
Posts Tagged #macOS

macOS is Apple’s proprietary operating system that powers Mac desktops and laptops.

Posted on by Arnon Erba in News

This morning, Apple released iOS 12.1.4, an incremental update that fixes several security issues including the Group FaceTime eavesdropping bug from last month. The Group FaceTime service has also been re-enabled for devices running iOS 12.1.4 or higher.

The eavesdropping bug, discovered accidentally in January by a 14-year-old from Arizona, caused certain Group FaceTime calls to automatically connect even if the recipient did not answer the call. This flaw allowed macOS or iOS users to be eavesdropped on by any malicious FaceTime user. The bug was disclosed privately to Apple by the teen and his mother at least a week before it went public, but it appears that Apple did not clearly or immediately respond to the bug reports they filed.

Shortly after the bug went viral on January 28th, Apple took the Group FaceTime service offline as a temporary fix before a patch could be released. On February 1st, with Group FaceTime still offline, Apple announced that the bug had been fixed server-side and that a client-side software update to fully resolve the issue would be available the week of February 4th.


Posted on by Arnon Erba in News

Messages in iCloud, Apple’s hotly anticipated cloud-syncing feature for the Messages app, has arrived on macOS a few days after debuting on iPhone and iPad in iOS 11.4. Messages in iCloud is an aptly named new iCloud feature that allows iMessages and regular SMS messages to live in iCloud rather than be stored locally per-device.

On iPhone, Messages in iCloud is available in iCloud Settings as another small toggle switch and requires two-factor authentication to be active before it can be enabled. Enabling Messages in iCloud can free up space on your device, streamline the process of deleting messages across all your Apple devices, and make it easy to sync your text message history to a new iPhone, iPad, or Mac. However, you may need to upgrade your iCloud storage plan if you like to keep a large amount of old messages and attachments, since iCloud’s 5 GB free tier may not be sufficient for heavy users.

The macOS High Sierra 10.13.5 update brings these new features to the Mac as well as the usual round of security updates. However, rather than being located in the iCloud section of System Preferences, the setting for Messages in iCloud on Mac is located in the Messages app settings pane. Refer to Apple’s official support page for instructions on enabling Messages in iCloud for both Mac and iPhone.

Posted on by Arnon Erba in News

Update 11/29/17: Apple has released an urgent security update patching this vulnerability. Please patch immediately through the App Store if you have a Mac with 10.13.1 High Sierra. See this Apple support article for more information about the patch.

A recently disclosed vulnerability, revealed a few hours ago on Twitter, allows anyone with unprivileged login access to gain root privileges on a Mac running macOS 10.13 High Sierra. The bug does not appear to affect versions of macOS released before High Sierra (e.g. 10.12 Sierra, 10.11 El Capitan, etc.).

Exploitation

Exploitation of the bug is dangerously simple. Normally, protected system settings in macOS can only be “unlocked” by clicking on the padlock icon and entering an administrator password, as shown below:

However, if you enter “root” as the username and leave the password field blank, the current build of macOS High Sierra will eventually unlock the System Preferences window after a few failed login attempts. In testing, it required two to three failed authentication attempts as root to trigger the bug.

Scarily enough, once the exploit has been performed, the root account can be used at the login screen as a normal macOS account. Simply clicking “Other User” and entering “root” as the username with no password grants a full macOS session with root privileges that is capable of modifying system settings, removing and installing software, and viewing all files with no restrictions. It also appears that the exploit can be used remotely if remote access is enabled, removing the need for an attacker to be physically present at the affected Mac.

Behind the Scenes

As mentioned on Twitter, it appears that the exploit enables the built-in root user account but does not set a password for it. This enables anyone on the system to use this newly activated account to gain root privileges.

Mitigation

Update (11/29/17)

Apple has released an urgent security update patching this vulnerability. Please patch immediately through the App Store if you have a Mac with 10.13.1 High Sierra. The patch will appear as “Security Update 2017-001”.

Original Response (11/28/17)

Until Apple releases a fix for the bug, the only current solution is to enable the root user yourself and set a password for it. This prevents exploitation of the bug since the root user will not be re-enabled once it has already been set up.

To enable the root user and change the password, go to System Preferences > Users & Groups > Login Options and click “Join” next to “Network Account Server”. In the popup that opens, click “Open Directory Utility” and click “Edit” in the menu bar at the top. From the dropdown menu, select “Enable Root User” and then “Change Root Password”. Directory Utility can also be opened directly from Spotlight.

Important: Simply disabling the root user does not fix the bug, since it can be exploited again to re-enable the account with a blank password. Changing the root password is the only mitigation at this point. Ed: see above for the official patch.
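One way to audit a Mac for the state described under “Behind the Scenes” (an added example, not part of the original post): the function below classifies the root record returned by `dscl` as enabled or disabled. The record layout it keys on (`Password: *` and no `ShadowHash` entry for a disabled root) is an assumption, and the sample records are constructed.

```shell
#!/bin/sh
# Added audit example (not from the original post).
# Assumption: a disabled root record shows "Password: *" and carries no
# ShadowHash entry in AuthenticationAuthority; an enabled one does.

# Classify `dscl . -read /Users/root Password AuthenticationAuthority`
# output supplied on stdin: prints enabled, disabled or unknown.
root_account_state() {
    record=$(cat)
    passwd_field=$(printf '%s\n' "$record" |
        sed -n 's/^Password:[[:space:]]*//p' | head -n 1)
    if printf '%s\n' "$record" | grep -q 'ShadowHash'; then
        echo "enabled"
    elif [ "$passwd_field" = "*" ]; then
        echo "disabled"
    else
        echo "unknown"
    fi
}

# Constructed sample records (not captured from a real machine).
SAMPLE_DISABLED='Password: *
No such key: AuthenticationAuthority'
SAMPLE_ENABLED='Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

echo "sample (disabled): $(printf '%s\n' "$SAMPLE_DISABLED" | root_account_state)"
echo "sample (enabled):  $(printf '%s\n' "$SAMPLE_ENABLED" | root_account_state)"

# On a Mac, query the live record as well.
if command -v dscl >/dev/null 2>&1; then
    live=$(dscl . -read /Users/root Password AuthenticationAuthority 2>&1 |
        root_account_state)
    echo "this Mac: root account is $live"
fi
```

An `enabled` result is expected on a Mac where the workaround above was applied. On a Mac where nobody enabled root deliberately, it is a reason to set a root password and install the patch.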


Posted on by Arnon Erba in Op-Ed

Today I accidentally fell victim to something I knew about but was not watching for, thanks to CNET: adware. Knowing that CNET tends to unethically package junkware with their software downloads, I try my best to avoid them, but I was looking for a discontinued Dashboard widget for a Mac (iStat Pro, to be precise) and the only download I could find was through, of course, CNET. Well, I thought, I’ll take the plunge. I know about adware and can probably avoid any unwanted installations, right?

Unfortunately not. I got distracted at just the wrong time and clicked “Install” when I shouldn’t have. The result: my search engines in Chrome and Safari changed to Yahoo! and a plethora of Spigot adware and toolbars installed on a MacBook that I had just performed a clean install of Mavericks on. Worse yet, I had just signed in to Chrome and so my newly installed and unwanted extensions were now synced with the rest of my computers.

This is truly unacceptable behavior from a site that hosts downloads and even professes to be a reliable source of software. My recommendation is never to use CNET’s downloads again and to avoid any Spigot software. The photo below is the screen that I missed and which contained the options not to install a bunch of junk on my Mac.


Posted on by Arnon Erba in General

(Editor’s note: I brought back this post, one of my originals, for posterity.)

Yes! Now we can search from the address bar! Oh, wait, they ruined the tab layout.

Let’s start with the new, improved address bar. I don’t know if you have ever used Safari 5.1.7, but in that browser the address bar did not double as a search bar. The last browser that I noticed this lack-of-a-feature in was Internet Explorer 7. Happily, this has been corrected in Safari 6.0.2.

One feature that’s been added to Safari 6.0.2 is a new tab bar. I guess that there must be some people who like these new, amorphous, size-changing tabs (the feature got added to the latest version of Safari, after all) but for me it’s a disaster. Besides the size-changing, the tabs are below the address bar so locating them quickly with the mouse is difficult.

In Safari 5.1.7, the tabs (if you could find the option to show them) were all the same size until they exceeded the space available in the tab bar, like a normal browser. However, they were located below the address bar. For me, this is pretty much a deal-breaker: I usually have between 2-10 tabs open at a time, and with Google Chrome (yes, I am a Chrome user) all I have to do is shoot my cursor up to the top of the screen and move it horizontally to locate a tab. This works on maximized Windows browsers and full screen Mac browsers. Not to single out Chrome; both Firefox and Opera are also like this.

With Safari 5.1.7, I had to orient my cursor on both the horizontal and vertical axis to locate a tab. When I’m trying to work quickly, this is a noticeable difficulty as the tabs are also the same color as the tab bar and don’t stand out well. Safari’s tabs also don’t show the site’s favicon, which makes identifying tabs at a glance difficult.

This tab bar is different, but not better, in Safari 6.0.2. Now, the tabs change sizes to fill up the entire tab bar at any given time. That means that the first tab you open takes up the entire bar, then the second one splits it 50/50, then the third one divides the space by three, and so on. This means that when dealing with many tabs at one time, the tabs confusingly change size and position. Isn’t this why Internet Explorer 8’s tab setup was bad? (On that browser, the first tab was big until you opened another tab, then all the tabs would jump to a smaller, albeit uniform, size.)

Another problem with 6.0.2 that was also around in 5.1.7 – and all previous versions as far as I know – is that it’s difficult to clear browser data. In Chrome, Firefox, and even Opera and Internet Explorer the Clear Browser Data options open up in one view with options to clear download history, empty the cache, delete cookies and other site and plug-in data, and clear saved passwords at the minimum. In Safari, there are different menus for clearing browsing history, cache, and download history, and I’m not sure how to clear saved passwords except through CCleaner, a third-party utility. Also, when I chose to clear history and top sites, the top sites page just reset itself to a bunch of websites I have never or hardly ever visited.

Also, with the release of Safari 6.0.2, it looks like Safari for Windows is over. (Ed: …and the five active users were heartbroken.)

In conclusion: the above article turned out as a pretty scathing review. I’m not trying to say that Safari is a terrible browser, and it has lots of neat and innovative features (such as the 2 finger swipe to move back and forward between pages that literally throws the page to the right or left – I love that feature) and excellent HTML5 support. Unfortunately, the toolbar interface and layout of menus makes it not the right browser for me.