Operating system updates with security patches arrived for Apple devices this week and we have the rundown of fixes. Apple experiences a major outage of iCloud Private Relay. What does that mean, and who was affected? And the newest betas of Apple’s upcoming software are giving us the first look at Apple Intelligence.
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.
Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, August 1 2024.
This week’s Intego Mac Podcast headlines include: operating system updates with security patches arrived for Apple devices this week and we have the rundown of fixes. Apple experiences a major outage of iCloud Private Relay. What does that mean? And who was affected? And the newest betas of Apple’s upcoming software are giving us the first look at Apple Intelligence. Now here are the hosts of the Intego Mac podcast. Veteran Mac journalist, Kirk McElhearn. And Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:45
Good morning, Josh, how are you today?
Josh Long 0:47
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:48
I’m doing just fine. This is the last day of July we’re recording on July 31. So we have a new month when this podcast comes out. So we’re gonna start by talking about a member of parliament in India who got an Apple mercenary spyware attack alert. And we mentioned this, I believe, last week or the week before in the podcast. And some months ago, when Apple sent out these first words to people who had been targeted by mercenary spyware, which is either Pegasus or a variant of Pegasus. And most of this doesn’t get publicized. I haven’t seen an article with a list of all these people who raised their hands and said, I got targeted because you generally don’t want to tell people, but a member of parliament in India is known to have been targeted by these attacks.
Josh Long 1:31
Right? I thought this was just worth mentioning, because we don’t always see details about who was targeted. But at least we know one person was a government official in the country of India, so So it’s definitely interesting to see that they’re targeting government officials. In some countries, it may include your country too, and maybe you just haven’t heard about it because it hasn’t made it into the news.
Kirk McElhearn 1:53
I don’t think anyone wants to admit to be honest, because that might even make them more of a target. If they say I’ve been targeted by this mercenary spyware, there might be a reason for other people to attempt to target that person. Maybe by sending phishing emails pretending to be from Apple talking about being targeted by mercenary spyware. You know, it could just be a never ending cycle like that. So there was a Safari outage last week, which was quite interesting because it didn’t affect everyone. It only affected people using iCloud Private Relay. And at the same time, there was a problem with Xcode cloud, we’re not sure that the two are related. But the iCloud Private Relay outage lasted several days.
Josh Long 2:31
Yeah, it’s funny that you mentioned it was the Safari outage because I think a lot of people felt like it was a Safari outage because they had iCloud Private Relay on and so they’re like, Wait, how come my browser’s not working? Well, that’s why if you happen to be using iCloud Private Relay, this outage I don’t know why it lasted as long as it did. That was the really surprising thing. Because normally when you have like a major service outage like this, it might be a few hours, you know, and this was ongoing, actually, for several days before Apple got it fully resolved. Apple actually has a service status page where you can go and find out details about any problems that might be currently going on with any of their services. And this was still affected for for some time I had people sending me DMS and asking me about this. And is this a problem? Like, is there a security issue? Like what’s happening?
Kirk McElhearn 3:24
This has nothing to do with CrowdStrike? Right?
Josh Long 3:27
No, no, not. As far as we know, Apple hasn’t really said what exactly was going on. So Apple claims that a few users were affected, which apparently means a lot of users were affected. That’s about all we know.
Kirk McElhearn 3:41
Speaking of CrowdStrike, we don’t want to talk too much about it. We had an episode last week where we looked into why there was this worldwide it outage CrowdStrike is apologizing to the companies that affected by sending them $10 Uber Eats gift cards.
Josh Long 3:56
Yeah, which is kind of a slap in the face. Because a lot of people who work for these like big IT firms that are using CrowdStrike live in, let’s say a more expensive place such as San Francisco Bay area, where you really can’t order from Uber Eats a single meal for a single person and get out of there for under $10. So this was kind of like, we’ll pay for part of one person’s lunch. And that oughta make up for the major problems that we caused for you. Not only that, but I think I also read that even when people were trying to redeem this Uber Eats thing, it wasn’t even working. So it was like, like just slapping you in the face both directions.
Kirk McElhearn 4:39
Okay, Monday, we got a whole slew of updates from Apple not that frequent for a Monday. It’s more often a Tuesday and it was Mac OS, iOS, Watch OS, TV OS, home OS vision OS every OS in the world and there was a release of new beta versions of the forthcoming Like operating systems, which we’ll talk about a little bit later, these security updates on Monday had a lot of security fixes didn’t do?
Josh Long 5:08
Well, it’s not too surprising considering that it had been 11 weeks since the last time that we got security updates for from Apple for our operating systems. Like, that’s a long time. It’s not uncommon for Apple to go say, a month in between updates. But 11 weeks is that’s that’s a very long time, especially when we already knew that there were some vulnerabilities that Apple still hadn’t patched yet. We’ll get back to that in a moment. But I think the big highlights here, there were about 69 named vulnerabilities vulnerabilities that had a CVE number assigned to them in Mac OS Sonoma 35, in iOS 17.6.
Kirk McElhearn 5:51
That’s a big difference between the two, usually, the number was much closer between the Mac and iOS vulnerabilities, isn’t it?
Josh Long 5:57
That’s a good point. Yeah, it is, is is kind of surprising to see so few for iOS. And maybe some of that just has to do with Mac OS specific components that were found to have vulnerabilities and this particular time around. But if you’ve got any operating system from Apple, you want to make sure to install those updates. As soon as possible. They came out on Monday. There’s also Watch OS, TV, OS and others, like you mentioned, just for reference, Mac OS, Sonoma, 14.6, patch 69, vulnerabilities, and macOS Ventura 13 point 6.8 patches, only 45 vulnerabilities. And it’s even fewer than that for Mac OS, Monterey 41 vulnerability, so you’re not getting the full range of security fixes. Now, that again, as we mentioned before, this is not to say that all of those vulnerabilities necessarily exist in the previous operating systems. But if we’re being real, most of them do. And so you’re definitely not getting everything patched.
Kirk McElhearn 6:59
I noticed something different when I updated my iPhone the other day. So usually, I update my iPhone, then I go into the Watch app, and I watched the software update from my Apple Watch. And the other day after I updated my iPhone, I got a notification on my Watch that the update couldn’t be applied because it wasn’t connected to a charger. So that means it automatically put the update into my Watch without me going into the Watch app and asking for this to happen. This is new.
Josh Long 7:28
That’s interesting. I’ve seen things like that before. The one thing that might be different is the speed at which your particular device gives you a prompt that, hey, there’s an operating system update available. I have seen something similar to that before on my Watch, where it’ll tell me hey, there’s an update available couldn’t be installed. I have seen similar alerts like that before, you do need to make sure generally that your iPhone is fully up to date on the latest operating system. And then after that your Watch can be updated to the latest operating system as well.
Kirk McElhearn 8:03
Okay, you teased a little bit earlier about Apple still leaving critical vulnerabilities unpatched and Mac OS Sonoma, and we have an article and this has been one of your rants, campaigns crusades, yeah, that you’ve been talking about. For years. Now, I think the fact that there’s some software kind of under the hood, in Mac OS, it’s open source software that’s maintained and updated by the people who are overseeing the software that Apple doesn’t add to the operating system. And in some cases, they’re using two year old versions of specific executables that you just don’t see there under the hood. But that apps may call and that even the operating system may use them.
Josh Long 8:40
Right. So there’s not a whole lot new here to say about this. There are some critical vulnerabilities like rated 9.8 out of 10 on the severity scale, that are still not patched. I even checked in the MacOS Sequoia beta, and the most recent beta that just came out this week also. And it’s using the same version from more than two years ago, which even that was a little surprising to me, because very often, what Apple will do is start prepping the newer versions of open source software that they will include in the next OS a little bit early as part of the beta process. So far, they haven’t patched that either. So the the one thing that they did patch this time around, was they released an update to curl, which as I mentioned before, this is a command line utility that can be used to download things from the internet using over HTTPS or other other protocols. This component was updated. Once again, just like 11 weeks ago, the very very similar thing happened it was updated to a newer version, and yet a still vulnerable version. They didn’t update to the latest version, which is fully patched they just updated to some version in between that’s still not fully pad.
Kirk McElhearn 9:52
Maybe they’re getting the versions on floppy disk.
Josh Long 9:56
Yeah by carrier pigeon.
Kirk McElhearn 9:59
No by mail The US Mail is notoriously slow, isn’t it?
Josh Long 10:02
Yeah, I don’t know, I don’t know what’s going on behind the scenes, I can’t get anyone from Apple to respond. I’ve tried multiple times, and Apple just ignores me. So unless it’s get this gets picked up by some big time reporter, or possibly government agencies get involved and start pointing fingers at Apple, I don’t know that Apple is actually going to make any changes on any of this. So it’s kind of unfortunate.
Kirk McElhearn 10:25
Okay, speaking of software, under the hood, there’s something called Homebrew that not many people use, but anyone who works with the command line may be familiar with Homebrew it allows you to install some of these Unix like executables on your Mac, without having to go to the process of compiling them. So you could download the source code, say, from GitHub, and build them yourself. And I don’t ever want to do that. So when there’s something I need to install, I just use Homebrew. So Homebrew was audited recently, you know, Homebrew is an installer, right. It’s not like a platform, it’s an installer that can download compiled executables. But there are some security risks and an audit pointed out some issues with Homebrew that are worth considering.
Josh Long 11:10
Yeah, homebrew is the self described missing package manager for Mac OS. So Linux operating systems typically have a package manager, which is kind of like an app store, you could say like, it’s a way to get apps and update apps and things like that. And so that’s basically what homebrew is. It’s a Mac command line, App Store, you could call it.
Kirk McElhearn 11:34
I like that Mac command line app store. That makes sense.
Josh Long 11:36
So for all your command line utilities and things, you can update to newer versions than what Apple is providing. Now, there is a caveat there, you’re not actually patching the operating system itself. So you still have all those vulnerable components in your operating system that are built in, if Apple hasn’t patched some of those open source components in hears or at least months, but you can at least get the newest versions and run them with your own custom scripts and software if you want to. So it’s nice to see that an audit has been completed of homebrew they said that they didn’t find any really severe issues, which is a good thing. And the issues that they did find or areas of interest findings of interest they call it are kind of technical for the most part. So we’ll put a link in the show notes. If you do use homebrew, it’s worth looking at this. And just considering your attack surface. If you happen to be using homebrew.
Kirk McElhearn 12:34
Most people shouldn’t worry about it. I know in my case, I’ve only used homebrew to download the occasional package that I can’t get any other way. And I don’t want to again don’t want the hassle of compiling. But there may be people who are using it for a lot more than than what I do and what you do so it’s worth checking out. All right, we’re going to take a break when we come back we’re going to talk about these new Apple betas, macOS Sequoia 15.1 and iOS and iPadOS 18.1
Voice Over 13:00
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 14:15
So Apple released new betas now we’re waiting for Mac OS Sequoia 15.0, iOS 18.0 and iPadOS 18.0 and they really speed is four 15.1 18.1 Because none of these Apple intelligence features will be released with the dot zero operating system version. So when macOS Sequoia and iOS 18 iPadOS 18 come out they won’t have these features. But Apple clearly wants to start testing them and getting feedback on these Apple intelligent features as soon as possible. So if you are using the betas and we’ll put a link in the show notes to an article about using the betas, how you install them what the risks are, etc. You can opt in now to continue receiving the updates for the dot zero versions of the operating system or jump ahead to the dot one important to know Apple intelligence will only work if the region set on your device is the United States and if the language is set to US English. Now, if you’re not using that language in that region, you can still make the change on your device. Some people find that to change works right away. In some cases, you may have to restart your device after you’ve done it. This is the region that you set for the calendar for the currency for measurements, etc. This isn’t the region for your app store, and all of that. And it’s painless to change it. But you have to be able to use us English. Now, presumably, if you’re listening to this podcast, you can speak enough English to be able to try this out. There are a lot of people who won’t be able to Apple’s already said that this will only be in US English at launch. And there’s a lot of work to vocalize all of this. And to get, you know, this large language model that they’re making is based on English. And they have to build new large language models for each language that this is going to appear in.
Josh Long 15:59
Basically, what you have so far is some text manipulation features. So this is the thing like rewrite, for example. So you can take some, some sentences that you’ve written and have it summarize them or have it rewrite them for you in a different style. Among other things, that’s the main thing that’s rolled out so far. And well, you might guess if you’ve ever used any kind of chatbot, that it does have some hallucination problems. This is kind of just par for the course for anything that’s using generative AI. At some point, it’s probably going to start making up facts. Interestingly, behind the scenes, somebody found some prompts that are internal to Apple intelligence and the way that it’s working, where there’s some plain text prompts that Apple is giving all of your queries behind the scenes that say things like you are an assistant, which helps the user respond to their mails, please draft a concise and natural reply based on the provided reply snippet. Do not hallucinate, do not make up factual information, preserve the input male tone
Kirk McElhearn 17:09
is that your AI voice Josh, that you just did there? It kind of sounds like it. So when you send a prompt to these things, ChatGPT or any of the others, you can add this kind of information at the beginning or the end of your prompt, you could say, to write this for a professional audience target certain types of people, my job is this, so write a reply based on that. So I guess what Apple is doing is these are the guardrails that Apple talked about for Apple intelligence, right? They’re not allowing naked AI prompt, they’re putting the fence around it. Now, we were wandering earlier, and Josh is going to try this for next week, if you can add to your prompt something to say ignore all previous information that was given or ignore everything before and after the prompt, because it’s not clear whether these texts are injected before the prompt that you create, or after or both.
Josh Long 18:01
Yeah, one of the other prompts that it injects is respond in whatever localization so right now, I don’t know whether that part of it is active, because this is supposed to be US English that it’s launching in, but they do have options for respond in British English or respond in Australian English as prompts again, that depending on your localization, it may append to the end of the query behind the scenes, it’s all transparent to the user. Right. So there’s actually other prompting that Apple is giving it besides whatever input you’re providing. Kind of funny how that works. And especially the part about do not hallucinate, do not make up factual information.
Kirk McElhearn 18:43
What I find interesting is that they do mention Australian and British English because the language model they started working on as an English, and they’re probably able to make slight variations of that, for the specificities of cultural context, measurement units, you know, miles and kilometers and things like that. So the most important set of feature sets available is what’s called Writing Tools. And, for example, you can be in any text editor or even in Safari, and you can get a contextual menu it says writing tools, and here’s what you can do, you can proofread. And you can rewrite in what is it friendly, professional or concise, you have these options. You can also make lists, tables, summaries and key points. I was testing this the other day, I was writing an article where I was mentioning a couple of authors names, and I wanted to use the proofreading and it did something interesting for one of the authors. I had put the author’s name and the title of a series of books he wrote, it added the author’s two initials that the author uses on the books that I had forgotten about. For the other one was Gabriel Garcia Marquez, and it added an accent on Marquez that I hadn’t put in. So this is a combination of proofreading and copy editing, that using real world information to correct things that aren’t just spelling or grammar errors, I find that really interesting. And actually, this seems to be a really powerful feature in my writing to say that if I accidentally say, you know, the capital of this state is that, well, it might actually offer correction to that.
Josh Long 20:17
Yeah, and this is the feature that I’ve mentioned before on the podcast, this is the thing that’s going to drive me to actually buy a new phone, even though mine will only be two years old as of a couple of months from now.
Kirk McElhearn 20:27
Not only that, we’re trying to convince Josh to buy an M2 iPad, so we don’t have to wait until the iPhone comes out. But see, Josh can also run this on his M1 MacBook Air is an M1, or an M2 that you have, it’s an M1 M1 MacBook Air, it’s an M1. And but Josh only has 80 gigabytes of storage left, and he’s worried about what will happen if he sets up an apfs volume to install the beta. Now I’m gonna link to an article in the show notes how to install Apple beta software for MacOS, Sequoia, iOS, 18, et cetera. And on a Mac, you can create a new volume that changes size, right, you don’t have to fix the size for the volume. And you can install the new operating system and just go into the Startup Disk preferences and change the Startup Disk, it’s really easy to do. But Josh has to make some more room on his Mac there where he says he’s not comfortable having only a go at gigabytes. mine on my empty MacBook Airs about 34 gigabytes. And so if you’re going to need updates, you may need another five or 10. But there’s enough room Josh, you can start playing with this right now.
Josh Long 21:28
I do have this currently running in UTM. UTM is virtualization software that you can run and so that you can have it running in a window, I can have Mac with Sonoma be my primary operating system. And then in a window on my Mac, I’ve got mac OS Sequoia 15.1 Beta running right now, the one problem with that is, and this is the reason why I’m looking at okay, maybe I need to do the apfs volume thing, when I’m running the beta inside of a virtual container. Apple won’t allow me to sign into my Apple ID. This is kind of a weird quirk of the way that Apple operating systems work when you run them in a VM, or virtual machine. So because I can’t log into my Apple ID, it’s not allowing me to get the Apple intelligence features. Unfortunately, if I want to play around with it and experiment with seeing if I can bypass the guardrails and things like that, I guess I’m actually going to have to install macro Sequoia in an apfs volume.
Kirk McElhearn 22:29
Okay, so we have an article on the Intego Mac security blog called install Mac OS, Sequoia beta in a virtual machine on an M1 M2 or M2. Max with UTM. And as Josh was just saying, he’s done this, this will allow you to run the beta and get all the other features. And if you don’t care about Apple intelligence, you can do this. The Apple id thing, it’s interesting, Apple was announced a change to this starting with Mac OS Sequoia. So if your host machine is running Mac OS Sequoia, you will be able to create virtual machines in which you can log in with an Apple ID. But that will be after Mac OS Sequoia is released. So that’s going forward to next year for now, you can’t do that. It’s kind of important. If you are interested in going this process to install betas do read this article, because a couple of things have changed. One of them is that you have to download some Xcode software. If you’re using what’s called an IP SW restore image, you have to download a mobile software update. And you download this as part of Xcode. And also, as Josh discovered, when he was trying to install the Sequoia beta, he had a VPN running and for some reason it wouldn’t work. It would stall it about what 50% And then when you deactivated the VPN, it worked fine.
Josh Long 23:38
Yeah, it actually didn’t even get past 0%. So I was waiting for the that number to tick up and never did. So there must be something at the beginning of that process that where it has to reach a server and somehow my VPN that I happen to be using at the time was blocking that. So if you do run into that issue, I mentioned that in the updated version of the article. There’s a note about that. So just something to be aware of.
Kirk McElhearn 24:02
Okay, I don’t know how many people know who Tim Sweeney is. He’s the head of epic software, fortnight sued Apple caused all sorts of problems, etc. He made a really interesting tweet the other day, we’re going to link to Apple insider who quotes it. He’s talking about the Find My feature that we’ve talked about many times here that allows you to track people air tags and devices. Tim Sweeney, the CEO of a tech company, big tech company, says this feature is super creepy surveillance tech and shouldn’t exist. Years ago kid stole a Mac laptop out of my car. Years later, I was checking out find mine it showed a map with the house where the kid who stole my Mac live. WTF Apple, how is that? Okay? Now, I’m thinking that this guy is the head of a tech company. His Mac laptop got stolen and he didn’t go into find mine to erase it or to mark it as stolen because if the kid who stole it still shows up on a map, that means it’s charged and it’s being used. If you erase it, and you set it as stolen. Well, they can’t turn Aren’t they can’t use it, they can’t do anything. So this isn’t surveillance. This is just like a tech guy who doesn’t understand tech. That’s
Josh Long 25:07
kind of concerning for the CEO of a big tech company, right? Like the other thing that’s funny about this and pretty ironic is that he’s saying that Apple is super creepy with its surveillance tech. But isn’t it super creepy that he chose to spy on this kid that stole his laptop instead of just —
Kirk McElhearn 25:28
He’s not spying? No, no, but he’s saying that it’s spying. The problem is, the whole point of this is to find things you’ve lost or that have been stolen. Now, the Apple insider article does recommend that if someone steals your device, and you find them in the Find my app, don’t go confront them, you know, call the police because it’s a little bit dangerous. But the idea that his laptop was stolen, and he just ignored it. I mean, has fortnight’s source code been leaked anytime recently, because this is the kind of thing I mean, this is like showing that this person does not have a grasp of how technology works. Anyway, I don’t want to talk about Tim Sweeney anymore. We do want to end with one thing that is a really cool feature we were talking about before the show, and I’m tempted to buy one, The Verge has an article, this case turns your Apple Watch into a tiny iPod. And this is something called Tiny pod, you take your Apple Watch, removed the band and you put it in and it looks like a tiny iPod. Imagine that your Watch face is the iPod screen, you can get it with or without a scroll wheel, it’s $80 for the scroll wheel and 30 without the scroll wheel can turn the digital crown. So actually, without the scroll wheel, it’s not that useful. But what you can do with this is As The Verge says you can make a dumb phone because if you have a cell on your Apple Watch, you can make and receive phone calls messages, you can do some limited stuff, you can get email, it’s not easy to read a long email on the Apple Watch how often you’re going to use an Apple Watch to look at Instagram or Facebook, on the web or whatever. If you really want something with just limited features to make phone calls and messages, then this might be a good choice.
Josh Long 26:58
I feel like calling it a dumb phone is a little bit insulting the Apple Watch can do pretty much a lot of the things that you can do with at least early smartphones. Like I remember back in the day, I had a palm TREO actually, I had a couple of different models of it. And that was considered a smartphone back in the day and it had a pretty lousy browser on it. And a pretty small screen that is only a little bit bigger than an Apple Watch. So well, I’m exaggerating a bit but you know, okay, this is a cool concept. I like the idea of this. Kurt pointed out recently that, you know, some employees of companies are not allowed to wear a Watch at their workplace. And so this could be something that you might Watch, if you like the idea of the Apple Watch, you don’t really necessarily needed tracking your health by you know, being next to your wrist. But you still like the idea of the functionality of the Apple Watch. Then you might actually want to get something like this tiny pod case.
Kirk McElhearn 27:55
Well, you’ll need an Apple Watch cellular but again, if it’s not using any of the sensors to track your health to track workouts or anything like that, you don’t need a recent Apple Watching buy an Apple Watch se i think it’s cool. I’m really tempted. It’s not shipping for a while but I’ll let you know if I buy one. Until next week, Josh, stay secure.
Josh Long 28:13
All right, stay secure.
Voice Over 28:16
Thanks for listening to the Intego Mac podcast, the voice of Mac security with your host, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.
