Has Apple dropped the ball on providing a security patch for a popular macOS command line tool? A user receives a counterfeit phone instead of an iPhone, but in a way that even Houdini might have had trouble making happen. And some tips on shopping for tech devices safely and securely during Black Friday sales.
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.
Voice Over 0:00
This is the Intego Mac Podcast–the voice of Mac security–for Thursday, November 16 2023.
This week’s Intego Mac Podcast security headlines include: has Apple dropped the ball on providing a security patch for a popular macOS command line tool? Was it a swindle? A user receives a counterfeit phone instead of an iPhone, but in a way that even Houdini might have had trouble making happen. And some tips on shopping for tech devices safely and securely during Black Friday sales. Now, here are the hosts of the Intego Mac Podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:47
Good morning, Josh, how are you today?
Josh Long 0:49
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:50
I’m doing just fine. Today in the second part of the podcast, we’re going to talk a bit about Black Friday, which comes up again as actually Black November because some of the places have started selling things on November 1 here. But we first want to talk about an article that you wrote on the Intego Mac security blog, pointing out that Apple is neglecting to patch multiple critical vulnerabilities in iOS, saying that Apple is neglecting to patch multiple critical vulnerabilities in macOS. That’s quite a bold accusation. Josh, do you have evidence of this?
Josh Long 1:24
I do. Certainly, I, of course, wouldn’t say that if I didn’t have evidence. You might remember a month ago, back on the October 12 episode, which was number 313, we talked about how Apple was missing a patch for curl. This is both a command line utility and also a library that can be embedded in other applications that’s basically used for accessing content from the web from within another app, or you can run it as a command line tool to download things from the web in the Terminal. curl had just released, that is, the curl project maintainers had just released a patch. And we still to this day, a month later, more than a month later, we have the old version of curl still included with the latest version of macOS, which is kind of weird. It’s not just the previous version, it’s a very old version of curl.
Kirk McElhearn 2:21
But you’re saying this is a critical vulnerability? Does Apple really not check these command line utilities?
Josh Long 2:27
Well, it is sort of odd. So there’s a standards organization that puts together a score called a CVSS score. And they rate it a 9.8 out of 10. And they call that a critical vulnerability. That’s about as bad as it gets. It’s extremely rare that you get a 9.9 or a 10 out of 10. So they’re saying this is really bad. Now, how likely is it that someone’s going to use this, you know, and exploit it on your Mac? Probably not very likely. But still, I mean, when you’ve got a high severity or critical severity vulnerability, you would expect that Apple is going to patch that pretty quickly. Okay, so this is more than just curl, right? In writing this article, I ran the curl --version command on the command line. And one of the things that will tell you, of course, is the version of curl that you’ve currently got installed on your Mac. But the other thing it will tell you is its dependencies. So if there are other libraries that it’s taking advantage of, it will list those there as well. So one of those other dependencies is LibreSSL. It’s the technology that allows a secure connection to a website or others. And so it turns out that LibreSSL, which is also part of macOS, is also very out of date. In fact, it was last updated nearly 20 months ago, in March 2022. So it’s almost two years old at this point, the version that’s included. So if we look more into that, the National Vulnerability Database lists at least four vulnerabilities in this particular version of LibreSSL that’s still being included in the latest version of macOS, two of which, by the way, are 9.8 critical vulnerabilities. Apple makes no mention of those vulnerabilities by name anywhere on its site. And there’s other things that are outdated as well beyond that.
So the takeaway from this is, Apple’s not doing such a great job of patching these open source components, of including the latest version of open source components with all the security patches that they include in its latest operating systems. And this has actually been a problem for a while. It doesn’t come up all that often, because it’s really just, you know, geeks like me who are looking into this stuff and realizing, oh my gosh, like, this is really out of date.
Kirk McElhearn 4:52
Okay, we have a headline that needs some explaining: “Nothing is bringing iMessage to its Android phone.” You need to know that there is a company called Nothing that makes a … is this a Nothing phone? (Yeah, it’s the Nothing phone.) Okay, I just want to own a Nothing phone. Anyway, they’ve come up with a convoluted way of letting Android users use iMessage. And it’s incredibly insecure.
Josh Long 5:15
So there are third party solutions for kind of getting iMessage to work on Android. And they’re all, let’s say, kludgy. And some of them, I would say, are kind of sketchy. One solution that currently exists for being able to do this is software that you can run on your Mac that will forward iMessages from your Mac to your Android phone. But there are also services that allow you to sign into your Apple ID on someone else’s server, meaning you’re handing over your username and password for your Apple ID and giving it to someone else to keep active on their server, in order for them to forward your messages on to your Android device for you. Neither one of these solutions is supported by Apple, of course. And now what the Nothing phone is doing, specifically the Nothing Phone (2), this is the second version of this phone, is it comes with the capability of allowing you to kind of sort of get iMessages to your Android phone as a built-in feature. They’re calling this messaging platform Sunbird. And it’s kind of weird the way that they describe how this thing works. They say it’s literally signing in on some Mac mini in a server farm somewhere. And that Mac mini will then do all of the routing for you to make this happen. So it kind of sounds like that first solution we talked about, where you run software on your own Mac, except that this is being run in a server farm. Like, what? That sounds kind of crazy.
Kirk McElhearn 6:55
But this is run on someone’s computer who can therefore access your messages. Right?
Josh Long 7:01
That’s the thing: you’re intentionally making someone else the man in the middle for all of your iMessages just so that you can have your iMessages come in on your Android phone. That doesn’t seem like a great idea.
Kirk McElhearn 7:15
Okay, we have an interesting story, which is nostalgic. And it’s kind of weird that Apple just discontinued sales of the last macOS install DVDs. In fact, that’s not correct. It’s Mac OS X install DVDs of Lion and Mountain Lion. You remember when you used to be able to get Mac OS X on DVD. And when Mountain Lion came out, it was the first version of Mac OS X that was available on the Mac App Store. It cost $20, which we were thinking, ooh, compared to, I don’t know, $100 or whatever it had been before, that was really cheap. And we were downloading it and we didn’t need the disk. And then Mavericks came out, and it was free. And I didn’t look up to see the presentation of Mavericks with the new Macs of that time. But I kind of remember Steve Jobs doing a thing, and in the background it said the price was $0 or something. To be fair, when you were used to paying $100 or $129 for Mac OS X, getting it free, that was kind of like your Mac was worth $100 more, right, than what you paid for your Mac.
Josh Long 8:22
By the way, if you had been a public beta tester, it cost $30 to be part of that public beta. And so they gave you a $30 discount on the very first version of Mac OS X. It was 130 bucks, and it wasn’t a yearly release cycle. (That’s right.) But eventually Apple got into that groove. And they brought the price down to $20 and then free starting with Mac OS X Mavericks, which, by the way, came out 10 years ago. The last time that it made sense to get a DVD copy of OS X Mountain Lion would have been a little over 10 years ago, before Mavericks came out, if you needed to install the latest operating system on some older computer that you even wanted to upgrade to Mountain Lion; then you would get the installation DVDs. Once Mavericks came out 10 years ago, there hasn’t been much need for these DVDs. So I was really surprised to hear that Apple was still selling any installation DVDs.
Kirk McElhearn 9:21
Okay, we noticed a story and it raised the question of something that we’ve never explained on the podcast. We’re going to link to MacRumors, and their story is “Apple Stops Signing iOS 17.1, Preventing Downgrading.” Every time there’s a new version of iOS, three or four Apple websites mention Apple stopped signing, preventing downgrading, but we thought that we’ve never explained what it means to stop signing. We talked about code signing, that if Apple basically withdraws a certificate, an app can’t run, which is the same for an installer. But why would they do this to prevent downgrading from one version of an operating system to the previous version of the operating system?
Josh Long 9:59
I guess there’s kind of two reasons, but they’re both related reasons. The reason is essentially that older versions of iOS have vulnerabilities. And two more specific reasons might be that Apple is trying to prevent people from being able to downgrade for purposes of jailbreaking, if they had upgraded to the latest version of iOS and then realized, oh, shoot, I can’t jailbreak this version. Apple doesn’t really want people jailbreaking their phones anyway, because then they’re going to be, for example, able to download a third party app store, and then be able to bypass in-app purchases and be able to get things from some other place besides the App Store. So Apple doesn’t really like it from that perspective. The other angle is if, for example, law enforcement, or some nefarious party, gets a hold of your iPhone, and they want to break into it, they may not be able to do it if you’ve got the latest version of iOS, because it’s patched all the known vulnerabilities. So theoretically, if Apple didn’t stop signing previous versions of iOS, then it would be possible for someone to take your device and maybe downgrade it to an older version, a known vulnerable version of iOS, so they could more easily break into it. Those are some reasons why Apple probably does this. And Kirk and I were kind of discussing before the show, like, why doesn’t Apple do this for macOS? I feel like they’re very different operating systems from that particular perspective. And macOS is much more open, and always has been, than iOS. You can run third party apps, you know, there’s no need to jailbreak a Mac. Apple has some pretty good reasons to prevent you from downgrading to an insecure version of iOS.
Kirk McElhearn 11:49
About a year ago, Apple introduced their Emergency SOS via satellite feature for the iPhone 14. And Apple today announced that they will provide this to existing iPhone 14 users for an additional free year. You might have forgotten that this feature was meant to be, well, not free forever; they announced it was going to be free for a year. They didn’t say anything about how you would subscribe after that. Who would subscribe? It’s kind of interesting, because in the Mac press, every time someone gets saved by the Emergency SOS, or crash detection, people write about it. And just this week, there is a journalist at AppleInsider, Daniel Eran Dilger, who wrote an article saying that crash detection saved another life: mine. He was in a serious accident, and crash detection helped him. Now, crash detection and Emergency SOS are two different things. Crash detection is automatic; Emergency SOS via satellite is when you’re in the middle of nowhere. But these are features that are a very good selling point for the iPhone. And it’s kind of interesting that Apple’s decided to extend this feature for free. It makes me think that they’re never going to make anyone pay, because who would think of paying for it, right? If you have to pay 20 bucks a year, you’re gonna say it’s not worth it, unless you’re someone who goes off the grid a lot.
Josh Long 13:08
Right. When we talked about this when the iPhone 14 first came out, that was one of my questions. Am I going to have to pay for this then, a year from now, if I want to continue to have Emergency SOS via satellite? My thought is that probably this doesn’t cost Apple all that much to keep this service going. They’ve got to have it available anyway for new models, for people who are just buying the latest iPhone, so it’s probably not really going to save Apple any money; it’s probably not costing them much. And also, they haven’t been giving people alerts that, hey, your phone’s a year old now, you’re gonna have to buy Emergency SOS for another year. I guess Apple just decided that it makes the most sense, probably from a liability perspective, too, in case people miss that notification that they need to renew their Emergency SOS, right? So from a liability perspective, it just makes sense to keep it going for everybody, and maybe it’ll be permanent. Maybe it’s just another year; we’ll have to see next year.
Kirk McElhearn 14:07
We’re gonna take a break and we’re gonna give you some tips for safe shopping on Black Friday and Black Friday weekend, Black Friday month and all the rest of that.
Voice Over 14:17
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware, and much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma and the latest Apple silicon Macs. And now, with Black Friday coming up, you’ll want to get the best deal of the year on Intego software. To get notified when our Black Friday sale starts, sign up for the Intego newsletter at blog.intego.com/newsletter — that’s blog.intego.com/newsletter — to sign up to get notified as soon as Intego’s Black Friday sale begins. Intego: world-class protection and utility software for Mac users, made by the Mac security experts.
Kirk McElhearn 15:34
Okay, so Black Friday is here again. Are you tired of Black Friday, Josh? I’m getting kind of tired. Years ago, there used to be really good sales for Black Friday. Now, it’s just an excuse for companies to raise the price of things before Black Friday, so they can drop them 25% for Black Friday and say that they’re on sale.
Josh Long 15:51
I feel like this has also gotten a little bit too complicated. Because it used to be that there was one day, maybe two days if you count Cyber Monday as well, that you could expect a sale to be going on. Or maybe it would just be from Friday to Monday. And then it kind of bled into Thanksgiving Day in the US, you know, so you had, like, Thursday through Monday too, you know, with all these different retailers that kept getting earlier. And now you don’t really know when is going to be the best time to get the best deal, right? Should I buy a Black Friday month deal from somebody else? Or should I wait for someone else’s Black Friday sale to begin? It’s just too complicated. I don’t like it.
Kirk McElhearn 16:34
So two years ago, I upgraded my TV. And what I did is I bought from a retailer in the UK who guaranteed that if this TV was available at a lower price through the end of November, they would refund the difference. And I bought this maybe 10 days before Black Friday. And I knew that I could trust them.
Josh Long 16:53
Right. That’s the way to do it. That’s how everybody should be doing their Black Friday sales. Everybody should be doing this: lock them in, get the sale from them. And then if they can prove that there was a better price that they found somewhere else, then give them the discount retroactively.
Kirk McElhearn 17:09
Especially because most people don’t bother to check if there’s a better price, and they’ll never get the discount anyway. So they make the sale with a promise. Anyway, we want to start with a story that’s not Black Friday related, but it might kind of be. Someone wrote a very long story on Reddit that says, “I got a fake iPhone 15 Pro from Apple.” We’re going to summarize this because there’s a lot of moving parts. He ordered an iPhone 15 Pro from Apple, it was delivered, he opened the box, and he got basically a copy Android phone that had a version of Android that was skinned to look like iOS. This is a really weird story. And this occurred in the UK. And so I can tell you from experience the way Apple manages these deliveries: they only use a couple of delivery companies. In this case it was DPD, which is my favorite delivery company, because when you’re getting a delivery, you get a link and you can see where the driver is on a map. And you can see your delivery number, 16 and 48, you’ll be delivered in 20 minutes, and you can spot it, and you know when they’re going to be there, so you don’t have to worry about missing it. The guy opened the box and got this fake iPhone. Now, if you’re listening to this podcast, you’ve bought Apple products, and you know that the way they are sealed is with a very specific type of tape that once you take it off, you can’t replace it. Now, that’s the case for the iPhone’s box. But also the box it ships in, and an iMac ships in a box with the same sort of tear-off tape, an Apple Watch or an Apple Watch band. Everything has that tape. It’s not clear where this got switched. We’re trusting that the guy is telling the truth, right, that he’s not making this up. But you never know. The only possibility, literally the only possibility, is this got switched in the factory, or just after the factory where the iPhone was assembled.
Because now, the person didn’t say that it had the right tear tape, right, the pull tape, but I’m assuming it did; the box looked legitimate. It’s not possible that some delivery driver managed to open the box and replace it with the exact same model fake iPhone, so the iPhone 15 Pro Max, titanium, whatever color, right, the color. It’s not possible that the delivery driver did that, because Apple is pretty strict about controlling that. It’s not possible that this occurred in a container on a ship or in an airplane flying from China. The only real possibility was that someone in the factory switched a bunch of iPhones for Android phones. The Android phones cost, I don’t know, 1500 bucks, whatever the equivalent is, and the iPhones were worth 1000, and they could sell them on the black market.
Josh Long 19:47
I think there’s a couple of interesting ways to look at this. So from the attacker’s perspective, what did they get out of this? The most obvious one, probably, is that they got a real iPhone that they can turn around and sell, theoretically, in exchange for giving away a very cheap knockoff Android device, right? The other thing that potentially a bad guy could get out of this is, of course, if they’re giving you an Android phone, it could very well have malware on it. It could be phoning home to a server that’s controlled by the person who slipped this in the box, right? So when it prompts you for, let’s say, an Apple ID, it could be getting your username and password; it could be logging your keystrokes. So maybe you go to a website to make a purchase, and you type in your credit card number. Anything that you input into that device could be taken and harvested by an attacker.
Kirk McElhearn 20:46
Okay, so Black Friday, first tip: I think just make sure that the packaging is sealed with that pull-off strip. If you ever get an Apple device delivered to you and it’s covered with tape, refuse delivery and call Apple right away, because that’s very suspicious. Black Friday, and Josh likes to do this every year, and I’m gonna let Josh talk about it: don’t buy old devices, because they can’t get security updates. And if you buy an iPhone 6 or an iPhone 7 now, it’s going to be really cheap, and you’re going to be in danger once you fire that phone up.
Josh Long 21:18
If, for example, you’re buying a router this year, you want to make sure that you’re getting something that has Wi-Fi 6E. So new Apple devices are starting to come with Wi-Fi 6E. And why is it so bad if you get something that’s just Wi-Fi 6, the previous standard? Well, the reason is that those are going to be older devices, which means that not only do they support an older standard and not the latest one, but that also means that they came out longer ago, which means that you probably have less time remaining that the company is still going to be releasing security updates, firmware updates, for that router. When I went on Amazon just now and I searched for routers, what do I get in the results? The first is a sponsored result for a Linksys Wi-Fi 5 router. What? And then, so that’s AC1200, so 802.11ac is the standard. And that’s really old. That’s the first result. And then I get another sponsored result for a Linksys Wi-Fi 6 router. And I have to keep scrolling and scrolling forever until I finally get to Wi-Fi 6E routers. This is problematic. You don’t want to buy something that’s an outdated device. When it comes to routers, when it comes to computers, some smartphones, tablets, any of these things, make sure you’re getting something that’s current.
Kirk McElhearn 22:48
I’m going to slightly disagree with Josh. 6E is the most recent but also the most expensive Wi-Fi router; I think there’s a Wi-Fi 7 coming out soon. Wi-Fi 6 is already pretty fast and isn’t that old. But anything that’s Wi-Fi 5 or older, or 802.11b, g, n, one of those things that is, you know, really old, you should avoid. Josh, let’s talk about routers, because people never buy them. I think it’s more important to talk about, say, old iPhones or old Android phones that are no longer supported with security updates. We’ll link to an article on the Intego Mac Security blog about when an iPhone is not safe to buy. So at which point is an iPhone too old to get security updates? As Josh also likes to point out, the Apple Watch 3 was sold even after it was no longer supported by the latest version of watchOS. So you really need to be careful about that. You basically need to do your research. It’s not just a question of paying less for a device. It’s a question of knowing how long it’s going to last. In the Android market, brands are starting to say how many years of security updates devices will get. So you’ll be able to buy a phone and it says it’s going to get four or five or six years of security updates. Google’s latest phones get up to seven years of updates. Now, Apple doesn’t do that yet. But I think Apple is going to have to start saying how many years of updates it gets. So if you want to buy an older Google phone, right, a Google Pixel 5, it’s a few years old, you might want to check on the Google website to make sure it’s going to get updates for more than a couple of years. Because if you buy it now, and it doesn’t get many updates after a year, you’re going to have this phone that was cheap, but it’s going to be unsafe to use.
Josh Long 24:26
Exactly right. So it’s important to be aware there’s kind of a sliding scale, in my opinion, if the price is right. And let’s say you only really need to use the device for the next year or two. If you can get that price just right, where it kind of makes sense, if it’s cheap enough that you can get away with using that for a year or two and it’s not going to be a big deal to replace it after that point, maybe that makes sense. You should only pay full price for a device if it’s a recent device. The one exception to that right now would be the iPads, because Apple did not release any new iPad models this entire year. And so we can expect that Apple’s probably going to release new iPads sometime within the next several months. But if you really need an iPad right now, you’re going to have to get a 2022 model.
Kirk McElhearn 25:18
It’s not clear if Apple is going to do a Black Friday sale. They sometimes do, but when they do, it’s generally that they give a gift card for the Apple Store. I benefited from this, was it last year, when I bought the Beats Solo3 headphones and I got a £50 gift card from Apple. That was the offer that they had. You won’t see the new Macs getting Black Friday deals, though. Apparently Amazon in the US is discounting, not the entry-level M3 iMac, but the next one up, which sells for $1,499, is $200 off. But Apple just doesn’t do it. They don’t need to do Black Friday sales. We’re going to link to an article in the show notes called “Eight essential tips to stay safe shopping online on Cyber Monday and Cyber Week.” And this is for Cyber Monday. And this is from Black Friday. And we won’t go into detail about the tips, but shop on familiar websites, check for fake reviews. So we like Fakespot, and Fakespot was bought by Mozilla, the company that makes Firefox. They have a new chatbot using Mozilla’s first LLM, which is a large language model; ChatGPT is a large language model. And it lets online shoppers research products via an AI chatbot. The problem is, and we’re going to link to an article in TechCrunch, the example that Mozilla gives is someone’s looking at a chair: how is the lumbar support? And the chatbot replies, the chair provides great lumbar support with a soft mesh back. And it just basically sounds like it’s regurgitating the product description. Of course, this could help you if you’ve got a very long product description and you want the chatbot to give you some details. Fakespot will tell you if the reviews on Amazon and certain other websites look fake; they have a way of analyzing, and they’re probably using AI to do better analysis now. So I always use Fakespot when I’m buying something basic for the kitchen, and there’s 500 Chinese brands and this one’s the cheapest, and I’ll use Fakespot to see if the reviews are good.
But these days, there are so many fake reviews that it’s really hard to get through them. So go through the eight essential tips. They include things like using strong, unique passwords when you set up accounts on websites, making sure that you’re on a secure website that’s using encryption, the little padlock in the address bar. And don’t forget to use robust protection software like Intego’s Mac Premium Bundle X9 to make sure that you are safe from malware and any other malicious downloads from shopping sites that you visit. Josh, do you have like one really key Black Friday tip to share?
Josh Long 27:55
One more tip that’s not cybersecurity related, or privacy, whatever. But if you just want to save a little bit of money, there’s one site and one app that we’ve recommended in the past. The website is camelcamelcamel.com, and the app is called Price Pulse, and that’s available in the App Store. Both of those will help you track when something is actually on sale, versus whether they just claim that it’s on sale, so you can see the normal pricing for it versus what it’s currently priced at and decide for yourself whether it’s actually a good deal or not.
Kirk McElhearn 28:27
Okay, that’s enough for this week. Josh, don’t spend too much money. Until next week, stay secure.
Josh Long 28:31
All right, stay secure.
Voice Over 28:35
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com. And don’t forget, sign up for the Intego newsletter to get notified as soon as Intego’s Black Friday sale begins. Just go to blog.intego.com/newsletter, that’s blog.intego.com/newsletter, to get an email alert the moment our holiday sale is underway.