ve run into this: the scanner software for my Fujitsu scanner is flagged by my Mac as “[This app] is not optimized for your Mac and needs to be updated.” It is essentially a warning that it is a 32-bit application and absolutely will not run under macOS Catalina 10.15, the next version of the Mac operating system. You need to either get the vendor to update the software, or buy a new version, or find a replacement.

[Fortunately, Fujitsu did come out with a free update the next day.]
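The 32-bit check behind that warning can be reproduced by reading a program's Mach-O header, shown here as an added example that is not part of the meeting notes. The constants are the ones in Apple's public Mach-O headers; the function names and the sample byte strings are constructed for illustration.

```python
import struct
import sys
from pathlib import Path

# Constants from Apple's public <mach-o/loader.h>, <mach-o/fat.h>, <mach/machine.h>.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF    # thin 32-bit / 64-bit image
FAT_MAGIC, FAT_MAGIC_64 = 0xCAFEBABE, 0xCAFEBABF  # universal header, big-endian
CPU_ARCH_ABI64 = 0x01000000                       # set in cputype for 64-bit CPUs
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 0x01000012: "ppc64"}
# Java .class files also start with CAFEBABE; their next 32-bit word
# (minor/major version) is always 45 or more, so a small cap rejects them.
MAX_FAT_ARCHS = 30


def macho_cputypes(data):
    """Return the cputype of every architecture slice in a Mach-O header."""
    if len(data) < 8:
        return []
    magic_be, second_be = struct.unpack(">II", data[:8])
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        if not 0 < second_be <= MAX_FAT_ARCHS:
            return []
        entry_size = 20 if magic_be == FAT_MAGIC else 32  # fat_arch / fat_arch_64
        cputypes = []
        for index in range(second_be):
            offset = 8 + index * entry_size
            if offset + 4 > len(data):
                break  # truncated header: report what was readable
            cputypes.append(struct.unpack(">I", data[offset:offset + 4])[0])
        return cputypes
    # Thin images are stored in the byte order of the CPU they target.
    for endian in ("<", ">"):
        magic, cputype = struct.unpack(endian + "II", data[:8])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return [cputype]
    return []


def arch_names(data):
    """Human-readable architecture names, falling back to the raw value."""
    return [CPU_NAMES.get(c, hex(c)) for c in macho_cputypes(data)]


def classify(data):
    """'32-bit only' is the case that will not launch on macOS Catalina."""
    cputypes = macho_cputypes(data)
    if not cputypes:
        return "not Mach-O"
    if any(c & CPU_ARCH_ABI64 for c in cputypes):
        return "64-bit capable"
    return "32-bit only"


def scan_app(app_path):
    """Classify every file in an app bundle's Contents/MacOS directory."""
    results = {}
    for exe in sorted(Path(app_path, "Contents", "MacOS").glob("*")):
        if exe.is_file():
            with exe.open("rb") as handle:
                results[exe.name] = classify(handle.read(4096))
    return results


# Constructed sample headers (not taken from any real application).
THIN_I386 = struct.pack("<II", MH_MAGIC, 7)
THIN_X86_64 = struct.pack("<II", MH_MAGIC_64, 0x01000007)
FAT_BOTH = (struct.pack(">II", FAT_MAGIC, 2)
            + struct.pack(">5I", 7, 3, 4096, 1000, 12)
            + struct.pack(">5I", 0x01000007, 3, 8192, 1000, 12))
JAVA_CLASS = struct.pack(">IHH", 0xCAFEBABE, 0, 52)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python3 check32.py /Applications/Some.app ...
        for app in sys.argv[1:]:
            for name, verdict in scan_app(app).items():
                print(f"{app}: {name}: {verdict}")
    else:
        for label, blob in [("thin i386", THIN_I386), ("thin x86_64", THIN_X86_64),
                            ("universal", FAT_BOTH), ("java class", JAVA_CLASS)]:
            print(f"{label}: {classify(blob)} {arch_names(blob)}")
```
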

Is it important to upgrade? Are Macs really vulnerable?

Yes, you should upgrade, and yes, Macs are vulnerable. The biggest reason they are vulnerable: the Mac user “invites” malware onto their machine.

In the past, the largest source of malware (malignant software) on the Mac was Adobe Flash. Adobe has abandoned Flash (in 2017), and because it is no longer supported, it continues to be a problem. Today the most common vulnerability comes through PDFs (another Adobe product). A PDF document is essentially a program, and hackers “tag” PDF documents with programs that can compromise your Mac.

Apple operating system upgrades are free; the alternative is to never connect a device without upgrades to the Internet.

Is there something we can use to protect ourselves?

Installing anti-virus software is generally not recommended unless you are a teacher, a lawyer, or someone else who gets a constant stream of documents from strangers. The anti-virus packages for Macs are quite good, but generally, the only things they find are Windows viruses, which your Mac ignores.

The best defense is to install the operating system and application updates as they become available. Among other things, this ensures that Gatekeeper is updated. Gatekeeper is Apple’s background technology that automatically (if you keep the operating system updated) downloads profiles of malware and malicious websites. If you try and visit a suspicious website with Safari, Safari will pop up a warning telling you to go away. If you attempt to download a malicious software package, Gatekeeper will put up a warning.

Does Gatekeeper only work with Safari?

Yes, Gatekeeper only works with Safari. Chrome, however, has similar technology, and Chrome tests for updates every time you launch it. Speaking of browsers, Microsoft has released a beta version of Microsoft Edge, their browser. Like Chrome, the new Microsoft Edge is based on Chromium, which is Google’s browser technology. Chromium, in turn, was originally based on WebKit, which is Apple’s technology.

If you are interested in the Microsoft Edge beta for the Mac, visit: https://www.microsoftedgeinsider.com/en-us/ Note: this is a beta, so don’t use it for anything critical.

Should I use MacKeeper?

MacKeeper is not something you should have on your Mac. It is heavily advertised, and many people have installed it accidentally. If you have it, get rid of it. MacKeeper does not tell you how to uninstall it; it is complicated and annoying, and once installed, it slows your machine down and constantly prompts you to upgrade to a paid version. Many people have to pay a consultant to remove it. Here are two different sets of instructions for removing it. Pick one or the other, and don’t skip any steps:

https://www.lifewire.com/remove-mackeeper-4150011

https://www.macworld.com/article/2861435/how-to-uninstall-mackeeper-from-your-mac.html

Free software training

The Sequim Library, as part of NOLS (North Olympic Library System), offers free access to Lynda.com as part of its service. Lynda.com has some of the best online software courses on how to do everything from using Microsoft Word to how to write code in PHP for building a website. Ask the library for more information; normally, Lynda.com courses are $60 or more apiece.

Have had problems uploading movies from iPhone 5s

The iPhone takes great movies — but movies are much larger than photos. To upload them, you have to spend a lot of time waiting for them to upload. If you are trying to sync them to iCloud, it can also take a long time. You also have to make sure you have enough space in iCloud to hold them.

To check your available space on the iPhone, go to Settings > General > About, and scroll down to Capacity. Just below that is Available, which displays the available space left on the phone.

To check your iCloud space, go to Settings, and right at the top, press on your name, which opens up the Apple ID and iCloud settings. Scroll down to iCloud, press on the link, and you will see the storage capacity at the top. If you only have the free 5 GB account, and it is all in use, you won’t be able to sync video to iCloud.

When uploading video or syncing to iCloud, it is best to do this from home, using your home Wi-Fi, and the iPhone plugged into power. If you try to do this over a cellular connection, you will use up bandwidth in a hurry, and the sync process is slower, or sometimes not even available as an option.

Speaking of cloud storage, everyone should consider getting a Google Photos account. You can save “unlimited” photos at high resolution, and up to 15 GB of data, for free. It is not as well integrated as iCloud, but there is no reason not to sync to both iCloud and Google Photos.

Do you use offsite storage?

There are lots of “cloud backup” vendors. The one Lawrence uses is Backblaze, https://www.backblaze.com

Backblaze runs a daemon (a Unix background process) that scans for new files and uploads them automatically; Lawrence has 10.5 TB in Backblaze. It is perfect for disaster planning, protecting your data in case of a local power outage, or theft, or fire, or some other kind of loss.

Since Backblaze is in the cloud, it is not subject to any household or office or even any regional disaster; you can access the backup files from anywhere on the planet that has Internet access. You can restore files from anywhere, even onto a brand-new machine. If you have a lot of data [Lawrence has a lot of data], you can pay Backblaze a deposit and they will ship a hard drive (or multiple hard drives) to you for restoring files to your machine.

Why is cloud backup a good idea?

iCloud, and other “true” cloud services (Amazon, Google, Microsoft Azure, etc.) replicate data across millions of drives. If one hard drive fails, it automatically re-creates the data on another drive. The big cloud services are also replicated between regions. You can back up your Mac from your home in Sequim, and the cloud service will make copies of the data in other regions, so not even a regional outage will lose data.

While Apple, Amazon, Microsoft, and Google don’t publish any figures on how their infrastructures are built, a 2016 report estimated that Google has 2.5 million servers worldwide. That is a lot of redundancy. Other estimates put the figure at closer to 10 million.

Encryption is another benefit. Apple iCloud is encrypted by default, as is Google Drive (which includes Google Photos). The encryption ensures that you are the only one with access to your data, even in the cloud. In fact, since most people don’t encrypt their laptop or desktop machines, your data may be more secure in the cloud than at home.

Next meeting

The next meeting will be Tuesday, September 17, 2019, at 7 p.m. at the Sequim Library. The topic: A preview of what is coming with macOS Catalina, and if time, information on the new iOS 13 and iPadOS.

Coming soon


Apple WWDC19 was full of wonders

Apple’s World Wide Developer Conference (WWDC) was held earlier today, and Apple made a number of announcements:

The new Mac Pro is endlessly customizable, offering huge amounts of memory, storage, video power, etc. There is even a rack-mounted version, in case you want a small herd of these for crunching vast herds of bits and bytes.
  • iOS 13 is aimed at being much faster, even on existing hardware, and is bringing Dark Mode to the small screen, along with outstanding security and privacy;
  • iPad software is being split off from the iPhone to a new iPadOS, with features that take advantage of the vastly larger screen;
  • the Mac Pro returns, in a powerful 28-core monster;
  • Apple returns to the display business with an exotic Pro Display XDR;
  • watchOS 6 will add new health and fitness metrics and capabilities, and new watch faces;
  • tvOS 13 will allow multiple user profiles, so you can watch what you want, and listen to what you want;
  • macOS Catalina returns to the California coast, and splits iTunes apart with separate apps for Apple Music, podcasts, and Apple TV;
  • another huge change to macOS Catalina is Sidecar, a built-in capability to use your iPad as an additional screen of your Mac, and use iPad capabilities — such as the pen — with your Mac;
  • accessibility changes, to macOS, iOS, and iPadOS, promise to vastly expand what can be done by those with vision, hearing, or mobility limitations, including both the very young and the very old.
New iPadOS showing Dark Mode and the ability to display information on the home screen.

You can watch the keynote (a bit more than two hours) here.

Soon you will be able to record a voice memo on your Apple Watch with just a tap.

Most people will never own a Mac Pro; fully equipped with the new Pro Display XDR, you could buy a decent car — a new car — for the same price, or less. But almost everyone with an Apple device will benefit from iOS 13, iPadOS, tvOS 13, watchOS 6, and macOS Catalina. In particular, the accessibility features, and the vastly expanded iPad capabilities, are worth a long, thoughtful look. And the security and privacy features built into the new operating systems — all the operating systems — are extraordinary.

The programming tools will roll out immediately, with the finished iPhone, iPad, watch, TV, and Mac operating systems coming out in the fall. The Mac Pro and Pro Monitor will be out “this fall,” but you can sign up to be notified when they are getting close.

iPhone Notes in Dark Mode, with the option of sending an email notification directly from the note.

Since this is the World Wide Developers conference, there was also a presentation on coding, and it was impressive. While GUI (Graphical User Interface) programming has been touted for a couple decades, the reality is that complex programming is almost entirely based on thousands, or millions, of lines of text-only code. But with the forthcoming Xcode 11, you really can drag-and-drop large chunks of graphical elements, and large chunks of code, into your application code. And Apple has vastly reduced the code barriers between macOS and iOS apps with new technology that lets you very quickly, and fairly painlessly, transform an iOS app into a Macintosh application in just a few days.

Xcode 11 will offer drag-and-drop programming, and you can code for a Watch, Apple TV, Mac, iPad or iPhone by just selecting an option at the start of the project -- and little more.
Code on the left, with a live preview of the result on the right, compliments of the new Xcode 11.

Safari 12.1.1 security update

Apple released a security update for Safari, Safari 12.1.1, on May 13, 2019. This security update applies to macOS Sierra, macOS High Sierra, and macOS Mojave, and is included with the security updates for these operating systems released on May 13, 2019. You can subscribe to Apple security announcements at https://lists.apple.com/mailman/listinfo/security-announce/


APPLE-SA-2019-5-13-5 Safari 12.1.1

Safari 12.1.1 is now available and addresses the following:

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day
Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571: 01 working with Trend Micro’s Zero Day Initiative
CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_)
of Tencent Keen Lab, and dwfault working at ADLab of Venustech
CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8586: an anonymous researcher
CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security &
Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
CVE-2019-8601: Fluoroacetate working with Trend Micro’s Zero Day
Initiative
CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
CVE-2019-8611: Samuel Groß of Google Project Zero
CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro’s
Zero Day Initiative
CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab
CVE-2019-8622: Samuel Groß of Google Project Zero
CVE-2019-8623: Samuel Groß of Google Project Zero
CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab

Additional recognition

Safari
We would like to acknowledge Michael Ball of Gradescope by Turnitin
for their assistance.

Installation note:

Safari 12.1.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

macOS Mojave 10.14.5 security update

Apple released a security update on May 13 that updated Mojave from macOS 10.14.4 to 10.14.5, updated High Sierra (macOS 10.13) with Security Update 2019-003, and updated Sierra (macOS 10.12) with Security Update 2019-003. You can subscribe to Apple security announcements at https://lists.apple.com/mailman/listinfo/security-announce/


APPLE-SA-2019-5-13-2 macOS Mojave 10.14.5, Security Update
2019-003 High Sierra, Security Update 2019-003 Sierra

macOS Mojave 10.14.5, Security Update 2019-003 High Sierra,
Security Update 2019-003 Sierra are now available and
addresses the following:

Accessibility Framework
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8603: Phoenhex and qwerty (@_niklasb, @qwertyoruiopz,
@bkth_) working with Trend Micro’s Zero Day Initiative

AMD
Available for: macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8635: Lilang Wu and Moony Li of TrendMicro Mobile Security
Research Team working with Trend Micro’s Zero Day Initiative

Application Firewall
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue was addressed with improved restrictions.
CVE-2019-8590: The UK’s National Cyber Security Centre (NCSC)

CoreAudio
Available for: macOS Sierra 10.12.6
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
error handling.
CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro’s Zero
Day Initiative

CoreAudio
Available for: macOS Mojave 10.14.4
Impact: Processing a maliciously crafted movie file may lead to
arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8585: riusksk of VulWar Corp working with Trend Micro’s Zero
Day Initiative

DesktopServices
Available for: macOS Mojave 10.14.4
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved checks.
CVE-2019-8589: Andreas Clementi, Stefan Haselwanter, and Peter
Stelzhammer of AV-Comparatives

Disk Images
Available for: macOS Sierra 10.12.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2019-8560: Nikita Pupyshev of Bauman Moscow State Technological
University

Disk Images
Available for: macOS Mojave 10.14.4
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8560: Nikita Pupyshev of Bauman Moscow State Technological
University

EFI
Available for: macOS Mojave 10.14.4
Impact: A user may be unexpectedly logged in to another user’s
account
Description: An authentication issue was addressed with improved
state management.
CVE-2019-8634: Jenny Sprenger and Maik Hoepfel

Intel Graphics Driver
Available for: macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8616: Lilang Wu and Moony Li of Trend Micro Mobile Security
Research Team working with Trend Micro’s Zero Day Initiative

Intel Graphics Driver
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8629: Arash Tohidi of Solita Oy

IOAcceleratorFamily
Available for: macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2018-4456: Tyler Bohan of Cisco Talos

IOKit
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: A local user may be able to load unsigned kernel extensions
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2019-8606: Phoenhex and qwerty (@_niklasb, @qwertyoruiopz,
@bkth_) working with Trend Micro’s Zero Day Initiative

Kernel
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-8605: Ned Williamson working with Google Project Zero

Kernel
Available for: macOS Mojave 10.14.4
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8576: Brandon Azad of Google Project Zero, Junho Jang and
Hanul Choi of LINE Security Team

Kernel
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to cause unexpected system
termination or write kernel memory
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-8591: Ned Williamson working with Google Project Zero

Security
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8604: Fluoroacetate working with Trend Micro’s Zero Day
Initiative

SQLite
Available for: macOS Mojave 10.14.4
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: macOS Mojave 10.14.4
Impact: A maliciously crafted SQL query may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8600: Omer Gull of Checkpoint Research

SQLite
Available for: macOS Mojave 10.14.4
Impact: A malicious application may be able to read restricted memory
Description: An input validation issue was addressed with improved
input validation.
CVE-2019-8598: Omer Gull of Checkpoint Research

SQLite
Available for: macOS Mojave 10.14.4
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2019-8602: Omer Gull of Checkpoint Research

StreamingZip
Available for: macOS Mojave 10.14.4
Impact: A local user may be able to modify protected parts of the
file system
Description: A validation issue existed in the handling of symlinks.
This issue was addressed with improved validation of symlinks.
CVE-2019-8568: Dany Lisiansky (@DanyL931)

sysdiagnose
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8574: Dayton Pidhirney (@_watbulb) of Seekintoo (@seekintoo)

Touch Bar Support
Available for: macOS Sierra 10.12.6
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8569: Viktor Oreshkin (@stek29)

WebKit
Available for: macOS Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6237: G. Geshev working with Trend Micro Zero Day
Initiative, Liu Long of Qihoo 360 Vulcan Team
CVE-2019-8571: 01 working with Trend Micro’s Zero Day Initiative
CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_)
of Tencent Keen Lab, and dwfault working at ADLab of Venustech
CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8586: an anonymous researcher
CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security &
Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab
CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero
Day Initiative
CVE-2019-8596: Wen Xu of SSLab at Georgia Tech
CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative
CVE-2019-8601: Fluoroacetate working with Trend Micro’s Zero Day
Initiative
CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8609: Wen Xu of SSLab, Georgia Tech
CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative
CVE-2019-8611: Samuel Groß of Google Project Zero
CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro’s
Zero Day Initiative
CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab
CVE-2019-8622: Samuel Groß of Google Project Zero
CVE-2019-8623: Samuel Groß of Google Project Zero
CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and
Hanqing Zhao of Chaitin Security Research Lab

WebKit
Available for: macOS Mojave 10.14.4
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team

Additional recognition

CoreFoundation
We would like to acknowledge Vozzie and Rami and m4bln, Xiangqian
Zhang, Huiming Liu of Tencent’s Xuanwu Lab for their assistance.

Kernel
We would like to acknowledge an anonymous researcher for their
assistance.

PackageKit
We would like to acknowledge Csaba Fitzl (@theevilbit) for their
assistance.

Safari
We would like to acknowledge Michael Ball of Gradescope by Turnitin
for their assistance.

System Preferences
We would like to acknowledge an anonymous researcher for their
assistance.

Installation note:

macOS Mojave 10.14.5, Security Update 2019-003 High Sierra,
Security Update 2019-003 Sierra may be obtained from the
Mac App Store or Apple’s Software Downloads web site:
https://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
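
To see which of the fixes listed above apply to a particular macOS release, the advisory's plain-text layout can be parsed and sorted by impact; this is an added example, not Apple's or the user group's code. The excerpt is copied from the advisory text above, and the function names, impact categories and their ordering are assumptions made for the example.

```python
import re

# Field labels that start a new line inside an advisory entry.
FIELD = re.compile(r"^(Available for|Impact|Description|CVE-\d{4}-\d+):\s*(.*)$")
# Assumed triage ordering for this example: lower number is reviewed first.
RANK = {"privileged code execution": 0, "code execution": 1,
        "security control bypass": 2, "memory disclosure": 3, "other": 4}

# Excerpt copied from the APPLE-SA-2019-5-13-2 text quoted above.
EXCERPT = """\
Application Firewall
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A logic issue was addressed with improved restrictions.
CVE-2019-8590: The UK’s National Cyber Security Centre (NCSC)

CoreAudio
Available for: macOS Sierra 10.12.6
Impact: Processing a maliciously crafted audio file may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
error handling.
CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro’s Zero
Day Initiative

DesktopServices
Available for: macOS Mojave 10.14.4
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved checks.
CVE-2019-8589: Andreas Clementi, Stefan Haselwanter, and Peter
Stelzhammer of AV-Comparatives

Disk Images
Available for: macOS Mojave 10.14.4
Impact: A malicious application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8560: Nikita Pupyshev of Bauman Moscow State Technological
University

Additional recognition

Kernel
We would like to acknowledge an anonymous researcher for their
assistance.
"""


def parse_advisory(text):
    """Return one dict per entry: component, platforms, impact, cves."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or not lines[1].startswith("Available for:"):
            continue  # title, "Additional recognition" or installation note
        fields, key = {}, None
        for line in lines[1:]:
            match = FIELD.match(line)
            if match:
                key = match.group(1)
                fields[key] = match.group(2)
            elif key:
                fields[key] += " " + line  # wrapped continuation line
        # The Safari advisory writes "..., and included in macOS Mojave 10.14.5".
        platforms = [re.sub(r"^(?:and\s+)?(?:included in\s+)?", "", p.strip())
                     for p in fields["Available for"].split(",")]
        entries.append({
            "component": lines[0],
            "platforms": platforms,
            "impact": fields.get("Impact", ""),
            "cves": [k for k in fields if k.startswith("CVE-")],
        })
    return entries


def impact_class(impact):
    """Map Apple's free-text Impact line onto the example's categories."""
    text = impact.lower()
    if "arbitrary code" in text:
        if "kernel privileges" in text or "system privileges" in text:
            return "privileged code execution"
        return "code execution"
    if "gatekeeper" in text or "unsigned kernel extensions" in text:
        return "security control bypass"
    if ("read" in text and "memory" in text) or "disclosure" in text:
        return "memory disclosure"
    return "other"


def triage(text, platform):
    """Entries that list `platform` under 'Available for', worst first."""
    hits = [(e["component"], impact_class(e["impact"]), e["cves"])
            for e in parse_advisory(text) if platform in e["platforms"]]
    return sorted(hits, key=lambda hit: RANK[hit[1]])


if __name__ == "__main__":
    for release in ("macOS Sierra 10.12.6", "macOS Mojave 10.14.4"):
        print(release)
        for component, kind, cves in triage(EXCERPT, release):
            print(f"  {kind:26} {component:22} {', '.join(cves)}")
```
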

April 2019: Web browsers

Strait Macintosh User’s Group (SMUG)
April 2, 2019

Meeting: 7:00 p.m. to 8:00 p.m. at St. Luke’s Episcopal Church, Sequim

Meeting called to order by President Sabrina Davis and Vice President Lawrence Charters.

Two outstanding board positions, Treasurer and Secretary, remained to be filled. By unanimous vote, Analiss Schutzman was elected Treasurer and Kathleen Charters elected Secretary.

There was a discussion of the need for better communications. The SMUG forum had a note that the meeting was canceled and the organization dissolved, but at the last meeting in December, no such motions were entertained, and the February meeting was canceled due to snow. Most attendees found out about the meeting either through direct contact with the President or Vice President, or through an announcement posted on Next Door (https://nextdoor.com/).

At present, there are no plans to charge for membership in 2019. The domain name and Internet hosting fees for the website are paid through 2019, with the only remaining expense being room rental for meetings. The membership voted to pay the room rental on a yearly basis, and to reimburse Sabrina for paying out of pocket for the April meeting rental.

It was also agreed that meetings would continue every other month in Sequim. If attendance and conditions warrant, more frequent meetings may be adopted.

Meeting topic: Web browsers

Lawrence Charters did a live, interactive presentation on the World Wide Web in general, with a particular emphasis on web security and privacy. The web began in 1990, with an experiment at the European Organization for Nuclear Research (CERN, from the French Conseil européen pour la recherche nucléaire). Tim Berners-Lee developed a prototype web server on a NeXT computer, and it started serving out pages over the Internet in 1991. It rapidly eclipsed or replaced Gopher, FTP, newsgroups, and other Internet sources of information, and is now the most widely used communications medium in history.

At its foundation, the web is based on text. As an example, this curl command (curl is built in to macOS) will fetch the opening page from the National Ocean Service website:

[Image: Capturing the first page of the National Ocean Service website using curl and macOS Terminal.]

These elements of code are assembled by your web browser (Safari, Chrome, Firefox, etc.) into something (usually) much more useful: shopping sites, encyclopedias, dating sites, travel maps, etc.

Incidentally, email messages — even ones with graphics and sound and video — are also based on text. The text is assembled by your email client into discrete messages that look more like paper-based letters.

Because of abusive practices on the web, Google and Apple have been pushing hard for increased security and privacy. Safari on your Mac shows a lock icon when visiting an encrypted site; Google Chrome shows a lock in the location bar and, when visiting an insecure site, displays “Not Secure” right next to the URL.

It doesn’t matter if a site “sells” something; Apple and Google, and more recently Microsoft, want you to visit only encrypted sites. An unencrypted site can be easily compromised to, among other things, pass malware to your computer, or be used to “impersonate” a site.

With an encrypted site, anything you send between your device and the website is encrypted; it can’t be intercepted and read, or intercepted and modified. Google Chrome and Apple Safari also check the encryption certificates of a site to ensure that a) the certificate is valid and b) it is for the site it claims to represent.

Apple and Google also maintain a blacklist of sites that are known to be harmful. Apple does this through Gatekeeper, which is a combination of technologies that, among other things, periodically downloads a list of domains that your Mac will refuse to visit. Google does this dynamically; every Chrome URL request checks with Google’s list of blacklisted sites.

Because of the security risks, Google also “downrates” sites that are not encrypted, pushing them down their rating results to discourage visits. Similarly, Apple does not allow iOS apps to make unencrypted web connections. These and other measures have resulted in a very rapid change to make encrypted websites (https and not http) the default on the web. There are still hundreds of millions of unencrypted sites; avoid them.

The easiest way to protect your Mac or iOS device: stay current with system and security updates.

In response to a question, Lawrence explained one major security difference between iOS devices and Android devices. Apple directly updates iOS (iPhone, iPad, iPod) devices. In the Android world, with one major exception, you need to go through your phone company. What this means: if you are on T-Mobile, or AT&T, or Verizon, or whatever, you can update your iPhone by just asking your device to do a software update, or responding to a prompt sent by Apple. But with almost all Android devices, the updates come directly from Verizon, T-Mobile, AT&T, etc., and while the device might theoretically qualify for a security update, the phone companies generally will not provide updates; they expect you to buy a new phone if you want an update. The exception: Google updates their Pixel devices directly.

Lawrence strongly recommended that everyone use long (15 characters or more), unique passwords for everything on the Internet. No password, for anything, should be reused somewhere else. To keep track of the passwords, use Apple’s Keychain (free, and shared between iOS and Mac) or 1Password (paid, but much easier to understand and organize).

Don’t worry about “complex” passwords (use one upper case, one lower case, one symbol, one number). The important thing is to make them unique, and long; the longer the better. Spaces, by the way, count as characters.

Good: Kim Jong-un is a nutcase

Too short, and much harder to type correctly: K1mJ0Ng-nUTs

Passwords that are hard to type are easy to compromise because people tend to reuse them, or leave notes reminding themselves how to type them.
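The length-and-uniqueness advice above can be checked mechanically. The following Python sketch is an added example, not part of the original presentation; the function names and the sample vault are constructed for illustration, and the bit counts are a brute-force upper bound (real passphrases built from common words are weaker against dictionary guessing).

```python
import math
from collections import defaultdict

MIN_LENGTH = 15  # the talk's recommendation: 15 characters or more

GOOD = "Kim Jong-un is a nutcase"   # the "good" example from the notes
BAD = "K1mJ0Ng-nUTs"                # the "too short" example from the notes

def charset_size(password):
    """Size of the alphabet implied by the character classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols, space included
    return size

def brute_force_bits(password):
    """Upper bound on exhaustive-search work: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def audit(vault):
    """Map each site to its problems: 'short' (< MIN_LENGTH) and/or 'reused'."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    findings = {}
    for site, pw in vault.items():
        problems = []
        if len(pw) < MIN_LENGTH:
            problems.append("short")
        if len(sites_by_password[pw]) > 1:
            problems.append("reused")
        if problems:
            findings[site] = problems
    return findings

# Constructed sample vault (site names are hypothetical).
SAMPLE_VAULT = {"bank": GOOD, "email": BAD, "forum": BAD}

if __name__ == "__main__":
    for pw in (GOOD, BAD):
        print(f"{len(pw):2d} chars, ~{brute_force_bits(pw):.0f} bits: {pw!r}")
    print(audit(SAMPLE_VAULT))
```

The 24-character phrase uses fewer character classes than the 12-character "complex" password, yet its search space is roughly twice as many bits, and only the short password is flagged for reuse.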

There were many more questions and topics than time available, so at the June meeting we will continue with:

Web security and privacy

While there are no privacy laws in the US, the European Union has imposed fairly demanding privacy laws, and as US companies want to do business with the EU, privacy is rapidly improving on major US websites. But individuals ultimately have the most control over their own privacy and security. We’ll talk about that in June.