Feedback & Followups
- LastPass are finally forcing users to strengthen their master passwords — krebsonsecurity.com/… (Note that this provides zero protection to whatever was in users’ vaults when the big breach happened last year!)
- Passkeys continue their mainstream rollout: 1Password’s desktop and iOS/iPadOS (17+) clients, and its browser extensions, can now use and sync passkeys cross-platform — blog.1password.com/…
Deep Dive 1 — The LibWebP Bug
TL;DR — if it’s an app that connects to the internet, make sure it’s fully patched!
It turns out that the zero-day bug Apple patched in mid-September, which was being exploited by the NSO Group, affected a lot more than just Safari.
Apple & Google initially patched and reported the bug as a browser bug, and other Chromium-based browsers followed suit, but it soon emerged that the problem was much bigger than either browser: it actually lay in a commonly used open source library (LibWebP) that both the WebKit and Chromium browser engines use. This means that all other open source software that uses the same library needs to be patched too, including Firefox, LibreOffice, and many Linux distributions. Another major open source project that uses LibWebP is the Electron framework for building cross-platform apps, so all Electron-based apps need to be patched too, including popular apps like 1Password.
The good news is that the commonly used affected apps have released updates, so most users can protect themselves by patching all of their apps.
In case you’re curious, LibWebP is a codec for the open WebP image format developed by Google. Google describes WebP as:
“… a modern image format that provides superior lossless and lossy compression for images on the web. Using WebP, webmasters and web developers can create smaller, richer images that make the web faster. … WebP lossless images are 26% smaller in size compared to PNGs. WebP lossy images are 25-34% smaller than comparable JPEG images …”
Links
- Risk level 10: Critical security hole affects widespread software — www.pcworld.com/…
- Google assigns new maximum rated CVE to libwebp bug exploited in attacks — www.bleepingcomputer.com/…
- Vulnerability in popular ‘libwebp’ code more widespread than expected — therecord.media/…
- Critical libwebp Vulnerability Under Active Exploitation – Gets Maximum CVSS Score — thehackernews.com/…
Deep Dive 2 — Security & Privacy Highlights in Apple’s New OSes
Now that Apple’s new OSes for the year are out, let’s remind ourselves of the cybersecurity and privacy goodies Apple whetted our appetites for earlier in the summer at WWDC!
Easy Secure Password & Passkey Sharing (within the Apple Ecosystem)
You can now create groups of Apple IDs in the Keychain and share select passwords and passkeys with those groups.
Better Privacy in Safari
First up, Safari now supports profiles, which effectively allow you to have separate instances of Safari within Safari: you can have one profile where you are logged in to sites with your personal accounts, and another where you are logged in to the same sites with your work accounts. This kind of segregation also lets you separate particularly sensitive things like your online finance sites from all your other browsing, and it lets you stop cross-site tracking by overly curious social media apps like Facebook by trapping them in their own dedicated profiles.
You can now also set a different search engine for private and regular tabs/windows. So, you might be happy to use a more effective but less private search engine like Google most of the time, but when you want to be private, you’ll accept a less effective but tracking-free alternative like DuckDuckGo.
Apple are also continually enhancing the AI they use to thwart tracking of various kinds, and private tabs/windows will now lock themselves when you move away from them, requiring your biometrics or password to unlock when you come back to them.
Optional Sensitive Content Protection
Apple have had AI-powered on-device detection and blocking of explicit imagery in the Messages app as a parental control feature for some time now. This year’s new OSes expand the feature to cover more built-in apps (and third-party apps via a new API), and make it available to all users (not just child accounts in a family) as an opt-in feature. Two important features covered by this improved protection are AirDrop and the new Contact Posters.
If you don’t want to see uninvited nude images sent your way, you can enable this protection in the Security & Privacy section of the settings app.
‘Check In’ Makes it Easier to make sure Friends get Home Safe
We’ve described iOS 17’s new Check In feature a few times in this segment already: it’s a new variant of location sharing designed specifically to solve the problem of making sure friends and family get home safely. It adds more appropriate data, automates notifications to save you having to constantly check on progress, and is easy to enable and use, making it more likely that people actually will.
The person doing the travelling starts in the Messages app by opening or starting a conversation with the person or people they want to check in with, then taps the Plus button to see the list of apps (and, if Check In isn’t shown by default, the More button to see all the available apps), then chooses Check In (the icon is a yellow oval with a tick mark). That starts a wizard which guides the traveller through some choices to balance privacy with safety, and that’s all there is to it.
NameDrop is Secure-by-Default
There has been some concern expressed that the new NameDrop feature, which shares contact information by touching phones together, could be abused, but rest assured, Apple have thought this feature through very well: nothing can be shared without your explicit consent, and you can even choose which subset of the fields in your contact card to share.
Touching the phones doesn’t trigger a transfer; it triggers a request to transfer the information, and you can choose to receive only, or to send and receive.
Links
- New Security and Privacy Features in macOS Sonoma, iOS 17, and iPadOS 17 — www.intego.com/…
- How to set a unique search engine for private browsing in iOS 17 — appleinsider.com/…
- How to secure NameDrop and keep safe in iOS 17 — appleinsider.com/…
- Safari 17 with enhanced Private Browsing out now for macOS Ventura, macOS Monterey — appleinsider.com/…
- How to block unsolicited [nude] pics in iMessage in iOS 17 — www.cultofmac.com/… (Note from Bart: I’ve sanitised the headline, the original is mildly NSFW)
- Five important iOS 17 security features coming to your iPhone this month — 9to5mac.com/…
- Checklist 345: Privacy, Security, and Sonoma — overcast.fm/…
❗ Action Alerts
- Apple’s new OSes contain security patches as well as new features, but in keeping with Apple’s new normal approach, users who choose not to upgrade immediately can still get the security fixes:
- Apple releases macOS Sonoma 14, Safari 17 with 60+ security updates — www.intego.com/…
- iOS 16.7 arrives for older iPhones and people who don’t want to upgrade — arstechnica.com
- Safari 16.6.1 — tidbits.com/… (for macOS Monterey & BigSur)
- Apple patches Predator-exploited vulnerabilities for iOS, iPadOS, macOS, watchOS — www.intego.com/… (Predator is a competitor to the NSO group’s infamous Pegasus spyware. Note that these are not the LibWebP bugs. Also note no fix for iOS 15 or watchOS 8!)
- Important Note: Update a New iPhone 15 to iOS 17.0.2 Before Transferring from Your Old iPhone — tidbits.com/… (And if you ignore that warning: How to recover from iPhone 15 stuck on Apple logo — appleinsider.com/…)
- Related: How to reset your iPhone before trading in or selling — www.cultofmac.com/…
Worthy Warnings
- A timely reminder to enable MFA/2FA wherever you can: DarkBeam leaks billions of email and password combinations — cybernews.com/… (Ironically, DarkBeam are a cybersecurity company; they held the DB to help warn their customers of breaches, like a private Have I Been Pwned, and they lost the data by accidentally exposing a database and private search engine)
Interesting Insights
- A fascinating interview with the author of a recent exposé on the controversial AI facial recognition company Clearview AI: Fresh Air: Inside The Secretive AI Company That Knows Your Face — overcast.fm/…
Palate Cleansers
- From Bart: A Podcast Binge Recommendation — Patented: History of Inventions — shows.acast.com/…
- The show is going on hiatus, so now is a great time to scroll through their excellent back catalogue and queue up any episodes that take your fancy
- The final episode of this run is simultaneously nothing like the others, and a perfect example of the show’s feel – Dallas ends this first run with the story of a parody/joke-philosophy named Resistentialism, which posits that devices actively resist humans! — Patented: Things vs. Humans – the spiteful behaviour of inanimate objects — overcast.fm/…
- From Allister – an XKCD cartoon about Podcasting botsin.space/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
Emoji | Meaning |
---|---|
 | A link to audio content, probably a podcast. |
❗ | A call to action. |
flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
 | A link to graphical content, probably a chart, graph, or diagram. |
 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” |
 | A link to an article behind a paywall. |
 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
[…] Security Bits — 1 October 2023 […]