Most active commenters
  • wannacboatmovie(6)
  • (5)
  • acdha(4)
  • chris_wot(3)
  • wtallis(3)
  • danieldk(3)
  • TekMol(3)
  • vetinari(3)

Apple Confirms Zero-Day Attacks Hitting macOS Systems

(www.securityweek.com)
261 points fortran77 | 99 comments | 20 Nov 24 00:26 UTC | HN request time: 4.646s | source | bottom
1. acdha ◴[20 Nov 24 00:43 UTC] No.42189685[source]
Interesting that they’re mentioned as only being exploited on Intel. Has anyone seen whether that’s because the attacker only targeted that platform or is it actually stopped by something like pointer protection?
replies(3): >>42189761 #>>42189809 #>>42189932 #
2. dataflow ◴[20 Nov 24 00:56 UTC] No.42189761[source]
It might just be that the only machines they have information about are Intel? It doesn't say how many data points they have, but if it's only a handful then it's not at all surprising.
replies(1): >>42190376 #
3. justinclift ◴[20 Nov 24 01:02 UTC] No.42189809[source]
Doesn't seem to completely line up that they're rushing out iOS updates (ie for phones, etc) for something they're saying they've only confirmed on Intel cpus.

Unless they're assuming it's exploitable on Apple Silicon as well, or are being extra careful just in case.

replies(7): >>42189876 #>>42189883 #>>42190175 #>>42190448 #>>42190733 #>>42190776 #>>42190850 #
4. 2muchcoffeeman ◴[20 Nov 24 01:16 UTC] No.42189876{3}[source]
There must be millions of Intel Macs still around. Why wouldn’t they update it?
replies(2): >>42189894 #>>42189940 #
5. oddevan ◴[20 Nov 24 01:17 UTC] No.42189883{3}[source]
> Unless they're... being extra careful just in case.

That's where my money is.

replies(2): >>42190127 #>>42190431 #
6. shepherdjerred ◴[20 Nov 24 01:18 UTC] No.42189894{4}[source]
The parent comment said that Apple is rushing iOS updates. iOS is the operating system for iPhones which use Apple Silicon rather than Intel processors.
7. ngneer ◴[20 Nov 24 01:25 UTC] No.42189932[source]
I came to ask this very question. Could be an Intel hardware bug, but then we would see an advisory from Intel. So, it must be a different issue. Apple probably did not realize that their advisory implicates Intel components rather than Apple components.
8. wannacboatmovie ◴[20 Nov 24 01:26 UTC] No.42189940{4}[source]
Well for starters, they stopped providing any updates for many perfectly functional Intel Macs years ago for no other reason than planned obsolescence. A side effect of the "they make both the hardware and software that's why it's better" paradigm.

Things like OpenCore Legacy Patcher prove it's possible; they just don't want to.

I don't think anyone feels entitled to new features in perpetuity. Security updates only would be fine thank you.

Don't tell me the richest company in the world can't pay for a couple of developers who just want to rest and vest to take care of and test the legacy platforms. A cushy job and you keep the customers happy.

Ironically the best way to stay safe on these computers is to install Windows or Linux.

replies(2): >>42190072 #>>42190100 #
9. timeon ◴[20 Nov 24 01:34 UTC] No.42189990[source]
Does this affect Firefox/Chrome on macOS?
replies(2): >>42190242 #>>42190432 #
10. StressedDev ◴[20 Nov 24 01:46 UTC] No.42190072{5}[source]
Software needs longer support life cycles in general. I find it frustrating that organizations do not support operating systems, hardware, and applications for at least 10 years. Note Apple is one of the better organizations on this. Consumer router companies are notorious for shipping unpatched software. Here is what I would like to see:

1. All hardware and software should come with a highly visible end of support date.

2. All hardware and software should notify people when it is no longer receiving security patches. It should also explain to users why running unpatched software or hardware is dangerous.

replies(2): >>42190425 #>>42191523 #
11. threeseed ◴[20 Nov 24 01:51 UTC] No.42190100{5}[source]
Sequoia is supported on most Intel Macs going back to 2018.

And it's far more than just a "couple of developers" to support older operating systems.

replies(4): >>42190136 #>>42190288 #>>42190415 #>>42190652 #
12. ajross ◴[20 Nov 24 01:54 UTC] No.42190127{4}[source]
Or they just don't know. Full analysis of an exploit usually takes days to weeks. It's possible it's only exploitable on x86, but equally possible that only the x86 version of the payload was discovered in the wild.
replies(1): >>42190542 #
13. chris_wot ◴[20 Nov 24 01:55 UTC] No.42190136{6}[source]
Not on Macbook Airs that are only 3-5 years old though. We have a number that we plan on replacing after EOY, but we are still using for now. Can't get Sequoia.
replies(3): >>42190167 #>>42190514 #>>42200877 #
14. password4321 ◴[20 Nov 24 01:59 UTC] No.42190167{7}[source]
Not really suitable for a corporate environment but in case you weren't aware:

https://github.com/dortania/OpenCore-Legacy-Patcher

macOS Big Sur and newer on machines as old as 2007

macOS Big Sur, Monterey, Ventura, Sonoma and Sequoia

replies(1): >>42190310 #
15. alphabetting ◴[20 Nov 24 02:02 UTC] No.42190173[source]
>The vulnerabilities, credited to Google’s TAG (Threat Analysis Group)

Do they find these by monitoring the brokers of zero days or analyzing devices of people who are being targeted?

replies(4): >>42190208 #>>42190296 #>>42190299 #>>42192485 #
16. tedunangst ◴[20 Nov 24 02:02 UTC] No.42190175{3}[source]
It's not unheard of for exploits to target two or more bugs.
17. wutwutwat ◴[20 Nov 24 02:09 UTC] No.42190208[source]
little of column a, little of column b

they also have insane peering and backbone network infra, run one of the largest cloud providers, host basically everyone's email, documents, and file storage, chat, app store, and have a native browser installed

I'm sure they have many different signals they can look at to see compromised type behavior differing from the profile they have on you

18. ◴[20 Nov 24 02:15 UTC] No.42190242[source]
19. fouc ◴[20 Nov 24 02:25 UTC] No.42190288{6}[source]
my favorite Intel MacBook is from 2015
20. myHNAccount123 ◴[20 Nov 24 02:26 UTC] No.42190296[source]
I suspect firebase crashlytics is the source of many
21. ledoge ◴[20 Nov 24 02:26 UTC] No.42190299[source]
There's actually a very recent talk about this! https://www.youtube.com/watch?v=2zrcemxCg4Y
replies(1): >>42193241 #
22. chris_wot ◴[20 Nov 24 02:29 UTC] No.42190310{8}[source]
Nice. Yeah, never going to fly here :( pity
23. grupthink ◴[20 Nov 24 02:39 UTC] No.42190361[source]
I have a perfectly functional iPad 5 that no longer receives software updates. It'd be cool if Apple would at least give it security updates, or allow alternative browser engines that don't have this vulnerability. If my iPad gets pwned, my day is going to suck.
replies(3): >>42190441 #>>42190450 #>>42193284 #
24. acdha ◴[20 Nov 24 02:42 UTC] No.42190376{3}[source]
That’s what I was wondering: if this is like some of those Citizen Lab reports it might simply be that they have a small number of targeted individuals who noticed something and reported it.
25. wannacboatmovie ◴[20 Nov 24 02:49 UTC] No.42190415{6}[source]
You act as if we should be thankful for 6 years of support when the hardware and sane support cycles easily exceed 10 years. And those aren't 6 years of security updates; they are 6 years of forced yearly feature upgrades and breaking things along the way.
replies(1): >>42190490 #
26. wannacboatmovie ◴[20 Nov 24 02:51 UTC] No.42190425{6}[source]
To my knowledge Apple has never published EOL or support dates in the future. Someone correct me if something has changed in the last few years.
replies(1): >>42190513 #
27. ruthmarx ◴[20 Nov 24 02:52 UTC] No.42190431{4}[source]
Why? Putting a lot of stock in Apple's various protections?
28. bigiain ◴[20 Nov 24 02:52 UTC] No.42190432[source]
I'd guess yes, since they're both (due to Apple rules) basically wrappers around webkit and JavaScriptCore. (Modulo the possible hint that this is just an Intel-based Mac systems problem)
replies(3): >>42190442 #>>42190451 #>>42190460 #
29. Jtsummers ◴[20 Nov 24 02:54 UTC] No.42190442{3}[source]
> I'd guess yes, since they're both (due to Apple rules) basically wrappers around webkit and JavaScriptCore.

That is not true for macOS which is what GP asked about.

30. bigiain ◴[20 Nov 24 02:56 UTC] No.42190448{3}[source]
> Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

Is kinda weasel-wordy, if you read it with sufficient cynicism.

Its doesn't rule out them also being aware of reports (or actual instances) of it being exploited on iOS or Apple silicon Macs.

It _might_ actually mean "Apple could not deny in a lawsuit that it's been sent a report of this being exploited on Intel Macs."

replies(3): >>42190680 #>>42190962 #>>42191576 #
31. Jtsummers ◴[20 Nov 24 02:57 UTC] No.42190450[source]
iPadOS 16 was at least updated 3 months ago (August) so there's a chance you could still get a security update if it's applicable to that version. iPadOS 15 was updated in July.

https://en.wikipedia.org/wiki/IPadOS_version_history

32. mdavidn ◴[20 Nov 24 02:57 UTC] No.42190451{3}[source]
While that is true on iOS, macOS has no such restriction on Firefox or Chrome.
33. pram ◴[20 Nov 24 02:58 UTC] No.42190460{3}[source]
macOS != iOS, Firefox uses Gecko.
34. fn-mote ◴[20 Nov 24 03:06 UTC] No.42190490{7}[source]
What software are you talking about?

Who is forcing you to upgrade?

For that matter, what hardware?

I run an old Intel Mac and it’s perfectly reasonable for casual work. I’m not paying for stuff like Adobe leases though.

replies(1): >>42192751 #
35. wtallis ◴[20 Nov 24 03:11 UTC] No.42190513{7}[source]
https://support.apple.com/en-us/102772 outlines "vintage" and "obsolete" status for hardware products, with a few exceptions. I'm not aware of a similarly straightforward criteria or comprehensive list for software support periods.
replies(3): >>42190577 #>>42190671 #>>42191439 #
36. phony-account ◴[20 Nov 24 03:11 UTC] No.42190514{7}[source]
> Macbook Airs that are only 3-5 years old

MacBook Airs from 2020 support Sequoia - so just the very upper limit of your range is relevant.

replies(1): >>42191696 #
37. ◴[20 Nov 24 03:14 UTC] No.42190537{3}[source]
38. 486sx33 ◴[20 Nov 24 03:16 UTC] No.42190542{5}[source]
Rosetta2 runs an x86 exploit? Doesn’t explain iOS but still sounds interesting!
replies(1): >>42191707 #
39. wannacboatmovie ◴[20 Nov 24 03:24 UTC] No.42190577{8}[source]
The issue with passing off a list of vintage products as some kind of past tense support schedule is by definition products become vintage when they are added to the list at some arbitrary date.

My expectation is a table of OS versions and EOL dates published in advance. Like nearly every other responsible OS vendor in existence. Apple continuing to get a pass on this in 2024 is abhorrent.

replies(1): >>42190627 #
40. wtallis ◴[20 Nov 24 03:38 UTC] No.42190627{9}[source]
> The issue with passing off a list of vintage products as some kind of past tense support schedule is by definition products become vintage when they are added to the list at some arbitrary date.

If you read some of the text above the product list, you'll see that Apple does publish guidelines about when products can be expected to be added to the list:

> Products are considered vintage when Apple stopped distributing them for sale more than 5 and less than 7 years ago.

> Products are considered obsolete when Apple stopped distributing them for sale more than 7 years ago. Monster-branded Beats products are considered obsolete regardless of when they were purchased.

> Apple discontinues all hardware service for obsolete products, and service providers cannot order parts for obsolete products. Mac laptops may be eligible for an extended battery-only repair period for up to 10 years from when the product was last distributed for sale, subject to parts availability.

So as you can see, it's not arbitrary or unpredictable when a product is going to show up on the vintage product list. The only unpredictable or obscure part of this process is finding out how long an outdated product was still being sold after its successor launched.

replies(1): >>42190933 #
41. brian_cunnie ◴[20 Nov 24 03:43 UTC] No.42190652{6}[source]
Agreed. It takes more than a few developers to support older operating systems.

At my old job we supported only two versions of our software product, Tanzu Operations Manager versions 2.10.x and 3.0.y), and we cut new patch releases every few weeks (similar to Apple's cadence). Bumping dependencies was a pain. Well, usually it went fine, but sometimes you'd hit a gnarly incompatibility and you'd either pin a Ruby package to a known version or try to modify the code just enough to make it work without making a major change.

If I had to put a number to it, I'd say it cost us 2 developers to keep our older product line consistently patched, and our product was a modest Ruby app, much less complicated than an entire OS.

replies(1): >>42191831 #
42. philistine ◴[20 Nov 24 03:49 UTC] No.42190671{8}[source]
That list relates strictly to hardware repairs. Vintage macs have often been fully supported software-wise.
replies(1): >>42190715 #
43. duxup ◴[20 Nov 24 03:50 UTC] No.42190680{4}[source]
Or they’re just not able to confirm it everywhere but feel the code change is necessary regardless?

I’ve certainly addressed a potential issue with code that I thought might have occurred even when I couldn’t confirm it with 100% certainty.

A detailed analysis / testing and confirmation that provides certainty may take longer than addressing code.

44. stephen_g ◴[20 Nov 24 03:51 UTC] No.42190688{3}[source]
It's probably because the first bit isn't really true (iPads have a longer supported life than many Android tablets, for example I updated my 2018 iPad Pro with the most recent iPadOS 18.1.1 including this security fix earlier today). And given that the silly joke falls flat.

The iPad 5 in question from the OP supports iPadOS 16 and that last got a security update in August of this year. So if it hasn't got an update today then possibly the vulnerability was only introduced in iOS / iPadOS 17.

45. wtallis ◴[20 Nov 24 03:59 UTC] No.42190715{9}[source]
Yes, I'm fully aware that the support article I linked to is specifically about hardware support—that's why I mentioned that there isn't a similar list for software support.
46. saagarjha ◴[20 Nov 24 04:04 UTC] No.42190733{3}[source]
This just means the bug is in WebKit and they shipped the fix to every platform.
47. saagarjha ◴[20 Nov 24 04:07 UTC] No.42190740{3}[source]
I can assure you that the toilet paper is much more comfortable than dollar bills.
48. initplus ◴[20 Nov 24 04:14 UTC] No.42190776{3}[source]
Will be an underlying safety issue in some system library, but they have only seen "in the wild" exploits targeting Intel. "Defence in depth" - better to push the bugfix to all than to scrutinize ARM security features to understand if an exploit is possible there as well.
49. SoftTalker ◴[20 Nov 24 04:35 UTC] No.42190850{3}[source]
Sometimes problems manifest differently on different architectures. It's one of the advantages of building for more than just one: it shakes out bugs. Doesn't mean you don't fix the root issue in all builds.

Apple for the most part has one codebase that they build for their different architectures. They've been doing this since the NeXT days when they supported Motorola, Intel, Sparc, and maybe a couple of other architectures.

50. wannacboatmovie ◴[20 Nov 24 04:56 UTC] No.42190933{10}[source]
Ok, but this is an Apples vs oranges comparison. (Carlos!)

We are talking about software support here.

The vintage products list is specifically targeting hardware support; e.g. how long Apple will keep spare parts in stock. After a set number of years they purge stock and you are SOL going to Chinese third party vendors and places like iFixit for batteries etc.

replies(1): >>42192741 #
51. brookst ◴[20 Nov 24 05:03 UTC] No.42190962{4}[source]
If you read it with enough cynicism, it doesn’t rule out Apple having actual knowledge that it was exploited to steal every last bit of information from every Mac, iPhone, iPad, iPod, Apple TV, and Apple II ever produced.
52. brookst ◴[20 Nov 24 05:06 UTC] No.42190979{3}[source]
Meta meta: comments making vague complaints about other comments being downvoted, typically get downvoted.
53. consumerx ◴[20 Nov 24 06:32 UTC] No.42191294[source]
that's why you turn on Lockdown Mode or swap to Linux completely :)
replies(3): >>42191303 #>>42191474 #>>42192584 #
54. leoh ◴[20 Nov 24 06:34 UTC] No.42191303[source]
I have got to believe that there are some nasty zero days for linux
replies(1): >>42191345 #
55. rswail ◴[20 Nov 24 06:35 UTC] No.42191308[source]
Interesting that I had a security update for iOS (18.1.1) and a Safari update for MacOS (still running Sonoma)
replies(1): >>42193697 #
56. proxynoproxy ◴[20 Nov 24 06:45 UTC] No.42191345{3}[source]
The advantage of everyone running the same software and hardware platform is that you can concentrate on hardening that one system. The disadvantage is that vulnerability is universal.

The advantage of everyone running a disparate environment of many of different libraries and binaries is that vulnerability is likely unique. The disadvantage is there are many more opportunities for the researcher to find vulnerability in the mess.

Choose your poison, the only secure system is powered down.

replies(1): >>42192576 #
57. danieldk ◴[20 Nov 24 07:08 UTC] No.42191439{8}[source]
Samsung nowadays tells you ahead of time how long a phone will get major updates and security updates. I think it's the same with Google Pixel. And they have a list of models and their release schedules:

https://security.samsungmobile.com/workScope.smsb

My qualm with them is though that not all devices are updated at the same time (like iOS/iPadOS/macOS). One phone may get an update the 10th of the month, while another only gets it the 30th. As a result, there is often quite a large window where vulnerabilities are known, but not yet patched (it's even worse with the cheap models that only get quarterly updates).

58. TekMol ◴[20 Nov 24 07:13 UTC] No.42191458[source]
The article sounds like it also applies to iOS

    The company urged users across the Apple
    ecosystem to apply the urgent iOS 18.1.1,
    macOS Sequoia 15.1.1 and the older iOS 17.7.2.
And that it is web based

    maliciously crafted web content may lead
    to arbitrary code execution
Has this happened before? That iPhones had a security hole that could be exploited over the web?
replies(5): >>42191532 #>>42191533 #>>42191570 #>>42191597 #>>42192845 #
59. danieldk ◴[20 Nov 24 07:16 UTC] No.42191474[source]
I love Linux, but this is really a cheap shot. Out of the box, desktop security is much better on the Mac. Slim boot ROM in place of UEFI (which can be backdoored), no always-running Intel ME/AMD PSP, fully verified boot chain, sealed system volumes, heavy use of a secure enclave to protect secrets, mandatory sandboxing for App Store apps, malware checks through XProtect, limited access of apps to key folders (Desktop, Documents, iCloud Drive), limited access to privacy-sensitive devices (camera, mic), etc.

Linux will get there, but currently macOS is much more secure as a desktop.

replies(2): >>42192772 #>>42193574 #
60. tgv ◴[20 Nov 24 07:22 UTC] No.42191507[source]
And what's your advice when there's a threat for Linux?
replies(2): >>42191867 #>>42192574 #
61. pjmlp ◴[20 Nov 24 07:24 UTC] No.42191523{6}[source]
Which is why having cybersecurity laws and liability in computing is so relevant.
62. e28eta ◴[20 Nov 24 07:25 UTC] No.42191532[source]
Absolutely. I don’t follow the scene, but early in the iphone’s product life I distinctly remember a web-based jailbreak, where you loaded a page and then you could ‘slide to jailbreak’. I don’t know if user action was strictly required, or if it was a UX thing.
replies(1): >>42192094 #
63. kafrofrite ◴[20 Nov 24 07:25 UTC] No.42191533[source]
> Has this happened before? That iPhones had a security hole that could be exploited over the web? Yes, there were exploits in the past that could be exploited remotely, including some that were used for jailbreaking.
64. hutattedonmyarm ◴[20 Nov 24 07:34 UTC] No.42191570[source]
> Has this happened before? That iPhones had a security hole that could be exploited over the web?

IIRC yes. Back around maybe iOS 4-6ish a web-based jailbreak existed, don't remember exactly when

65. kafrofrite ◴[20 Nov 24 07:36 UTC] No.42191576{4}[source]
Most probably what Apple means is that since their codebase is shared, the vulnerability exists across devices. This does not mean that the vulnerability is actively exploited in iOS nor that it will not be actively exploited as part of some other campaign.
66. iknowstuff ◴[20 Nov 24 07:41 UTC] No.42191597[source]
https://www.jailbreakme.com/
replies(1): >>42191638 #
67. hyder_m29 ◴[20 Nov 24 07:48 UTC] No.42191638{3}[source]
I'm assuming we don't click that link if we're on iPhones?
replies(1): >>42191683 #
68. imp0cat ◴[20 Nov 24 07:56 UTC] No.42191683{4}[source]

    This site is very old by now and does not support recent firmware, but you can still use it.

    JailbreakMe is the easiest way to free your device. Experience iOS as it could be, fully customizable, themeable, and with every tweak you could possibly imagine.

    Safe and completely reversible (just restore in iTunes), jailbreaking gives you control over the device you own. It only takes a minute or two, and as always, it's completely free.

    Please make an iTunes backup before jailbreaking.
69. wannacboatmovie ◴[20 Nov 24 07:59 UTC] No.42191696{8}[source]
Absolutely not. Apple was still selling non-Retina Intel MacBook Airs until 2019. Those are now completely unsupported with no security updates having topped out at Monterrey. 5 years of updates on a new laptop is borderline criminal.
70. ◴[20 Nov 24 08:03 UTC] No.42191707{6}[source]
71. justinclift ◴[20 Nov 24 08:28 UTC] No.42191831{7}[source]
> new patch releases every few weeks (similar to Apple's cadence)

Is Apply really releasing new patched OS updates every few weeks?

72. TekMol ◴[20 Nov 24 09:16 UTC] No.42192094{3}[source]
Shouldn't that lead to a massive amount of iPhones being broken into?

If not, why?

If so, what happened to all those phones?

I never hear stories like "My iPhone was broken into and this happened: ..."

replies(4): >>42192219 #>>42192481 #>>42192531 #>>42192745 #
73. TheDong ◴[20 Nov 24 09:38 UTC] No.42192219{4}[source]
Why would it?

Do you regularly visit "hot-iphone-porn-apps.info" and other untrusted sites? Do you expect sites you do visit, like "google.com" or such, are going to serve up malware?

Do you expect hackers who build these very labor-intensive exploit chains will want to try and hit as many low-value targets as possible, leading to apple patching the exploit quickly, or to try and hit high-value targets only so it's not noticed by apple as quickly and can be used against more high-value targets to make more money in total than doing a "spray and pray" with it?

What thought process do you think would lead to using the exploit against as many people as possible vs selling it to zerodium.com or a similar company for more money than you can get from spraying, and then zerodium reselling it to israel to hack into the iphones of a few key palestinians?

replies(3): >>42192501 #>>42193156 #>>42193646 #
74. phillypham ◴[20 Nov 24 10:20 UTC] No.42192481{4}[source]
It used to be possible to break into iPhones by sending just a text message without the target clicking on anything.

The only thing that kept this under control was there was an agreement to not target US-based numbers and the exploit was expensive.

Reference: The Battle for the World’s Most Powerful Cyberweapon https://www.nytimes.com/2022/01/28/magazine/nso-group-israel... and https://en.wikipedia.org/wiki/Pegasus_(spyware)

replies(1): >>42192761 #
75. xorcist ◴[20 Nov 24 10:21 UTC] No.42192485[source]
Both, but also a lot of original research. They are public about this.
76. TekMol ◴[20 Nov 24 10:23 UTC] No.42192501{5}[source]
You are implying that the web based exploits in the history of iOS were not publicly known but only available to very few.

If that holds true, that would be an importent addition to the discussion.

The comment I replied to was about a public website that could jailbreak an iPhone though.

77. throwaway290 ◴[20 Nov 24 10:27 UTC] No.42192531{4}[source]
How are you sure your phone was not broken into? Do you think some big alert magically appears?
78. ◴[20 Nov 24 10:34 UTC] No.42192574{3}[source]
79. notactuallyben ◴[20 Nov 24 10:34 UTC] No.42192576{4}[source]
Vulnerabilities in the Linux kernel would have a similar impact to a macOS kernel bug. It’s a myth that “more eyes means more secure” for OSS ;-) - it can be true, but often that’s not the reason
80. fsflover ◴[20 Nov 24 10:36 UTC] No.42192584[source]
You probably mean to Qubes OS.
81. tim333 ◴[20 Nov 24 10:37 UTC] No.42192590[source]
gosh, 18 years ago https://youtu.be/sdF5IsyOxU4
82. vetinari ◴[20 Nov 24 11:04 UTC] No.42192741{11}[source]
Not really; vintage macs turning obsolete are being dropped from the macOS support very reliably. I.e. the 2015 mbp was dropped from 2022 macos release like on the clock.
83. pwagland ◴[20 Nov 24 11:05 UTC] No.42192745{4}[source]
Because most people apply the software updates at some point, and this was fixed many years ago. Everything sold in the last years comes with a version of iOS that isn't vulnerable anymore.
84. vetinari ◴[20 Nov 24 11:07 UTC] No.42192751{8}[source]
What exactly is an old Intel mac and what is a casual work?

For example, I have 2015 macbook pro. The last macos release for it is Monterey. Even brew has problems with that, erroring out when installing packages like libpng and complaining, that I should upgrade xcode cli tools. Which I can't.

85. pwagland ◴[20 Nov 24 11:08 UTC] No.42192761{5}[source]
Not quite, from the Wikipedia:

> Pegasus' iOS exploitation was identified in August 2016. Emirati human rights defender Ahmed Mansoor received a text message promising "secrets" about torture happening in prisons in the United Arab Emirates by following a link. Mansoor sent the link to Citizen Lab of the University of Toronto, which investigated, with the collaboration of Lookout, finding that if Mansoor had followed the link it would have jailbroken his phone and implanted the spyware into it, in a form of social engineering.

So the link was sent via text message, but you had to click on it. Receiving the text message did nothing in and of itself.

replies(1): >>42192930 #
86. vetinari ◴[20 Nov 24 11:11 UTC] No.42192772{3}[source]
Half of the stuff you names is security from you, not security for you.
replies(1): >>42194467 #
87. ThePowerOfFuet ◴[20 Nov 24 11:23 UTC] No.42192845[source]
Sounds like those who don't use Safari on macOS are less exposed.
88. phillypham ◴[20 Nov 24 11:38 UTC] No.42192930{6}[source]
Initial versions were one-click. The attack became more sophisticated and became zero-click.

See https://en.wikipedia.org/wiki/Pegasus_(spyware)#Development_... for timeline.

See https://en.wikipedia.org/wiki/Pegasus_(spyware)#Saudi_Arabia for the iMessage version.

89. ceejayoz ◴[20 Nov 24 12:09 UTC] No.42193156{5}[source]
> Do you expect sites you do visit, like "google.com" or such, are going to serve up malware?

Absolutely. One of the main reasons to run an adblocker. Malicious ads slip through regularly onto entirely reputable sites.

90. tonfa ◴[20 Nov 24 12:19 UTC] No.42193241{3}[source]
I also found a recent article: https://www.nzz.ch/english/googles-spyware-hunters-track-sta...
91. zarzavat ◴[20 Nov 24 12:23 UTC] No.42193284[source]
Apple really cares about saving the planet so they will graciously allow you to recycle your working iPad and buy a new one.
92. ◴[20 Nov 24 12:25 UTC] No.42193301[source]
93. adrian_b ◴[20 Nov 24 13:03 UTC] No.42193574{3}[source]
While in general you are right, you should not forget that almost one year ago it has been revealed that the "Apple Silicon" CPUs had a hardware backdoor that had been exploited for years by malicious entities (i.e. some unprotected test registers that allowed the attacker to bypass the memory protection and gain complete control remotely, through the sending of an invisible message, without any chance of being detected by the owner; the complete exploit had used a chain of bugs in the Apple system libraries, together with the hardware backdoor).

Such a hardware backdoor is rather more severe than most of what has ever been discovered on non-Apple devices.

As long as the main protection of the Apple devices consists mostly in their lack of detailed technical documentation, one can never know whether other such hardware backdoors exist.

replies(1): >>42193716 #
94. acdha ◴[20 Nov 24 13:12 UTC] No.42193646{5}[source]
> Do you expect sites you do visit, like "google.com" or such, are going to serve up malware?

With absolute certainty. Google ads has triggered downloads of Windows executables on NYtimes.com for me before and I am confident attackers will keep trying. The idea that advertisers get to run JavaScript on clients makes that problem effectively unwinnable even though they spend considerable amounts trying to make it hard to slip dodgy code into ads.

95. hrvstr ◴[20 Nov 24 13:18 UTC] No.42193697[source]
Hmm, may I ask what version you are running now? I am on Sonoma too and don't see any updates. The apple support page lists macOS Sonoma 14.7.1 as the most recent version released on 28 Oct 2024. https://support.apple.com/en-us/100100
96. acdha ◴[20 Nov 24 13:21 UTC] No.42193716{4}[source]
Do you have a reference for that? It doesn’t sound like GoFetch, which is the closest on timing.
97. danieldk ◴[20 Nov 24 15:00 UTC] No.42194467{4}[source]
You can turn pretty much all of it off, disable SIP, boot Linux, whatever you like.

Good security is layered. For example, even with a sandbox escape, and app could not read your full Documents directory, modify the OS, or install a firmware-level rootkit.

98. chris_wot ◴[21 Nov 24 03:42 UTC] No.42200877{7}[source]
I see the Mac fanboys aren't happy with my factual statement. I love Macs (won't use anything else) but I also live in reality.