
Defense in Depth – Intego Mac Podcast, Episode 387

Apple’s latest OS updates patch a serious vulnerability, one that was already supposed to be patched. The tide may be turning in how governments view backdoor access to encrypted data. And Apple has announced it’s delaying new personalized Siri features by another year. We have views.


If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.

Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.


Transcript of Intego Mac Podcast 387

Voice Over 0:00
This is the Intego Mac podcast—the voice of Mac security—for Thursday, March 13, 2025. This week’s Intego Mac Podcast security headlines include: Apple’s latest OS updates patch a serious vulnerability, one that was already supposed to be patched. The tide may be turning in how governments view so-called backdoor access to encrypted data. And Apple has announced it’s delaying new personalized Siri features by another year. We have views. Now here are the hosts of the Intego Mac podcast. Veteran Mac journalist Kirk McElhearn and Intego’s chief security analyst, Josh Long.

Kirk McElhearn 0:46
Good morning, Josh. How are you today?

Josh Long 0:48
I’m doing well. How are you, Kirk?

Apple’s Latest OS Updates and Vulnerabilities

Kirk McElhearn 0:50
I’m doing fine. So it’s Groundhog Day again. In other words, we have another Apple update, but this one’s kind of interesting, because not only are Apple operating systems patched for a serious vulnerability used in sophisticated attacks, as Apple says, but also Google has patched Chrome. And I was interrogating you before we started to try and figure out why a web based vulnerability on Apple devices could affect the Chrome browser, which doesn’t use WebKit, which is what Apple devices use. Tell me about this new zero day vulnerability.

Josh Long 1:26
All right, so here’s what Apple says about this update. They say that this is a WebKit vulnerability. They say the impact is that maliciously crafted web content may be able to break out of the web content sandbox, and they say this is a supplementary fix for an attack that was blocked in iOS 17.2.

Kirk McElhearn 1:47
Wait, what? iOS 17.2?

Josh Long 1:51
Yeah, I know. 17.2 came out in December 2023. December 11, 2023. (So 15 months ago?) Yes. And Apple goes on to say that Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.

Kirk McElhearn 2:13
Extremely sophisticated. I believe last time it was just sophisticated.

Josh Long 2:18
In any case, what I think is happening here. Notably, I think back in late January, in the point three releases, so this was like iOS 18.3, macOS Sequoia 15.3, one of the vulnerabilities that they fixed in that round of updates was also something that they said was exploited before iOS 17.2. So it’s kind of funny. It makes me think that some Apple researchers are looking, they’re going back and looking at past, perhaps Pegasus, or some similar sort of, you know, chain of exploits from some particular threat actor, right? They’re probably going back and looking at how these things were accomplished, and figuring out maybe similar methods, and trying to block other ways of somebody being able to exploit similar vulnerabilities. So the way that Apple put this, this is a supplementary fix for an attack that was already being blocked in 17.2, so that makes me think that Apple’s doing something to make it more hardened, right, to harden its operating systems more against similar types of attacks.

Kirk McElhearn 3:36
So to me, it sounds like there’s a vulnerability, and that there’s a layer above the vulnerability, which is the patch, but someone found a way around the patch, and they’re coming in from the side to get to the same vulnerability that’s not fixed, but rather mitigated, right? Which kind of suggests it’s a hardware vulnerability, in other words, something that there is a vulnerability in the hardware that can only be patched by a level of software above it.

Josh Long 4:05
Well, I’m not sure that it’s necessarily a hardware vulnerability, although there is an interesting detail related to hardware in Google’s notes. So this is very unusual, that Apple will patch something and Google patches it at basically the same time. Google technically released its patch for the Chrome browser on Monday, and then Apple released its patches for all of its operating systems on Tuesday. It’s the same CVE number, so this is a uniquely identifiable number that Apple assigned to this vulnerability, and Google patched the same vulnerability for Chrome, and therefore Chromium, so all other Chrome-based browsers have to be updated as well. And what they say is a little different. They say this was an out of bounds write issue in the GPU, or graphics processing unit, on Mac, is how they put it. And they say this was reported by Apple Security Engineering and Architecture, or SEAR, on March 5, 2025.

Kirk McElhearn 5:08
Okay, so Apple operating systems use WebKit. Google’s Chrome browser uses Chromium. They’re totally different. So it’s not in the actual browser here. And also Google updated Chrome for Mac, Windows and Linux, right?

Josh Long 5:24
Well, that’s another thing that’s a little bit unclear to me, exactly what got patched here for what operating systems, because Google says in its release notes, out of bounds write in GPU on Mac, implying that this particular vulnerability only really impacts Macs. But then I noticed that in Vivaldi’s release notes for their version of this patch, they don’t specify that it’s Mac specific. So it’s not really clear whether this vulnerability may impact other platforms besides, you know, Apple hardware. It’s all a little bit murky, and we don’t really have a lot of details. There’s no sort of third party database that has more information on this. So without somebody reverse engineering these patches and seeing exactly what really is going on here, it’s not really clear at this point.

Kirk McElhearn 6:18
Okay, so Apple is patching something they patched, or patching something around to fix something that they already patched. And there have been maybe one or two other cases where they’ve done this. Why would they be, you said, hardening earlier. But why would they be doing this sort of thing, to patch on top of a patch or next to a patch?

Josh Long 6:39
Yeah, I think maybe what Apple is trying to do here is to kind of have a more defense in depth strategy. So the idea is that they want to put layers of security in place. So they’ve already patched it in a certain way, now that they’ve gone back and, like, reassessed how they patched it before, they found maybe another layer on top of that, that is even better, or they found an alternative way to fix this flaw. They did assign it a different CVE number. So that almost implies that they found a different way to exploit that type of vulnerability, or something like that. But you could call this maybe a sort of defense in depth thing. So it was technically patched in 17.2, but now they’re just making sure that similar vulnerabilities are going to be harder to exploit on Apple platforms in the future.

Kirk McElhearn 7:33
So defense in depth, that’s an interesting concept. That’s like putting three locks on your front door or wearing a belt and suspenders.

Josh Long 7:40
Yeah. It’s kind of like that. And sometimes when that term is used, they’re talking about a multi-layered approach, so that if one particular security measure fails, there’s another in place to prevent or mitigate an attack. So that’s the idea, is having sort of multiple safeguards in place.

The Paradox of Encryption Backdoors and Privacy Comes to Light

Kirk McElhearn 7:57
Okay, so we want to talk about encryption. We talked a few weeks ago about how Apple let us know subtly that the UK was demanding a back door into iCloud encryption. The UK government wanted to access people’s encrypted iCloud data if they have Advanced Data Protection turned on. Apple, instead of complying with this, turned off, or rather is no longer offering, Advanced Data Protection in the UK. For people who have it turned on, we don’t know yet what’s going to happen when it gets turned off. Apple is challenging the legality of this, according to some press reports. And at the same time, a bill in France that was requiring an encryption back door in messaging apps has been defeated, or at least that part of the bill has been defeated. And we’ll link to an article in TechRadar, and it’s kind of interesting because it mentions that the French government recommends a certain messaging app for members of government because of the encryption, and it’s safe. And yet, there was this bill that they wanted to remove encryption from messaging apps, or at least have a back door, which could allow foreign actors to get access to their messages. And when you look at the French thing, you kind of realize that, you know, the two aren’t compatible. You can’t have the security of people, whether they’re in government or police or whoever, and have this encryption back door.

Josh Long 9:14
The Swedish government wants to implement something similar, where they basically break all encryption, or back door all encryption, so they can decrypt anything they want to. Well, I’m not exactly sure how that would work, but that’s the idea behind it. And the Swedish Armed Forces wrote to the Swedish government, the legislators, and said that this legislation couldn’t be realized without introducing vulnerabilities and back doors that may be used by third parties. Basically, they’re saying, look, you can’t really do this. Like, if you weaken encryption, that weakens it for everybody, including for us. Like, we use encryption in the armed forces, like we need encryption to make sure that other people can’t intercept our messages and decrypt them. So, like, you can’t really have it both ways.

Kirk McElhearn 10:01
What’s interesting is this seems to be a trend that governments are thinking about this, but it’s also a trend that a lot of the lawmakers are realizing the paradox of trying to weaken encryption and the fact that it makes it weaker for all of us. I mean, if encryption is weakened, I’ll link to an article from a year or two ago when we talked about how encryption is used everywhere, from your banking apps to accessing websites using HTTPS, all the encryption used in everything we do.

Josh Long 10:35
This reminds me, not too long ago, we talked about Salt Typhoon. Remember, this was a group that had evidently already infiltrated, like, all the telecommunications, all the major telecommunications networks in the United States, and so the FBI was warning Americans, you better start using Signal to, like, have encrypted messaging, because we can’t guarantee that your text messages aren’t being intercepted by foreign adversaries. So it’s really interesting to see how, like, you know, the same governments that are concerned about encryption being a thing that’s in place are also sometimes, in other cases, telling people that they need to be using encryption. It’s just sort of like the left hand doesn’t know what the right hand is doing. It’s the kind of thing where nobody can seem to come to an agreement. Or there’s different people within governments that have completely polar opposite opinions on things like this.

Kirk McElhearn 11:32
I think the problem is that most people don’t understand what this means. And you know, legislators, lawmakers, they’re not necessarily very tech savvy. I mean, you see some of them. Sometimes you see some video of these people tapping on their phones like, you know, three year olds. They don’t really know how to use them. So they don’t understand the tech. Now, they should be getting advice from people who do understand the tech, both inside government, outside government, and actually, in the French case, it was businesses who gave this information to the people voting on the bill. I find the UK’s position on this particularly disturbing, because this has been discussed for years. There have been rumblings about this, you know, in previous governments, and we’re still back at the same place. It’s interesting that Apple is challenging the legality of the UK’s demand, even though I don’t think Apple has actually said this. It’ll be interesting to see if this actually goes to court and we can get some sort of a legal decision saying that we have the right to encryption to protect our data. Okay, very quickly, before the break, there has been a class action suit against Apple for the paltry five gigabytes of iCloud storage that they have been giving for 14 years, I think. No matter how many devices you have, you only get five gigabytes. And you had five gigabytes back when an iPhone had eight gigabytes of storage. And now that you can get an iPhone with a terabyte of storage, you still get the five gigabytes. This lawsuit was thrown out, so we have an article on AppleInsider that says, don’t expect cheaper iCloud storage. I kind of think Apple is eventually going to have to increase this, and it’s going to be like, you know, we’re doing this because we like you and that sort of thing. They’re going to come out and find a way to not look like the Scrooges that they are.

Josh Long 13:16
Well, the fact that there was a class action lawsuit against Apple in the first place means that there are a lot of people who are really upset with Apple about this, right? Like, the least that Apple can do is throw us a bone, give us a little bit more, like, basic storage, right? I mean, like, this is not really all that complicated. It’s not that difficult to do. And realistically, most people aren’t going to be using that much extra storage, right? Like it’s literally just giving users what they’re asking for. And it doesn’t really cost Apple all that much. It wouldn’t cost them that much to do that.

Kirk McElhearn 13:53
Okay, we’re gonna take a break. When we come back, we are going to talk about some malware, some scams, and some Apple not very intelligence.

Voice Over 14:03
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

A new version of XCSSET and Microsoft’s recent blog post about it

Kirk McElhearn 15:14
This week’s malware is a new version of XCSSET, X-C-S-S-E-T. How do you pronounce that?

Josh Long 15:21
I’ve always pronounced it X-C-S-set. I’m not sure how you’re supposed to pronounce it, “excess it”. Interestingly, Microsoft actually said, about three weeks ago, they put up a really extremely long post about this on X, about this new version of XCSSET that they found, and they gave no details that would allow any of their competitors in the sort of antivirus space to be able to identify, you know, specific samples and ensure that they were protecting their customers, which was really odd and kind of upset a lot of people within the anti-malware community. So finally, this week, Microsoft released a full blog post with all of the indicators of compromise, as they’re called, which includes hashes, and so now other malware researchers can examine what exactly Microsoft found and verify that their products are fully up to date and able to catch these. This new version of XCSSET, Intego has done our analysis, and we’ve found that we’ve already been detecting these apparently new samples with signatures that date back multiple years. So if you have Intego software, you’re already protected from even the latest variants of XCSSET malware, by the way. It’s really interesting malware, though. The whole story behind it is worth checking out if you don’t remember that malware. Essentially, it was malware that targeted developers, and was probably one of the earliest cookie stealing malware that I remember writing about on the Mac, so definitely check out the article. We’ll link in the show notes to our August 2020 article called Mac Malware Exposed: XCSSET, an Advanced New Threat.

Phishing Scam Poses as Parking Fine Notice

Kirk McElhearn 17:11
Okay, in scam-watch the latest phishing text message scam is warning you that you have to pay a parking fine. And apparently some of this is happening in New York City, and you have to pay a $35 fine if you haven’t paid your unpaid parking charge. What’s interesting about this is that a lot of these scams, when they come in as text messages, the links aren’t live, so you can’t tap them or click them.

Josh Long 17:39
But this one, the way that this works is that, instead of doing like we often see with these sort of scam phishing text messages, they’ll often say something like, you know, copy this and paste it into your browser, because they know that when they text these links, that they’re not going to be active links. However, what’s interesting is that Apple actually identifies Google.com as a trusted domain, and so when they see that in a text message, they will enable that as a clickable, or well, tappable link. And what’s interesting about that is what the bad guys are doing is they’re using a redirect that starts out on Google.com, so if you tap on this link, it will take you into Safari, or whatever your default browser is, and then it’ll give you an interstitial page. So it’ll say, like, this website is trying to redirect to, and then the URL of the website that you’re about to go to. And so if somebody taps on this in a text message, they’re going to say, oh, yeah, of course, it’s trying to redirect me to the page where I can pay my parking ticket. And so they will just tap to continue, and what you actually end up on is a phishing page. So they’ve disguised the phishing page by putting it behind a Google wall that enables that link to be tappable. Is there any way Google can stop this? Oh, yeah, absolutely. There’s no reason why Google couldn’t stop this. They could say we will only allow redirections to known safe domains. That would be the ideal way to do it. And so then, instead of just relying on Apple having a list of safe domains that are tappable, Google would also have its own list of safe domains that are okay to redirect to, right? So you’d have a couple of layers, defense in depth, right?
That would be a good thing, but as an alternative, at the very least, Google should be saying, first of all, we don’t know where the source of this came from. Why are people trying to redirect to this supposed New York City parking site through us when they didn’t come across us through Google search results? Like, why? What’s going on here? Like, it seems a little suspicious.

Kirk McElhearn 19:57
I was going to ask about the structure of the URL. And if you follow the link in our show notes to the BleepingComputer page, you can see it’s Google.com/url question mark, q equals, and then the other domain. Is that the kind of link you get when you click on a Google search result? In other words, is this redirection structure something that’s just built into Google?

Josh Long 20:20
It looks like what’s going on here is that this format of the URL is used by a couple of different things. It may be used by Google Docs, like when you have a link in a Google Doc. It may also be used by Google Analytics, so maybe there’s a link in a newsletter or something, and you want to track it with Google Analytics, if you’re the person putting out the newsletter or the company putting out the newsletter, and so you’ll do this redirect. Now, normally you won’t see this interstitial page saying the previous page is trying to send you to, but when you try to go to it from a cold link, meaning you’re coming from someplace outside of a browser, like your text message, that’s when Google will put up the redirect notice. So it does, it works, it’s working as it’s designed to. However, it would be nice if Google had immediately detected that this was a phishing page and blocked it and not allowed you to be redirected to it.

Apple Intelligence Delays

Kirk McElhearn 21:21
Okay, in our last episode, we were ranting a bit about Apple Intelligence and the bait and switch, that Apple was advertising their new devices, particularly the iPhone, as being this magical device that does all these wonderful things, and they had these commercials of people using Apple Intelligence to find all this information. Well, since our last episode, Apple has announced that they are delaying the, quote, more personalized Siri feature in Apple Intelligence. And, you know, we don’t know how long they’re delaying it for. It’s like, what do they say, sometime in the next year, which I would think of as by December 31, but you think that’s like, within the next 12 months? What are they doing at Apple? Seriously? What are they doing? They announced this last June. Basically, they announced something they didn’t know how to build, and they’ve discovered how difficult it is.

Josh Long 22:10
This is the problem with pre-announcing features that are not even developed yet, right? Like, it’s one thing if Apple is, like, almost there, and they know that it might take them an extra month or two, and maybe in the point one, point two, even point three release of an operating system, maybe they’ll roll out some of these features that are mostly done but need a little bit of fine tuning before they put them out. But something like this, if it was really not far enough along in development that they could definitively commit, and, you know, legitimately commit to this coming within this operating system cycle, then Apple shouldn’t have announced this. They shouldn’t have recorded all these ads, like, showing this apparent feature that now might get delayed till, like, iOS 19, and whatever the next macOS is going to be called. So we don’t know for sure. The statement that Apple put out to a handful of specific people in the press, bloggers and vloggers and so forth, was that it’s going to take us longer than we thought to deliver on these features, and we anticipate rolling them out in the coming year. Now, that’s the part that you could interpret different ways. Again, my interpretation of that is, in the coming year, you could, on the negative side, interpret that as meaning next year, because the coming year from now would be 2026, to me. But that could also mean some time within the next year, so sometime between now and a year from now. So in any case, that still doesn’t really clarify. Does that mean it’s coming in iOS 18? Is that coming in iOS 19? Like, we don’t really know. John Gruber of Daring Fireball speculates. We know it’s not coming in 18.4, because we already have the betas of that.
It’s not in the betas, and it’s probably not coming in 18.5, which is likely to come out before WWDC, because, well, what would be the point of putting out this notice to the press that, oh, these are a little delayed, if it’s just going to be in the next version, right? And so that implies that it’s somewhere even further beyond that, meaning, at the very least, beyond WWDC. And John Gruber is speculating, maybe not even until the next version of iOS coming out this fall. That’s crazy.

Kirk McElhearn 24:40
Gruber points out that if the entire industry weren’t in the midst of a generative AI LLM mania, Apple Intelligence wouldn’t have been announced until this year’s WWDC, not last year’s. And we’ve been saying that all along, that Apple was playing catch up, that they weren’t really working on this, and that’s why the only iPhones other than the iPhone 16 that support these features are the iPhone 15 Pro. That’s why they updated the iPad Mini to an A17 Pro chip to be able to run it. That’s why they’ve not updated the cheapest iPad. We talked about that last week, because people who only pay $350 for an iPad don’t deserve Apple Intelligence. But this shows that Apple’s just lost control of something here, because this was their main selling point. In fact, it’s still the main selling point for all these devices. When you look at a new device, Apple Intelligence is all over. I mean, here’s the Mac Studio. More power to you, built for Apple Intelligence.

Josh Long 25:37
Right? In fact, Apple still, to this day, they’re still releasing more and more ads that focus on Apple Intelligence. Now, at least now, thankfully, they’re focusing on features that actually currently exist and not, like, hypothetical future features that we might get someday. But yes, Apple is really focusing on Apple Intelligence in all of their marketing materials right now. I’ve seen some calling this a bait and switch. Yeah, you even brought this up last week. And when I first saw that term being thrown around, I kind of was like, well, I don’t know if I’d go that far, but the more I’ve thought about it, the more I’ve realized, you know, it was the whole of all of these Apple Intelligence features they announced at WWDC last year that made me feel like, okay, I’m gonna upgrade early. I’m gonna buy a new phone this year instead of waiting another two years, like I normally would, my usual four year cycle. I broke out of that specifically because of all of these features that were promised as part of Apple Intelligence. I’m disappointed with some of them. The image generation and Genmoji, like, that’s garbage. It’s unusable. I will never use it again, probably, unless it gets significantly better. And, you know, the writing tools, I mean, it’s okay, but I don’t really use it as often as I thought I would. But it’s really disappointing that they said that you would be able to talk to Siri and have it understand all this context about you, the things that were in this video that we talked about last week that now Apple has made private. You can’t even view this advertisement anymore on Apple’s YouTube channel because they’ve made it private. They don’t want you to remember that they put out this ad showing a feature that doesn’t even exist yet. And matter of fact, Apple has also been actively updating a bunch of pages on its website.
Just this morning, I read an article about how a bunch of pages that reference Apple Intelligence now have some additional disclaimers saying things like Siri’s personal context understanding, on-screen awareness and in-app actions are in development and will be available with a future software update. Again, very ambiguous as to the time frame, or this feature is in development and will be available with a future software update. So yeah, thanks. We know, but that doesn’t really help us much.

Kirk McElhearn 28:07
The thing is, they want to make Siri the ultimate AI tool. And I don’t think most users want that much. They just want Siri to work for, like, simple things, and I’ll just give an example. Apple operating systems have what are called focus modes. And these are different sort of Do Not Disturb modes that you can use. And I have one that I call podcasting. So when I’m podcasting, I’ll still get notifications if I get a message from you, Josh, or from our producer, Doug, or from certain other people that I’m involved with in podcasts. And if I go to my phone and I say to Siri, turn on podcasting focus, it starts playing a random podcast. It doesn’t turn on the podcasting focus. And this is, like, an Apple built-in feature in the operating system. And yes, I created the name podcasting. If I tell it to turn on Do Not Disturb, it’ll do that. If I tell it to turn on sleep mode, it’ll do that. But it can’t understand that I have a custom name in a focus mode, and it starts playing a podcast. So I guess we’ll be talking about this for a while, until this comes out in 2029, and then by that point, it’s going to be outdated and there’ll be something new. So that’s enough for this week, Josh, until next week. Stay secure.

Josh Long 29:16
All right. Stay secure.

Voice Over 29:19
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us in Apple Podcasts or subscribe in your favorite podcast app, and if you can, leave a rating, a like or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.
