The Mac Security Blog

Intego Mac Security Podcast

Reverse Engineering – Intego Mac Podcast, Episode 393

Posted on by

  • Urgent: macOS Sequoia 15.4.1, iOS 18.4.1 address 2 zero-day vulnerabilities
  • Josh: Here’s why you should stay on the very latest Apple OS
  • Technical analysis of CVE-2025-31201
  • Apple drops ‘available now’ from Apple Intelligence page
  • AI-hallucinated code dependencies become new supply chain risk
  • Cookie-Bite attack PoC uses Chrome extension to steal session tokens
  • OpenAI tells judge it would buy Chrome from Google
  • Phishers abuse Google OAuth to spoof Google in DKIM replay attack
  • Whisky development ends on macOS to help Wine flourish
  • Is 2025 the year of Mac gaming? Top 5 reasons to be a Mac gamer
  • Instagram Launches ‘Edits’ App to Replace CapCut

    • If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

    Intego Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Download a free trial now at intego.com, and use this link for a special discount when you’re ready to buy.

    Get Apple security news delivered straight to your inbox, for free. Intego’s twice-monthly newsletter will keep you informed about Apple-related privacy and security, along with tips and tricks for getting the most out of your Mac or iPhone. Subscribe for free—no strings attached.

    Transcript of Intego Mac Podcast 393

    Voice Over 00:00
    This is the Intego Mac podcast—the voice of Mac security—for Thursday, April 24 2025. This week’s Intego Mac Podcast, security headlines include: The Better Business Bureau advises Apple to curb its deceptive Apple Intelligence marketing. What is “slopsquatting”? It doesn’t sound very appealing, but it is to cyber criminals. And we’ve got another reason why phishing scammers love Google services.Now here are the hosts of the Intego Mac podcast. Veteran Mac journalist Kirk McElhearn and Intego’s chief security analyst, Josh Long.

    Kirk McElhearn 00:44
    Good morning. Josh, how are you doing today?

    Josh Long 00:46
    I’m doing well. How are you Kirk?

    Kirk McElhearn 00:48
    I’m doing just fine. I’m gonna ask my usual question, do you know what day it is today?

    YouTube is twenty years old

    Josh Long 00:51
    Today is the 20th anniversary of YouTube.

    Kirk McElhearn 00:56
    I would say that one of the things that changed the internet and the world the most was YouTube, the ability to have videos on demand and seeing what it’s become now, with so much direct on YouTube, but also so much quality content that some companies use to actually provide paid content, you can subscribe to content on YouTube. You can watch videos about, I mean, literally everything.

    Josh Long 01:20
    In fact, a lot of people use YouTube as a search engine. Now, if they want to how to instead of going to Google, they’ll just go to YouTube and say, How do I do this? And chances are somebody’s made a tutorial video of it. It’s definitely a platform that has grown far beyond, I think, its developers ever imagined that it would and I use it every day. I really think that YouTube has made overall, I would say, a positive impact on the world, even though they’re like you said, it’s a lot of direct.

    More information on the recent Apple operating system updates and reverse engineering

    Kirk McElhearn 01:52
    Okay, we wanted to just do an update on last week’s security updates.

    Josh Long 01:56
    Well, we already talked about what exactly was patched last week. We did get that information right at the end of the show the Mac OS Sequoia, 15 point 4.1 iOS and iPad OS 18 point 4.1 updates they address two zero day vulnerabilities. What I wanted to follow up on is that a team of security researchers has put out a technical analysis of this patch that Apple had just released, as we recorded on Wednesday, that’s the day that the updates came out. Four days later, they released a blog post talking about how they reverse engineered the patch so they compared the iOS 18.4 update with the iOS 18 point 4.1 update, they looked at what was different between the two, and were able to figure out exactly what this vulnerability was that Apple said was fixed, or one of these vulnerabilities that was fixed in this update. How did they go about doing this? Well, there’s a process called reverse engineering, and so they were able to to compare these two patches. There’s a whole bunch of techniques. We’ll link to the article. If you want to know the really technical nitty gritty details, they cite a whole bunch of sources. This is information that’s freely available online, how to do this kind of reverse engineering. And so what I wanted to point out about this is that the bad guys do this too. They’re not writing blog posts about this, but they are absolutely using techniques like this to figure out exactly what was patched, and they’re then using that to now have another vulnerability in their tool kit that they can use against people who have not fully updated their operating systems. This is why it’s so important to make sure that you stay on the latest Apple operating system and to patch pretty quickly after these come out, because other people, including bad guys, are going to be reverse engineering those patches and figuring out how to use them against you if you have not updated your operating system yet.

    Kirk McElhearn 04:01
    So to simplify, if I understand correctly, they look at all the files that are in the update, which is gigabytes of files for some of these updates, they compare them to previous versions, and they find what’s different. And that is what leads them to figure out, with some complicated process, which may involve dozens of files that are interlinked what the vulnerability was, right?

    Josh Long 04:22
    And once, once they figure out what that vulnerability is, then they can figure out, okay, well, here’s how I can potentially exploit that vulnerability. Remember, if you’re on some older version of Mac OS, before Sequoia, like, for example, if you’re on Mac OS Sonoma, right now, Apple is, I believe, beta testing. The next minor patch to Mac was Sonoma, and they may or may not patch this, these two vulnerabilities that were zero day vulnerabilities, right? Apple makes a big deal about these are highly targeted, you know, attacks against specific individuals on I. IOS and so they make it sound like, oh, you know, it’s not that big of deal, right? Yes. I mean, sure, these were vulnerabilities that were exploited against but it’s, it’s specific users, right? So you just don’t even need to worry Mac users. It was never used against you, as far as we know. But the thing is, Apple may or may not actually patch these two vulnerabilities for older versions of the operating system, but even if they do, you’re going to have to wait a while after these patches were available for the latest operating system. This is not the first time that something like that has happened. Apple actually does this fairly often, where they’ll patch these zero day vulnerabilities for the current operating systems, and then in the next patch cycle, they’ll go back and patch it for the previous operating systems. So just a reminder, stay on the latest OS and update quickly.

    Apple Intelligence page changes

    Kirk McElhearn 05:51
    Okay, we’ve been talking about Apple Intelligence since, I guess, last June, when Apple first announced it. And did you realize that Apple Intelligence is no longer available now. Of course, it is. Well it’s not. If you go to the Apple Intelligence page on Apple’s website, and we’ll link to this in the show notes, it no longer says available now, and this is because the national advertising division, which is part of the Better Business Bureau, recommended Apple discontinue or modify its available now claim, saying it reasonably conveyed the message that the AI powered features like priority notifications, Genmoji, image playground and a ChatGPT integration were available with the launch of the iPhone 16, which isn’t true, and not to mention the more advanced features that Apple has pushed back the fancy Siri that was supposed to be coming out A few months after iOS 18, and now we’re lucky to get it with iOS 19. And so the Apple Intelligence page no longer says available now. Now, to be fair, the iPhone 16 page doesn’t say available now, either it’s kind of Apple had before, available now with an asterisk and a footnote going down to the bottom saying some features in beta, etc, etc. So did they really need to keep this on for so long? Or is this just another sign of Apple’s confused marketing of this amorphous group of products?

    Josh Long 07:15
    Well, there have certainly been already people who are suing Apple over this and and this is, this is a big problem for Apple, right? This doesn’t look good, you know, depending on who you believe, if you, if you read John Gruber’s article that we mentioned from Daring Fireball a few weeks ago, you know, it, Apple may not have even really started developing these features and thought that they could develop these features sometime within the iOS 18 life cycle. But I do notice, though, that on Apple’s, and this is on Apple.com/Apple-intelligence, although they have removed that from the top the available now, they do still have some asterisks on a couple of things, and one of the little footnotes at the bottom still says some features will be available in software updates in the coming months, whatever that means. And then another one says will become available in a Mac OS software update in the coming months. So they’re still saying that on some of the pages, but you have to look a little more carefully to find that now on for some of these features.

    Kirk McElhearn 08:27
    To be fair, looking at this now and comparing it with all of the the magical experience we were going to have, that Apple presented in June and then in September, it looks pretty poor. So you scroll down and it talks about the writing tools. And pretty much every AI feature of every AI app has writing tools. Then it talks about image generation and image playground, which is kind of boring, and it talks about the start of a new era for Siri. And basically it says that if Siri can’t answer a question, it’ll send it off to ChatGPT. Then it goes on and mentions the sort of new, more natural, integrated, capable Siri that has been delayed and delayed, and that’s it. They talk about privacy. And then there’s nothing else in this under Apple Intelligence, it feels quite underwhelming, if you look at it this way.

    Josh Long 09:17
    And some of the things that they’re putting on this page, you have to scroll through a list of features before you eventually get to the things that have a little note at the bottom that says this feature is in development and will be available with a feature software update. But it is really disappointing that we still don’t have some of these features or even an ETA when we’re going to get these features. I am looking forward to Apple, giving us, hopefully a more accurate timeline for this at WWDC, but until then, I feel like this is a pretty big stain on Apple’s reputation.

    Kirk McElhearn 09:52
    In addition, they leave out some of the really good features, like the Cleanup feature in Apple photos, which is really quite good notification summaries. That’s kind of embarrassing for them, so they don’t want to mention that. It feels like this was a big misstep for Apple, and they’re trying to, well, they have no choice, because they’re looking really deceptive. And not even to mention this only works on certain devices. And you have to follow the two asterisks down to the very bottom, and you see it’s only the iPhone 15 Pro models, or the iPhone 16 models, or a whole bunch of Macs. And so we’re still stuck in this same kind of, you know, some people get Apple Intelligence, and some of the Apple Intelligence features don’t work. And so I don’t want you right? We’ve been beating a dead horse on this. We’ll talk about it again in June, unless something else comes up before we go to the break, we have a malware story about AI slop, squatting attacks. So if you’re not familiar with the term slop, it is something that describes the direct that AI creates. Could be aI writing could be aI images, etc. Squatting is when something impersonates something else. We talked about, typo squatting, like a website could be A-P-P digit one E.com, that looks like Apple.com so that’s typo squatting. So what exactly is slop squatting, and how do AI hallucinated code dependencies become a new supply chain risk, Josh, you have two minutes to explain this in English that everyone will understand.

    What is “slop-squatting”?

    Josh Long 11:20
    All right, well, if you’ve ever used an AI chat tool, you can ask it just about any question. And if you’re asking questions related to coding, maybe you want to develop your own app. One of the things that you might ask it is what open source packages are available to help me do this? And this is, by the way, across multiple different things, so ChatGPT, co pilot and others, about 5% of the time. They’ll give you some information that is not accurate. They’ll mention some code repository that doesn’t actually exist. And you won’t know that, of course, until you try to go there and access that code repository. But the thing that some researchers discovered was that this is not just a hallucinated result. Every time you get repeatable hallucinated results from some of these chat bots. So the problem here is that they’re talking about a particular software repository that doesn’t exist yet. But what the bad guys can then do is they can go to GitHub, for example, and they can register that name, and now they’ve got the a place where they can put malware. They can even, you know, clone another existing bit of software that already exists on a real repository, and then add some malware to it surreptitiously. So now, when people go to that repository that the chat bot told them about, they’ll be downloading malware and potentially even building that into apps that they’re developing.

    Kirk McElhearn 13:00
    Okay, so to quote from the bleeping computer article that we’ll link to, we’ll link to, unlike typo squatting, slop squatting doesn’t rely on misspellings. Instead, threat actors could create malicious packages on index like pi, pi and NPM, which are places where people store open source software named after ones commonly made up by AI models and coding examples. It’s worth noting that probably one of the biggest uses of AI today, at least a large language model, AI, which is something we don’t see, is people writing code for computers, developing apps, writing websites, etc. It’s huge because you’re not too worried about how the code sounds. You want it to work.

    Josh Long 13:39
    Just to give a little bit more information on the scope of some of these things, they say that while the number of unique hallucinated package names logged in the study was large, surpassing 200,000 they say 43% of those were consistently repeated across similar prompts, and 58% reappeared at least once within 10 runs. So that’s the problem is that these are repeatable things, so these hallucinations are not just one offs. They’re saying these non existent package names over and over again to multiple people over different prompts, and that’s why the bad guys can leverage this to put malware out there.

    Kirk McElhearn 14:18
    Okay, we’re going to take a break. When we come back, we’re going to talk about Google scams and Wine and Whiskey and those are not all one story that’s three different stories.

    Voice Over 14:27
    Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.

    Warnings about using Chrome browser extensions

    Kirk McElhearn 15:38
    I feel like this is something you’ve talked about a lot, session cookies. So there’s a proof of concept attack called cookie bite that uses a Chrome extension to steal session cookies. So session cookies is a bit of text on your computer that says you’re logged in, basically. And if I could steal your session cookie to a certain website and put it in the right place, my browser would think that I’m you, is that right?

    Josh Long 16:03
    Right. And this is something that is has taken years, but is something that is on the horizon, that there will be a fix for this. But even today, this is still a really big problem. And the Steeler malware that we see on max all the time, by the way, this is the most common malware that we see on max these days, is stealer malware, and one of the things that it does is it steals cookies from your machine, because this is an easy way for bad guys to get access to a whole bunch of things, whatever sites you’re logged into. The latest news on this front is that there’s a proof of concept attack called cookie bite that is able to use Chrome extensions to steal these session tokens, these cookies, from your machine. I wanted to bring this up specifically because we’ve talked a lot in the past about browser extensions and how you need to be careful about only installing extensions from developers that you trust. Don’t just go install an extension because it sounds interesting and you think it might do something that you want your browser to be able to do. You can’t necessarily trust that it will behave in only exactly the way that they claim that it will and not do anything malicious in the background. So this is another example of why you need to be extra careful about installing extensions.

    Kirk McElhearn 17:24
    Isn’t it another reason why you shouldn’t use Chrome.

    Josh Long 17:28
    Well, it’s not just Chrome. I mean, most browsers are based on Chromium, which is the code base behind Google Chrome, not Safari. Well, not Safari and not Firefox. Those are, those are the two browsers that are basically doing their own thing right. They have their own engine and their own extensions and things like that. Basically every other browser can use extensions that were developed to work in Google Chrome, even so, I would say, you know, you should still be cautious about any extensions for your Firefox browser or even Safari, because, again, they might be able to do some things that you don’t want them to do.

    Will Google spin off Chrome?

    Kirk McElhearn 18:09
    So what if Google no longer owns Chrome? Do you think that would change anything?

    Josh Long 18:15
    Now that’s an interesting idea, isn’t it. I think that at least for this particular problem, I don’t think it’s going to change anything.

    Kirk McElhearn 18:22
    Well, because apparently open AI has told a judge in this trial that is maybe breaking up Google, that they would buy Chrome, which is kind of interesting, because Chrome is the most widely used browser around the world, and if open AI was able to get Chrome and put ChatGPT into it, that would mean that instead of people accessing Google’s Gemini in Chrome, they would all access ChatGPT.

    Josh Long 18:46
    Now, that’s pretty interesting, isn’t it? I don’t know how much it really matters which giant corporation owns the browser, right? I mean, presumably they’re going to still have the same team of developers who’s doing the primary development of the browser. I don’t foresee things changing a lot from like a security or necessarily privacy perspective, right? I mean, neither Google nor open AI has an incredible reputation for privacy, right? That’s not what these companies are known for. It is interesting to think of the possibility. I have noticed a trend in a lot of browsers rebranding themselves as an AI browser, even Microsoft Edge, if you search in the app store, like pull pull up the App Store on your phone and search for AI browser and see the results that you get. In my case, I got an ad at the top for Microsoft Edge, colon, AI browser. Really Microsoft Edge is an AI browser, and then opera, AI browser with VPN, arc search shows up next, and that’s another browser that has AI features built in. And then. Some others that I’m not as familiar with that I wouldn’t necessarily recommend that you use, then DuckDuckGo. Here’s here’s another example. Brave. All of these browsers have aI features built in, either directly, built into the browser itself or in the search results that they’re giving you. In the case of like DuckDuckGo and brave. They’re all trying to get in on this whole your browser is your AI companion thing. And so from that perspective, it wouldn’t really be a big surprise to see open AI taking over a major browser like Chrome.

    Scammers disguise phishing emails using Google service URLs

    Kirk McElhearn 20:35
    I think it’s more that AI is web search 2.0 or 5.0 whatever version we’re up to now that AI is a new web search, and people are realizing this, and instead of just defaulting to Google or whatever, they’re using AI tools, which gives them more than just a list of links and fewer ads and fewer malicious ads, let’s move on to scam watch, because this week We have something that means absolutely nothing to most people. The headline is, fishers abuse Google OAuth to spoof Google and D Kim replay attack. Can Can you turn this into English, please, for people who don’t know what this means.

    Josh Long 21:13
    Well, to keep it relatively simple, I will say that the problem here is that people are getting phishing messages that claim to be from Google. They appear to come from no hyphen [email protected] and they also contain a link that goes to something.google.com so all of this seems really plausible. It doesn’t look like a phishing email. What’s really going on here is that these attackers figured out a way that they could send an email that shows that it comes from from Google. It passes this you mentioned DKIM, D, K, i, m, which is the domain keys Identified Mail authentication method. The problem is that the actual sender of the message. The person who initiated this message that is now getting to you is actually a phisher, and they’ve found a way to sort of pad this message so that it contains a sites.google.com, link. Have you ever heard of sites.google.com before?

    Kirk McElhearn 22:18
    I have, but only in phishing emails. Isn’t there a similar one on Microsoft that we’ve talked about in previous weeks?

    Josh Long 22:27
    Well, sites.google.com is, is a place that people can upload their own content so individual users of Google services can run a website that’s hosted on sites.google.com this is a really, really old service that really doesn’t get a lot of use anymore, except by fishers. And this is exactly why. Is because there’s some legitimacy to have a something.google.com link, right, especially in this particular context. So what they’re doing with these links is that if you were to follow this sites.google.com link, it would take you to a page that, at first glance, looks very similar to a Google Sign In page, which would normally be accounts.google.com, but because you see that google.com in the web address bar, you might not really think anything of this. You might think that sites.google.com is just another legitimate place that Google will send you when you’re trying to sign in, and so that’s where the problem comes in. Is that basically Google is enabling people to more easily send phishing messages to others using a Google site.

    Kirk McElhearn 23:42
    Okay, just like PayPal and QuickBooks that we’ve mentioned in other scam alerts that are allowing users to generate fake invoices through their system.

    Josh Long 23:50
    Yeah, that’s one of the similarities here, is that emails appear to actually come from PayPal, and in fact, in the PayPal example that like you mentioned, these are actual invoicing services or billing services that are being exploited by these threat actors to send phishing messages. And in most of those cases, they were, you know, telling you to call a phone number for support that and that phone number, of course, was operated by the bad guys. In this case, it’s very similar, except this time, it’s a link that, again, plausibly could be actually from Google, because it has a something.google.com Remember, we’ve been talking about all these phishing messages that are coming over SMS, text messages or I messages even, and very often they use a deceptive domain. They don’t even have to do that. In this case, they’re actually something.google.com the only deceptive part about that is that sites.google.com means that it’s not actually Google that generated that page.

    Whiskey developer to cease development

    Kirk McElhearn 24:54
    Okay, a few weeks ago, we talked about an article that’s on the Intego Mac security blog. Is two. 2025. The year of Mac gaming, top five reasons to be a Mac gamer. And one of the reasons was that you could use whiskey, which lets you runs Windows games on your Mac. Apple insider has a very good headline, congrats. Whiskey development ends on Mac OS to help wine flourish.

    Josh Long 25:15
    That’s right, yeah, whiskey, Wine. Wine is, was originally sort of an acronym for wine is not an emulator. It’s a recursive acronym. It’s a jokey thing that sometimes software developers do. Wine is a technology that allows you to be able to run Windows apps on a Linux or Mac operating system. So what whiskey has done, it’s given you an easy way to be able to run apps using wine. So just the basic version of wine, you have to kind of use the command line so the terminal to get apps running, and it’s it’s complicated. It’s not something that the average person wants to do. Whiskey gives you a nice graphical interface to make it really easy to run games and other apps on your Mac that were designed to run on Windows. So the developer of whiskey, he’s an 18 year old college student, and he’s decided that he’s kind of bored with this project and he doesn’t really want to develop it anymore. I kind of don’t blame him. He mentions in his blog post about this, that there really is a better solution that’s already out there, one that works more consistently with a lot more games. And the only problem is that it’s not free. Whiskey was completely free. Code weavers has crossover, which costs $74 for 12 months of support, and it supports a much wider variety of games, and they do a lot of custom tweaking. They’re also running the latest version of wine, which whiskey was not. So you get all sorts of extra advantages. It’s just not free, and you can still use whiskey. It’s just not going to get regular updates anymore.

    Instagram’s Edits to go up against ByteDance’s CapCut for video editing

    Kirk McElhearn 27:01
    Okay. Finally, Instagram has launched an app to replace CapCut. It is called Edits. That’s one of these Apple type names for apps that mean absolutely nothing and that you can never search for on a search engine, like pages and Keynote and numbers etc. CapCut is the app from ByteDance, who makes TikTok, and it allows you to quickly and easily edit vertical videos that you can post on TikTok, but you can also post on Instagram.

    Josh Long 27:27
    Right CapCut is actually a really popular app. They also even have a Mac version of the app. You can run it on iPad as well. But the only problem is with it being developed by ByteDance, that means that just like TikTok, it could potentially be subject to bans. It could it could potentially get kicked out of a particular country’s App Store. It was briefly kicked out of the app store in the US, along with tick tock, during the brief period of time when it was banned. Currently, there’s a hold on that ban, and so you can download TikTok and CapCut from the App Store, but it remains to be seen what is going to happen, whether TikTok and other ByteDance apps will get spun off and sold to an American company or not. That’s a whole thing, and we don’t know how all of that is going to work out, but Meta saw this as an opportunity. Meta is the parent company of Facebook and Instagram, and now they’ve decided that they’re going to have their own app that does pretty much the same thing as CapCut. So that’s what edits is. They call it edits an Instagram app, which is funny because you remember threads. Threads is threads an Instagram app, or at least that’s how it was originally marketed. Now they just call it threads, which another social network that was developed by the people behind Instagram. One of the things that I wanted to point out is just that edits has a lot of the same potential privacy concerns that CapCut does. If you look at the what Apple calls the nutrition label of app privacy on the app store, and you compare the two side by side edits and CapCut, you’ll see that there’s a lot of similarity in data that’s linked to you. So in the edits app, there’s eight categories of data linked to you. In CapCut, there’s only five, but they also have one thing where there’s data used to track you, and that’s identifiers. So you really need to read the privacy policies that these companies have if you want to get all of the details on how these relate from a privacy perspective. But just something to be aware of there is a competitor. So if at some point CapCut gets banned from the US App Store, you’ll still have edits as an alternative. It just probably isn’t really protecting your privacy any more than CapCut did.

    Kirk McElhearn 29:52
    Worth noting that we don’t know the status of the TikTok ban, which has been on again and off again, and we don’t know where it is right now, but we’ll find out soon. Until next week. Josh, stay secure.

    Josh Long 30:00
    All right, stay secure.

    Voice Over 30:04
    Thanks for listening to the Intego Mac podcast. The voice of Mac security with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode be sure to follow us in Apple podcasts or subscribe in your favorite podcast app, and if you can leave a rating, a like or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.

    About Kirk McElhearn

    Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →