Apple has updated all its operating systems again, the company introduced new M3 chips and upgraded MacBook Pros and iMacs, and we discuss how Apple’s product line is not to big, not too small, just about right.
If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
Voice Over 0:00
This is the Intego Mac podcast. Oh boy so Mac security for Thursday, November 2 2023.
This week’s Intego Mac podcast security headlines include a look at the security patches released in Apple’s latest round of operating system updates. Apple’s scary fast event was short and sweet and featured new hardware with faster processors. iLeakage is a new Safari exploit that could attack the Mac processors speculative execution capabilities. We explain the exploit and how it works. And we have some observations on the size of Apple’s product lines. Not too big, but not too small when compared to other tech companies lines. Now, here are the hosts of the Intego Mac podcast, veteran Mac journalist, Kirk McElhearn, and Intego’s. Chief Security Analyst, Josh Long.
Kirk McElhearn 0:57
Good morning, Josh, how are you today?
Josh Long 0:59
I’m doing well. How are you, Kirk?
Kirk McElhearn 1:01
I’m doing just fine. It’s a new month we’re recording this on November 1, we should welcome each month there’s only 12 in the year. We’re going to talk in a minute about Apple’s event early this week, which was unusual in several ways. But first, we want to talk about all of the security updates in Apple’s last updates. Now they released these updates was it last Wednesday, just after we recorded our podcast as they tend to do often now.
Josh Long 1:25
Right. While we were recording, they started rolling out some of these updates. They weren’t all out yet. Also, they did not give us the security details. Usually that kind of happens within couple of hours when the updates start rolling out. Then Apple will put the details of what was patched in their release notes on their website, we finally got all of those details. And now we can share with you what exactly was updated last week.
Kirk McElhearn 1:52
And there were dozens of vulnerabilities fixed. Is this one of the biggest security updates that Apple’s had in a long time?
Josh Long 1:59
Well, typically when you get a point oh release of an operating system, you get a lot of things patched in those versions. But there was quite a bit for being a point one release for macOS Sonoma, and also for iOS 17.1. Sonoma, in particular had 44 named CVE numbers. CVE is Common Vulnerabilities and Exposures. So these are unique numbers that are given to particular vulnerabilities to be able to identify them across multiple products that may have that same vulnerability. Apple patched 44 CVEs in macOS Sonoma 14.1. There’s also typically a list at the bottom of that patch release notes that lists a bunch of other things like other credited researchers also reported things related to these and we want to give them credit without giving them a CVE number. So there were more than 44, but at least there’s 44 that had a specific number assigned to them.
Kirk McElhearn 3:00
In addition, they released some updates for macOS Ventura and macOS Monterey.
Josh Long 3:05
That’s right, not quite as many, because they don’t patch everything for the previous operating systems. macOS Ventura—out of those 44, there were really only 15 vulnerabilities that they listed that were addressed. macOS Monterey, there were 11 numbered CVE is that they listed so you’re definitely not getting everything patched. People often ask when Apple’s releasing fewer patches for the older operating systems is that just because they introduced a bunch of new vulnerabilities and the point oh, release, and so they’re going and patching all those things? Well, no, it’s not nearly that many things that are being introduced that are super vulnerable, or new features that happened to be vulnerable. In this case, it’s pretty clear that some of these vulnerabilities exist on the older operating systems but just aren’t getting patched because of whatever reason Apple might have for not patching everything on older OSs.
Kirk McElhearn 4:03
And there were also updates to iOS and iPadOS, but not only to iOS 17, but also 16 and 15. So this is one of the rare, what will be called campaigns where Apple has not only patched the current operating system, but also the previous two operating systems.
Josh Long 4:19
What’s kind of interesting to me about this is that 17 discontinued support for certain hardware, so there’s some iPhones and iPads that cannot run iOS 17. It was the same thing with iOS 16 and iPadOS 16. And also with iOS and iPadOS 15. Each one of these new versions when they’ve come out, they’ve dropped certain hardware. And so maybe Apple is going to continue these three for a period of time possibly. Apple never really says, right. We have no idea how long 16 or 15 are going to continue to get patches, but at least they did this time around. Not as many of course we’ve got an iOS 17.1, we got 21 CVE is 16 got 17 CVE. And 15 just got one vulnerability patch, and it was a vulnerability that they had previously listed as having been patched in iOS 15.7.7. So like they rerelease for this patch. I don’t know if that means that the other patch didn’t like fully fix everything. Or if they like forgot that they mentioned that they already patched this thing. And they’re like, let’s rerelease that patch? It doesn’t make sense, right? This is the one vulnerability they list. So the only thing that makes sense to me is that maybe they didn’t fully patch it or something didn’t quite work the way they expected it to. And so they rerelease that patch.
Kirk McElhearn 5:48
Okay, so let’s talk about Apple’s Scary Fast event. A lot of things out of the ordinary. First of all, it was held at 5pm, California time. Thank you, Apple, I had to stay up until after midnight to watch this. Usually, it’s 10am, which is 6pm. over here in the UK. I know all of my European colleagues were angry about this. But then if you were in China, you could watch it at a normal time. It was the shortest Apple event, I think in history at just about 30 minutes. Now, if you remember, back before that disease came into our world in 2020, all these Apple events were live on a stage with audience and lots of people to cheer. And they went to these pre recorded Apple events, which I think is much better. The fact that they’re pre recorded means they’re a lot tighter, they feel more. I don’t want to say professional, because they’re all really good at presenting live on stage. But they feel more, they’re better paced, they go by a lot more quickly.
Josh Long 6:42
They’re very well polished. And also there’s no risk of any failures in any live demos.
Kirk McElhearn 6:48
That’s right, yes. Although there weren’t any live demos this time, because all they presented were the new M3 family of chips, and this time, so when the M1 came out, we saw the M1. And then later we saw the M1 Pro and the M1 Max and then waited the M1 Ultra similar with the M2. Now we have the first three M3 chips, M3, M3 pro and M3 max. And presumably there’ll be an M3, Ultra Pro max at some point in the future. But all it did was present these chips in a mind numbing presentation talking about trillions of transistors and nanometers and stuff like that. I wish you could fast forward that. And they presented new MacBook Pros. Then they went on to present a new iMac. So all we got was a couple of new Macs. And it took a half hour.
Josh Long 7:31
Yeah, this was disappointment for a lot of people. There was a lot of speculation about what exactly is going on with this five o’clock time. As you mentioned, it’s not convenient for anyone in Europe. But there was all these things people were speculating. Maybe it’s to appease China, maybe it’s because there’s some partnership with a Japanese company that rumors started to go around on social media. Maybe it’s a gaming company that they’re partnering with. That would be really cool. Like, what if Apple is getting some like exclusive new game or day one launch of some big title that’s coming on other platforms too. It was none of those things. It also wasn’t a Japanese car manufacturer that was partnering with Apple.
Kirk McElhearn 8:13
Or a Chinese car manufacturer.
Josh Long 8:15
So what was it it was just so that they could have Tim Cook say, “good evening”.
Kirk McElhearn 8:21
And it was filmed at night. So it was much darker in the film than it was at 5pm in California. So it was very clear it was a Halloween themed thing. My guess is they always do these on Tuesdays. And because of Halloween, they didn’t want to do it on a Tuesday. So they did it Monday and someone said, hey, what if we do it late at night and make it scary. And of course, the dark theme of the whole presentation comes across with the space black MacBook Pro that they released which is darker than Space Gray.
Josh Long 8:51
I think, by the way, you can only get space black. If you’re buying a model that starts at 1999 or higher price than that if you want to get the entry level just the M3 not pro, not max, then you can get space gray or silver. Those are your color options. And if you get a MacBook Pro with the M3 Pro or M3 Max, then you can get them in space black or silver.
Kirk McElhearn 9:19
I need to look back at the many different hues of Space Gray over the years with Apple laptops. I have an M2 MacBook Air which is Space Gray, which is very dark, much darker than the space gray of say, the 12 inch MacBook which came in silver and space gray. So that just changing the terminology because people a lot of people wanted a black MacBook. I think there was one plastic MacBook Pro back in the day that was black and since then it’s always been space gray or whatever anyway, it’s really not that important. Although I see people on social media. Oh, there you go. You gave me a space black laptop. Now I got to sell my laptop and buy a new one. Here’s the thing they even presented this showing the difference between the M1, the M2, and the M3. And there was generally like a 15% increase from M1 to M2 15%, from M2 to M3. Out of the 30 minutes, they spent about six or seven minutes showing people doing pro activities. And these could be music composition, video editing, scientific research and all that. You don’t need an M3 Pro or an M3 Max, unless you’re doing pro activities. For most of what you do, honestly, you don’t even need an M3 and M2. Even an M1 would be just fine. You know, I swore that when I got my M1 iMac, I was going to keep it for five years, and we’re more than two years in, and I still see no reason to upgrade to today’s M3 iMac, which let’s be fair, if you don’t have an Apple silicone iMac, it’s a great upgrade to go for the M3. But if you have an M one, it makes no sense to upgrade to the M3. And unless you’re doing processor intensive stuff, all the rest of the things you do will be more or less the same with the M1, the M2 the M3, not to say that this isn’t a huge leap over Intel Macs, which Apple did mention during the presentation, because presumably there were still a lot of people running Intel Macs who haven’t yet upgraded,
Josh Long 11:13
I did notice that there seemed to be a lot of emphasis on, you know, look how much better M3 is then M1, which you might still be on if you had one of the older iMacs or other older models, right or how much better this is, then in anything that you can get with Intel, whether it’s a Mac or not, the M3 is so superior to everything that Intel has ever put out. In terms of speed and efficiency. That was a really big point that Apple was trying to drive home. And I think a big part of that was if you haven’t upgraded your Mac in a while you need to get the new Macs because we’ve got the best stuff that we’ve ever put out. And of course they do. But I mean, you know.
Kirk McElhearn 11:57
It’s the fastest Mac’s ever and they say that every time it’s worth pointing out that there are some things that have changed. The GPUs have more cores, the iMac can go up to 24 gigabytes of unified memory, certain Mac Pro models, so this would be the M3 Macs gonna go up to 128. So that’s, you know, huge if you do need it for pro activities, but you probably don’t need it for pro activities, you’re probably not sequencing your genome at home or anything like that. I do want to mention something that has been talked about a bit on social media. Apple at the end of the presentation, there was a little mention in the credits that this was shot on an iPhone 15 Pro. Now I’m going to link to a press release on Apple’s newsroom site, which shows how it was shot. This wasn’t some guy walking around with an iPhone 15 Pro. This was with this massive gimbal and these huge lights and a dolly. It’s like imagine a normal cinema production with an iPhone instead of a cinema camera. It was all the rest of the stuff and they have a video and they have still photos showing this. It’s not like you can just do this with an iPhone and do this at home and get the same quality.
Josh Long 13:06
However, I would argue that it’s still really impressive that they shot this whole thing on the iPhone 15 Pro, right? Yes, they had other equipment as well. But it was still shot on an iPhone like it was a really amazing well done event. Like everything that they did. By the way they had this nice like fly through of the Apple campus. They actually mounted an iPhone on a drone that they flew through the campus. By the way during that fly through. You might have noticed a pirate flag on the Apple campus. There’s some significance to that. This was the same flag that Steve Jobs used to sort of rally the troops when they were developing the original Macintosh in 1983. will link to an article that Christina Warren wrote for Mashable back in 2016 when Apple flew this flag on their campus in commemoration of Apple’s 40th anniversary. So this apple pirate flag made a reappearance a nice little easter egg.
Kirk McElhearn 14:07
Yes, as Steve Jobs said it’s better to be a pirate than join the Navy. I would say that Apple is the exact opposite of a pirate. They are the most valuable company in the world. They are the Navy. Okay, let’s take a break. When we come back, we’re gonna talk about some interesting security news.
Voice Over 14:23
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X 9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X 9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the Special Discount Link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 15:39
So I made a list a couple weeks ago before the current Apple Event and I haven’t updated it and I’m sorry, but I was looking at how many products Apple sells how many different computing products and I’m ignoring the HomePod. I’ve left that out. They have six different Mac’s with a total of eight if you count different sizes, right laptops come in two sizes, they have four iPads with a total of six sizes, they have five iPhones with a total of eight sizes. Remember, iPhone 1515 Pro and when you go back, there’s a couple of different models. They have five different Apple Watches when you think about it, and they have for air pods and for TV and home products. And it seems to me that for such a big company, this isn’t a lot of products. And I remember years ago, people were comparing the Apple product line to Sony, for instance. And Sony has 8 million different things in every product family. And Apple is still maintaining a very, very tight product line. Which can seem like a lot if you click on I don’t know the Mac link on the Apple website and you see all the different types. You got the MacBook Air, the MacBook Pro, the iMac, the Mac mini, the Mac Studio, and the Mac Pro, so six different Macs, but it’s really not that much. And every time they update something, they’re not coming like Samsung with their phones that have 17 different phones, you know, that are very similar with slightly different model numbers. And they’ve still managed to keep whatever cool restrained product line that can fit in the Apple Stores, many of which are not very big.
Josh Long 17:15
This reminds me of a conversation last week that we were having about how Steve Jobs was all about simplifying the product lines. When he came back to Apple, he got rid of a lot of things and just simplified like why why do we need anything beyond just like the consumer desktop and pro desktop and the consumer laptop and pro laptop? Like do we really need like six products. For example, most people do not need a Mac Pro. You don’t really need a big giant box with space inside of it. For most people, the Mac Studio is perfect.
Kirk McElhearn 17:46
And the Mac Pro only has an M2 Ultra it doesn’t have an M3, right?
Josh Long 17:50
Well, the Mac Pro oh my gosh that we didn’t even talk about that! The Mac Pro doesn’t have an M3 processor. Now you can get a better processor in your iMac or MacBook Pro then you can get in your Mac Pro What the heck, like and obviously, you know, I’m exaggerating a little bit. Yeah, Apple’s gonna be adding those new newer processors into the Mac Pro and Mac Studio before too long and Mac mini, I’m sure. But for now there’s this weird sort of situation where you can get em three Macs in a MacBook Pro, which is a portable computer. But you can’t get em three Macs in these powerful pro desktops that Apple sells. Like that seems kind of crazy.
Kirk McElhearn 18:34
Yeah, when I look at the Apple Watch line, it’s really interesting because they have five different models, but there’s really only three. So the Apple Watch Series 9, the Apple Watch Ultra 2 and the Apple Watch SE the other two models of the Apple Watch Nike, which is just basically the same watch with a Nike band and an additional face, or the Apple Watch, I’ll miss which is like the Nike different band and a different face. But they’re all the Apple Watch Series Nine, there’s really only three of them. And it even looks like more than there is for something like that. And when you look at the iPhone, you’ve got this year’s model last year’s model the year before, actually for iPhone families SE, 13, 14, 15 Seems like a lot. But it’s really not when you look at some of the other consumer product lines, particularly in mobile phones and tablets and all that. Look at Amazon how many Fire tablets and devices they sell on Alexa devices. Anyway, it’s just reassuring that Apple is not overdoing with too many products and sometimes we look at this and think what can be hard to choose. But fortunately, it’s not that hard to choose. So we have a serious security issue. You wrote an article about this on the anticlimax security blog. It is called iLeakage. I like that I like iLeakage. Tell us about iLeakage.
Josh Long 19:46
You remember Specter and Meltdown? Do those ring a bell?
Kirk McElhearn 19:50
Sure these were things that were a processor vulnerabilities that couldn’t be fixed. Well, they think it’d be mitigated with software that slowed down the process or am I right?
Josh Long 19:59
Yeah, pretty much bunch that sums it up, I would say this whole thing, this class of attack is called a speculative execution attack. Speculative execution is a processor feature. And it’s most famously on Intel processors, but they do the same thing with ARM based processors like the M series chips that Apple produces speculative execution, basically, to simplify what it means, with any given task, there might be a couple of possible outcomes. And so it does both at the same time, because it doesn’t know which one you’re going to pick. But if it does both in advance, then it can be ready to go. As soon as that decision is made. And then one of those things will just get dropped and discarded. That’s the whole idea. And then it’s already done the thing that you do want to do.
Kirk McElhearn 20:48
So let me give you an example of that without looking at a processor. If you look in Safari settings, and you click the Search tab, you have an option to preload the Top hit in the background when you’re searching something. So if you do a Google search, or Bing search, or whatever, Safari will automatically preload that to make it quicker because most people click on the first link. And that’s kind of a speculative execution thing to make the process quicker. But it doesn’t cost anything, it doesn’t use up too much processor, because it’s waiting for you to read, right? It’s kind of like that, but but at a processor, it’s at a micro level, it’s happening all the time with every little transistor that flashes.
Josh Long 21:25
Right. And then the problem is that sometimes that path that’s supposed to be discarded, bad things can happen over on that side of things. And this is a new variation, you could call it of Spectre. And this is being called iLeakage. And this particular exploit only works against Safari, a team of researchers representing various universities got together and they developed this particular exploit. It’s specifically designed to work against Safari on Macs. And they do say that iPhones and iPads with a series processors are also vulnerable. So this is something that could theoretically be used against iPhones as well. So what can somebody do if they were to exploit this particular vulnerability, they could potentially recover passwords that were auto filled with your password manager, they could potentially view the contents of webpages. So an attacker could see a victim’s private Gmail messages, for example, we’re seeing what their YouTube watch history was, or any number of other things. So has this been used in the wild? Well, the researchers say they’re not aware of any real world attacks. But then again, how would these researchers know there’s no system logs? There’s no real obvious indicators if something like this has been used against you. So basically, the researchers just gave this information to Apple and said, Hey, this is a problem, you need to fix it. And did Apple fix it? Well, not exactly.
Kirk McElhearn 23:04
You mean, there wasn’t a fix for this in the recent security updates?
Josh Long 23:07
Well, no, not exactly. So what happened was way back in macOS Ventura, 13.0. So a year ago, Apple released a sort of a patch for this, but it’s not on by default, which is kind of a little bit concerning, like, you would think that they would just want to fix this across the board. But what Apple decided to do instead was to implement an optional feature, that if you run a command in the Terminal, and enable a debug menu, then you can select a particular menu item in Safari to disable this flaw. And that’s way overly complicated, like why make people go through all this trouble to fix a vulnerability.
Kirk McElhearn 23:55
So basically, they’re saying that if you’re savvy enough to know how to use the command line, you can get protected against this, but if not—too bad,
Josh Long 24:03
Kind of. The other thing that you could do, of course, is you could enable Lockdown Mode that does actually mitigate this particular attack. The other thing you could do is just avoid using Safari altogether, you know, if you want to use Firefox, or Chrome or any other Chromium based browser, those are not vulnerable to this particular attack. So I don’t think that’s what Apple would like you to do to just stop using Safari. But if you’re concerned, I would say if you’re a Safari user, and you’re concerned that somebody might use this particular attack against you, it’s not terribly likely, but you could go ahead and follow the steps that we’ve listed in the blog article to disable this particular feature. And then you’re protected from this particular exploit.
Kirk McElhearn 24:48
But will this slow down your back if you enable this feature?
Josh Long 24:52
No. Okay. So this is not one of those things where a lot of these speculative execution mitigations See, if they’re done at a certain level, you know, it’s system wide, it’s like it’s it could potentially slow down your computer, especially on some of the early, especially some of the early spectrum meltdown mitigations, back in 2018, when these things first came out, and everyone was really, really concerned about these things. Now, this particular thing, because this is an exploit against safari in particular, you’re not going to notice any difference at all. If you tweak this one setting in Safari, there’s not going to be any discernible difference in the speed. So it will not slow down your Mac, if you enable this mitigation.
Kirk McElhearn 25:42
Okay, we talk a lot about data breaches, and particularly the kind of breaches which involve combinations of usernames and passwords. And this is only a problem of course, if you reuse your password, and so apparently, a lot of people well, this thing 25 plus people have been reusing their pet’s name as the password for multiple things, including their cryptocurrency wallets. And some researchers estimate $4.4 million in cryptocurrency was stolen on October 25, using private keys and passphrases stored in stolen LastPass databases. LastPass is a password manager that had a serious breach in 2022. Is that correct?
Josh Long 26:19
That’s right, it was 2022. It happened around earlier mid August, I think, when LastPass was originally hacked. And so over time, over the next few months, LastPass started to say a little bit more about what actually happened. And eventually we came to learn that a lot of LastPass databases were compromised, a lot of us so user databases that actually stored passwords were leaked and made available in the wild. Some of those vaults did not use very good passwords to protect all of the other passwords. And some of them also had some outdated technology that they were using to sort of protect all the data inside those vaults. And so long story short, there’s LastPass vaults that are out there in the wild. And many of these at this point have been breached. So attackers have gotten into these vaults, and now know all the passwords that these particular people who had a vulnerable vault had used across the web. One of the things that bad guys have been looking for is cryptocurrency wallets. So they want to see if there’s any information in these LastPass vaults that are vulnerable, that could give them access to somebody’s cryptocurrency wallet, so then they can clean out the wallet steal all their cryptocurrency, apparently, according to this latest report, $4.4 million in cryptocurrency was just stolen from these based on information from these LastPass databases just last week on October 25.
Kirk McElhearn 28:00
Okay, it’s worth reminding you that if you use your pet’s name as a password, you should change your pet’s name every six months to be safe.
Josh Long 28:07
In all seriousness, make sure that you’re using a really good strong password for your password vault. At this point, we can’t recommend using LastPass anymore. So use another trusted Password Manager. You could even use apples. Apple has its own password manager that’s built into macOS and iOS and it does a great job. It’s pretty decent. And they also just implemented a new feature in iOS 17 and macOS Sonoma. You can now even share passwords with other family members and things like that. So they’ve got password sharing. Now that’s that was kind of a premium feature of a lot of password managers for a long time.
Kirk McElhearn 28:47
Okay, we’re November 1 and November means Black Friday, and I’m sure we’ll talk about shopping on Black Friday in the coming weeks. Am I mistaken? Or is this the first year with Black Friday sales have started on November 1, because even the UK I’m seeing a lot of retailers already starting Black Friday sales. It’s ridiculous.
Josh Long 29:04
And this is something that happens every year. There’s there’s sort of creep.
Kirk McElhearn 29:09
But on the first of the month. I don’t remember it happening that early. This seems to be the first it’s like just yesterday it was Halloween, right? And then all of a sudden boom. Here’s Black Friday sales.
Josh Long 29:19
A couple of weeks ago I was at a hardware store. It was like weeks before Halloween and there was already Christmas stuff in the hardware store right? They’re already selling trees and ornaments and this is getting ridiculous. And now we’ve got the Black Friday creep as well. It’s inevitable, right? Pretty soon we’re going to have Black Friday deals starting October 1 in a couple of years I’m sure.
Kirk McElhearn 29:43
Okay, at some point in the next couple of weeks we’ll reiterate some of our safe shopping tips for Black Friday. So you don’t get scammed and so you do so in total security. Until next week, Josh, stay secure.
Josh Long 29:54
All right, stay secure.
Voice Over 29:57
Thanks for listening to the Intego Mac podcast, the voice of Mac security with your host, Kirk McElhearn, and Josh Long. To get every weekly episode, be sure to follow us on Apple podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like or review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.