{"id":29482,"date":"2023-10-01T15:13:50","date_gmt":"2023-10-01T22:13:50","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=29482"},"modified":"2023-10-01T15:13:50","modified_gmt":"2023-10-01T22:13:50","slug":"sb-2023-10-01","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2023\/10\/sb-2023-10-01\/","title":{"rendered":"Security Bits \u2014 1 October 2023"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>LastPass are finally forcing users to strengthen their master passwords \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2023\/09\/lastpass-horse-gone-barn-bolted-is-strong-password\/\">krebsonsecurity.com\/\u2026<\/a> (Note that this provides <strong>zero<\/strong> protection to whatever was in users&#8217; vaults when the big breach happened last year!)<\/li>\n<li>Passkeys continue their mainstream rollout \u2013 1Password&#8217;s Desktop &amp; iOS\/iPadOS (17+) clients, and browser extensions can now use and sync Passkeys cross-platform \u2014 <a href=\"https:\/\/blog.1password.com\/save-use-passkeys-web-ios\/\">blog.1password.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 1 \u2014 The LibWebP Bug<\/h2>\n<p><strong>TL;DR \u2014 if it&#8217;s an app that connects to the internet, make sure it&#8217;s fully patched!<\/strong><\/p>\n<p>It turns out that the zero-day bug Apple patched in mid-September that was being used by the NSO group affected a lot more than just Safari.<\/p>\n<p>Apple &amp; Google initially patched and reported the bug as a browser bug, and other Chromium browsers followed suit, but it soon emerged that the problem was much bigger than either browser \u2014 it actually lay in a commonly used open source library (<a href=\"https:\/\/github.com\/webmproject\/libwebp\">LibWebP<\/a>) that both the WebKit and 
Chromium browser engines use. This means that all other open source software that uses the same library needs to be patched too, including Firefox, LibreOffice, and many Linux distributions. Another major open source project that uses LibWebP is the Electron framework for building cross-platform apps, so all those apps need to be patched too, including popular apps like 1Password.<\/p>\n<p>The good news is that the commonly used affected apps have released updates, so most users can protect themselves by patching all of their apps.<\/p>\n<p>In case you&#8217;re curious, LibWebP is a codec for the open <a href=\"https:\/\/en.wikipedia.org\/wiki\/WebP\">WebP image format<\/a> developed by Google. <a href=\"https:\/\/developers.google.com\/speed\/webp\">Google describes WebP<\/a> as:<\/p>\n<blockquote><p>\n  &#8220;\u2026 a modern image format that provides superior lossless and lossy compression for images on the web. Using WebP, webmasters and web developers can create smaller, richer images that make the web faster. \u2026 WebP lossless images are 26% smaller in size compared to PNGs. 
WebP lossy images are 25-34% smaller than comparable JPEG images \u2026&#8221;\n<\/p><\/blockquote>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.pcworld.com\/article\/2083926\/highest-alert-level-security-vulnerability-affects-apps-like-telegram-and-1password.html\">Risk level 10: Critical security hole affects widespread software \u2014 www.pcworld.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks\/\">Google assigns new maximum rated CVE to libwebp bug exploited in attacks \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/therecord.media\/libwebp-vulnerability-more-widespread-than-expected\">Vulnerability in popular \u2018libwebp\u2019 code more widespread than expected \u2014 therecord.media\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2023\/09\/new-libwebp-vulnerability-under-active.html\">Critical libwebp Vulnerability Under Active Exploitation &#8211; Gets Maximum CVSS Score \u2014 thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 Security &amp; Privacy Highlights in Apple&#8217;s New OSes<\/h2>\n<p>Now that Apple&#8217;s new OSes for the year are out, let&#8217;s remind ourselves of the cybersecurity and privacy goodies Apple whetted our appetites for earlier in the summer at WWDC!<\/p>\n<h3>Easy Secure Password &amp; Passkey Sharing (within the Apple Ecosystem)<\/h3>\n<p>You can now create groups of Apple IDs in the Keychain and share select passwords and passkeys with those groups.<\/p>\n<h3>Better Privacy in Safari<\/h3>\n<p>First up, Safari now supports <strong>profiles<\/strong>, which effectively allow you to have separate instances of Safari within Safari \u2014 you can have one profile where you are logged in to sites with your personal accounts, and another where you are logged in to the same sites with your work accounts. 
This kind of segregation also lets you isolate particularly sensitive things like your online finance sites from all your other browsing, and stop cross-site tracking by overly curious social media apps like Facebook by trapping them in their own dedicated profiles.<\/p>\n<p>You can now also set a different search engine for private and regular tabs\/windows. So, you might be happy to use a more effective but less private search engine like Google most of the time, but when you want to be private, you&#8217;ll accept a less effective but tracking-free alternative like DuckDuckGo.<\/p>\n<p>Apple are also continually enhancing the AI they use to thwart tracking of various kinds, and private tabs\/windows will now lock themselves when you move away from them, and require your biometrics or password to unlock when you come back to them.<\/p>\n<h3>Optional Sensitive Content Protection<\/h3>\n<p>Apple have had AI-powered on-device detection and blocking of explicit imagery in the Messages app as a parental control feature for some time now. This year&#8217;s new OSes expand the feature to cover more built-in apps (and 3rd-party apps via a new API), and make it available to all users (not just child accounts in a family) as an opt-in feature. Two important features covered by this improved protection are AirDrop and the new Contact Posters.<\/p>\n<p>If you don&#8217;t want to see uninvited nude images sent your way, you can enable this protection in the Security &amp; Privacy section of the Settings app.<\/p>\n<h2>&#8216;Check In&#8217; Makes it Easier to make sure Friends get Home Safe<\/h2>\n<p>We&#8217;ve described iOS 17&#8217;s new Check In feature a few times in this segment already \u2014 it&#8217;s a new variant of location sharing designed specifically to solve the problem of making sure friends and family get home safely. 
It adds more appropriate data, automates notifications to save you having to constantly check on progress, and is easy to enable and use, making it more likely people will.<\/p>\n<p>The person doing the travelling starts in the Messages app, by opening\/starting a conversation with the person\/people they want to check in with, then clicks the Plus button to see the list of apps, and if it&#8217;s not shown by default, the More button to see all the available apps, then chooses Check In (the icon is a yellow oval with a tick mark). That will start a wizard which guides the traveller through some choices to balance privacy with safety, and that&#8217;s all there is to it.<\/p>\n<h3>NameDrop is Secure-by-Default<\/h3>\n<p>There has been some concern expressed that the new NameDrop feature, which shares contact information by touching phones together, could be abused, but rest assured, Apple have thought this feature through very well, and it&#8217;s not possible for anything to get shared without your explicit consent, and you can even choose which subset of the fields in your contact card to share.<\/p>\n<p>Touching the phones doesn&#8217;t trigger a transfer, it triggers a <strong>request<\/strong> to transfer the information, and you can choose to receive only, or to send-and-receive.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/new-security-and-privacy-features-in-macos-sonoma-ios-17-and-ipados-17\/\">New Security and Privacy Features in macOS Sonoma, iOS 17, and iPadOS 17 \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/inside\/ios-17\/tips\/how-to-set-a-unique-search-engine-for-private-browsing-in-ios-17\">How to set a unique search engine for private browsing in iOS 17 \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/inside\/ios-17\/tips\/how-to-secure-namedrop-and-keep-safe-in-ios-17\">How to secure NameDrop and keep safe in iOS 17 \u2014 
appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/23\/09\/26\/safari-17-with-enhanced-private-browsing-out-now-for-macos-ventura-macos-monterey\">Safari 17 with enhanced Private Browsing out now for macOS Ventura, macOS Monterey \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.cultofmac.com\/821076\/how-to-block-nude-images-in-imessage\/\">How to block unsolicited [nude] pics in iMessage in iOS 17 \u2014 www.cultofmac.com\/\u2026<\/a> (<strong>Note from Bart:<\/strong> I&#8217;ve sanitised the headline, the original is mildly NSFW)<\/li>\n<li><a href=\"https:\/\/9to5mac.com\/2023\/09\/14\/ios-17-security-features\/\">Five important iOS 17 security features coming to your iPhone this month \u2014 9to5mac.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/overcast.fm\/+HLr4oFpW0\">Checklist 345: Privacy, Security, and Sonoma \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Apple&#8217;s new OSes contain security patches as well as new features, but in keeping with Apple&#8217;s new normal approach, users who choose not to upgrade immediately can still get the security fixes:\n<ul>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-releases-macos-sonoma-14-safari-17-with-60-security-updates\/\">Apple releases macOS Sonoma 14, Safari 17 with 60+ security updates \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1970394\">iOS 16.7 arrives for older iPhones and people who don\u2019t want to upgrade \u2014 arstechnica.com<\/a><\/li>\n<li><a href=\"https:\/\/tidbits.com\/watchlist\/safari-16-6-1\/\">Safari 16.6.1 \u2014 tidbits.com\/\u2026<\/a> (for macOS Monterey &amp; Big Sur)<\/li>\n<li>
<a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-patches-predator-exploited-vulnerabilities-for-ios-ipados-macos-watchos\/\">Apple patches Predator-exploited vulnerabilities for iOS, iPadOS, macOS, watchOS \u2014 www.intego.com\/\u2026<\/a> (<em>Predator<\/em> is a competitor to the NSO group&#8217;s infamous <em>Pegasus<\/em> spyware. Note that these are not the LibWebP bugs. Also note <strong>no fix for iOS 15 or watchOS 8<\/strong>!)<\/li>\n<li><strong>Important Note:<\/strong> <a href=\"https:\/\/tidbits.com\/2023\/09\/22\/update-a-new-iphone-15-to-ios-17-0-2-before-transferring-from-your-old-iphone\/\">Update a New iPhone 15 to iOS 17.0.2 Before Transferring from Your Old iPhone \u2014 tidbits.com\/\u2026<\/a> (And if you ignore that warning: <a href=\"https:\/\/appleinsider.com\/articles\/23\/09\/22\/how-to-recover-from-iphone-15-stuck-on-apple-logo\">How to recover from iPhone 15 stuck on Apple logo \u2014 appleinsider.com\/\u2026<\/a>)<\/li>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.cultofmac.com\/829232\/reset-iphone-before-trading-or-selling\/\">How to reset your iPhone before trading in or selling \u2014 www.cultofmac.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>A timely reminder to enable MFA\/2FA wherever you can: <a href=\"https:\/\/cybernews.com\/security\/darkbeam-data-leak\/\">DarkBeam leaks billions of email and password combinations \u2014 cybernews.com\/\u2026<\/a> (Ironically, DarkBeam are a cybersecurity company; they held the DB to help warn their customers of breaches, like a private Have I Been Pwned, and they lost the data by accidentally exposing a database and private search engine)<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by 
Bart.<\/aside>\n<ul>\n<li>A fascinating interview with the author of a recent expos\u00e9 on the controversial AI facial recognition company Clearview AI: <a href=\"https:\/\/overcast.fm\/+Ys_nQTtaA\">Fresh Air: Inside The Secretive AI Company That Knows Your Face \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> A Podcast Binge Recommendation \u2014 <a href=\"https:\/\/shows.acast.com\/patented-history-of-inventions\/episodes\/things-vs-humans-the-spiteful-behaviour-of-inanimate-objects\">Patented: History of Inventions \u2014 shows.acast.com\/\u2026<\/a>\n<ul>\n<li>The show is going on hiatus, so now is a great time to scroll through their excellent back catalogue and queue up any episodes that take your fancy<\/li>\n<li>The final episode of this run is simultaneously nothing like the others, and a perfect example of the show&#8217;s <em>feel<\/em> \u2013 Dallas ends this first run with the story of a parody\/joke-philosophy named <em>Resistentialism<\/em>, which posits that devices actively resist humans! \u2014 <a href=\"https:\/\/overcast.fm\/+34myl8rJs\">Patented: Things vs. 
Humans &#8211; the spiteful behaviour of inanimate objects \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>From Allister<\/strong> &#8211; an XKCD cartoon about Podcasting <a href=\"https:\/\/botsin.space\/@xkcdbot\/111138571143431271\">botsin.space\/&#8230;<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em><\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. LastPass are finally forcing users to strengthen their master passwords \u2014 krebsonsecurity.com\/\u2026 (Note that this provides zero protection to what ever was in user&#8217;s vaults when the big breach happened last year!) Passkeys continue [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,1],"tags":[],"class_list":["post-29482","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-podcasts"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":
"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=29482"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29482\/revisions"}],"predecessor-version":[{"id":29484,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/29482\/revisions\/29484"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=29482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=29482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=29482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}