Microsoft recalls Recall. An Arc browser impostor contains malware. We’ll tell you which older devices will be able to run Apple’s newest operating systems, and we discuss the security and privacy improvements Apple has announced for its upcoming OS releases.
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, June 20, 2024. This week’s Intego Mac Podcast security headlines include: Microsoft pulls a highly touted but rather provocative feature from its latest Windows beta. An Arc browser impostor contains malware, and a malicious Google ad will trick you into downloading it. More older devices will be able to run Apple’s newest operating systems, and we’ll tell you which ones make the cut. And we’ll have a discussion on the security and privacy improvements Apple has announced for its upcoming OS releases. Now here are the hosts of the Intego Mac podcast: veteran Mac journalist Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:52
Good morning, Josh. How are you today?
Josh Long 0:53
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:55
I’m doing just fine. We were talking about a new Microsoft feature a couple of weeks ago called “Recall”. And it turns out that Microsoft has recalled Recall.
Josh Long 1:05
Yes, something like that. So interestingly, Microsoft released a preview version of this operating system so that developers and others can kind of play with it and get to be familiar with this feature before it’s available widely to the public. And well, this preview version of Windows has already been pulled; Microsoft made it unavailable on June 10. So if you had been testing Recall, you can’t test it anymore.
Kirk McElhearn 1:36
Remind us of what Recall is.
Josh Long 1:38
Recall is a feature that is supposed to enable all kinds of AI enhancements to Windows. And the way that it works is it constantly takes screenshots of everything that you’re doing on your device. Now, you can turn it off by app. So if there’s certain apps that you want to exclude, you can turn those off, and the Microsoft Edge browser, in the InPrivate browsing mode, it will automatically be off for those private browsing windows. But other than that, it’s constantly screenshotting everything that you’re doing. And so you know, it might get your credit card number, if you’re entering that into a site, it might get your Social Security number, it might get all kinds of really sensitive personal information about you. And do you really want AI that’s running on your device to have access to all of that information? I’m not sure that I entirely trust Microsoft with all of that.
Kirk McElhearn 2:34
It’s not just AI, it’s the fact that it is a compendium of everything you’re doing. And apparently, hackers have already figured out how to exploit this and find that the screenshots were just JPEGs in a folder; they weren’t even, like, a secure database.
Josh Long 2:48
Well, yeah, exactly. So immediately, when Microsoft announced this feature, the first thing that comes to my mind is, that’s great until you get malware on your machine that now knows exactly where to go to find all of this really sensitive data about you. So yeah, and it’s, it turns out, they’re not even really doing anything to, as of this first preview, at least, they weren’t really doing anything to secure that data in any reasonable way. So this is all very easy to extract and exfiltrate if you had malware getting on that device. And yeah, and as you said, like even the screenshots themselves are not in any sort of protected database. So all you have to do is add .jpg to the end of the file name. And well, now you can open it in any image viewing app. Like, how crazy is that? So you don’t even have to rely on extracting data from the AI, the local language model running on your machine; you can just look at the JPEGs. Like, see everything that somebody has been looking at.
Kirk McElhearn 3:50
We’ll have to see if they bring this back. It’s something they’ve obviously been working on for a long time. And I think I said when we first talked about it, it sounds to me like a feature they developed for the enterprise market, because there is software already that businesses put on employees’ computers to see what they’re doing, to track them. And it sounds like something that shouldn’t have been created for individuals. The whole idea is that you’ve been doing a whole bunch of research in the morning and you want to go back and find something that you can’t find. And so you type in something. And with a combination of text and screenshots, the AI finds what you were doing, and that’s really practical. But as we’ve mentioned recently, stealer malware is very common. So this is malware that gets on your device, and basically exfiltrates, as you like to say, or steals data and files. And it seems like the security team at Microsoft wasn’t asked about this before it was released.
Josh Long 4:42
Exactly right. Like clearly they did not really talk to any security engineers before they decided that they were going to announce this new feature and also even make an operating system available that has this feature in preview. So kind of crazy, but at least for now, Microsoft is putting the pause on this.
Kirk McElhearn 5:00
So Intego has discovered some new malware. It’s a fake Arc browser, A-R-C. It’s a web browser. And this is not that common. It had a malware component written in AppleScript.
Josh Long 5:11
That’s right. Several weeks ago, there was a headline that I happened to come across in the news where someone was talking about the Arc browser, which is kind of this relatively brand new browser that has been available on iOS, and now macOS. And they even came out with a Windows version of it recently. And it’s kind of this hot new thing, whatever; it’s, it’s, it’s still a browser, but they changed around some user interface elements and whatnot. So they came out with a new Windows version of it. And so somebody happened to notice that, guess what, just like we’ve been talking about happens a lot lately, there was a malicious Google ad that looked like it would take you to arc.net, which is the website for this browser. But in reality, it would actually take you to a malware site where you would get an infection if you downloaded and tried to run this app. And in that original write-up, it didn’t say anything about Mac. But as soon as I saw that article, I was like, Oh, let me see if I can find it. I looked around. And I didn’t immediately find anything. But our anti-malware team at Intego did come across samples of this. And we found a disk image that was clearly a Trojan horse version of, made to look like the Arc browser. And one of the interesting things about it is that it includes, as the stealer component of it, it’s AppleScript. It’s written entirely in AppleScript, which is kind of interesting. And we hadn’t seen this particular sample of AppleScript stealer malware before on the Mac. There had been just recently, like a week before, there was another report about some cleanup software that had used a similar AppleScript file. And it turned out that what we found with this Arc browser was actually an earlier version of that same AppleScript. So pretty cool discovery. But also, yeah, another reminder to be very, very careful about anything you click on in Google search results. Because if it’s a sponsored ad, especially, but really any results in Google, you do have to be careful.
Kirk McElhearn 7:13
Okay, we have a story from The Wall Street Journal last week. And we’ve talked about Screen Time occasionally. Screen Time is a feature that’s built into Apple’s operating system that lets you control your own Screen Time, but also control your children’s Screen Time; you can control which apps they can use, who they can contact, you can set up restrictions, according to their age, etc. It seems like there has been a bug in this for years that was reported three years ago by two security researchers. And when they reported it to Apple, they were told it wasn’t a security issue, and that they should submit a report via Apple’s feedback tool. And you know what happens when you do that to Apple’s feedback tool: it goes in the digital circular file.
Josh Long 7:54
Exactly. Like Apple probably will not respond to you. What the researchers discovered was that with a particular character string, which they have not disclosed, if you were to use that string, now, you can bypass all of the Screen Time controls and get to any website that you want, if you had parental controls on any iPhone, iPad or Mac. So once this was published in The Wall Street Journal, then within the same day, Apple decided to contact the journalist who wrote this report and say, oh, yeah, we’re gonna fix that in the next version of the operating system. So I guess we can look forward to that fix coming soon. If it’s not already out, by the time you listen to this episode.
Kirk McElhearn 8:37
So last week, we talked about new features coming in Apple’s new operating systems, macOS Sequoia, iOS 18, and iPadOS 18. And we want to just briefly talk about the security and privacy features in these operating systems, some of them we’ve already discussed. So we’ll mention them briefly, we have an article on the Intego Mac Security blog. The first and most important is the standalone Passwords app. And as we discussed, this is something that’s been a long time coming, and will be really useful to get people to better understand how important passwords are.
Josh Long 9:06
Right, and to just realize that this functionality is built into their devices, because currently, it’s buried inside of the Settings app, and people don’t know where to look for it or know it’s even there.
Kirk McElhearn 9:16
Another really good feature is locking and hiding apps. Now, if you’ve got young children, you’ve probably given them your iPhone or iPad from time to time to keep them busy. And you’ve had to unlock it. And they could do anything on it; they could read your email. Not that they’re going to necessarily read your email. But let’s say a very young kid taps on an email and taps the Reply button and taps something in the autocomplete and it looks weird, or they can look at your banking information or whatever. This is also a long time coming, the ability to lock individual apps. So you’ll choose to lock the apps, and I would say Mail and Messages and any other app that has sensitive information. And in order to access a locked app, you need to authenticate with Face ID, Touch ID, or by entering a passcode. So no one you’ve handed the phone to can get into these apps. Now you can also hide apps, which is pretty neat. If you have an app that you want to hide, you choose that it’s going to go away, it’ll go into a hidden Apps folder where everything is obfuscated, so people can’t see what it is. Now, Apple does say that these apps might show up in a few places, such as Settings. So if you installed an app that you don’t want your spouse or partner or whatever to see, and they use your device, they might be able to find it in Settings. So you still want to be careful. But I think this is a good idea to allow people to lock and hide apps for their own privacy.
Josh Long 10:37
Yeah, it’s nice to have that option. I don’t know how useful it is; it kind of depends on the particular scenario. First of all, if you never hand your phone to anybody else, or leave it sitting around where someone else could grab it, and potentially log into it, then I don’t know that there’s really much value in adding additional locks to this because they’re gonna have to unlock your phone. And then also, you know, unlock the app in the same exact way that they unlocked your phone. I like the scenario that you presented, where if you occasionally give the phone to a child or something like that, that you generally trust, but you just don’t want them to accidentally do something that they shouldn’t have done. That’s the scenario, I think, where this makes the most sense. I still wouldn’t recommend handing your iPhone to somebody to take your picture, to a stranger in public or something like that. There’s a lot of things that somebody can do with your iPhone that I don’t think it’s a good idea to just hand an unlocked iPhone to a stranger.
Kirk McElhearn 11:33
Okay, a couple of new features: Contacts permission improvements. So you’ve probably seen apps that ask to access your Photos library, and you can choose to let the app access all your photos or specific photos; you’re going to have the same option with contacts. So if an app wants to access your contacts, you can select which contacts it accesses or allow full access. Now, you might want to allow full access, let’s say if you’re using a third-party calendar app, and you need to be able to add people to events to invite them, that sort of thing. But you might not want to add all your contacts in a social media app or, you know, other apps that want your contacts.
Josh Long 12:10
I love this feature. This is really, really cool. And it’s a long time coming. I’m glad that they’re finally doing this. By the way, sometime we should take a deeper dive into this because I’ve noticed that for example, when I opened the TikTok app, and I have never ever given it access to my Contacts, I’ve noticed that it recommends people that I actually do know, and it figures it out, I think mostly based on I’m in their Contacts. And so it’s giving me the recommendations of people who have me in their Contacts, which is a little awkward. So I hope that more people will be a little bit more sensitive about sharing Contacts with other companies.
Kirk McElhearn 12:52
Okay, improved privacy and security settings, I think, improved settings across the board, that Apple is trying to get the 87 rubrics in the Settings app better organized. It’s really, there are literally hundreds and hundreds of settings from the top level to the next level to the next level down. They’ve redesigned the privacy and security settings to make it a little bit more obvious about what’s going on. So in our article on the Intego Mac Security Blog, there’s a screenshot from Apple and you can see Location Services, three always 28 while using calendars for full access to add only, so you get a better idea of what these different settings are doing. But you still have to tap them and find out, and it’s still pretty complicated, all the settings. And so the final topic in this article is Private Cloud Compute. We talked about this last week. It’s Apple’s way of using Apple Intelligence in a privacy-focused way. So data about you does not go to Apple server. You can read some information in the article, and I link to a security blog post that Apple published which talks about how Private Cloud Compute works, and I couldn’t understand half of it; it’s way above my head.
Josh Long 14:02
Yeah, the really short and simple version of this is, first of all, it’s going to process your data on device as much as possible first, and then if necessary, if it’s going to require a little bit more computing power, then it can get offloaded to Apple’s Private Cloud Compute. And if it’s something that your local device and also Apple’s Private Cloud Compute cannot handle, but it thinks that ChatGPT might be able to handle it, then it will prompt you to potentially send this to ChatGPT if you so choose to do that at the time. So these are three different things. But they’re all part of Apple Intelligence and the on-device processing and Private Cloud Compute. I think Apple’s done a lot of things really well here in terms of trying to do everything that they can to give you a very personalized experience while also maintaining your privacy. So I think Apple is doing a great job here.
Kirk McElhearn 14:54
Okay, let’s take a break. When we come back we’re going to talk about which devices can run this year’s operating systems.
Voice Over 15:01
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego’s Mac Premium Bundle X9 includes Virus Barrier, the world’s best Mac anti-malware protection, Net Barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple Silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today. When you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode’s show notes at podcast.intego.com. That’s podcast.intego.com and click on this episode to find the special discount link exclusively for Intego Mac Podcast listeners. Intego. World class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 16:17
So it’s that time of year again. And we talked last week about Apple’s presentation at the Worldwide Developer Conference. And the new operating systems are coming. It’s iOS 18, iPadOS, macOS Sequoia, tvOS 18, watchOS 11. I’d really like to see them get those numbers in parity; I wonder if when they get to like 20, they’re going to balance them out at some point. Because you’ve got 15 for macOS, they don’t call it macOS 15, but it is, and you’ve got 18 for iOS and 11 for watchOS, and it feels a little unstable. So the important thing you need to know is that if you have an iPhone that runs iOS 17, it can still run iOS 18. And this is interesting that Apple maintained the same compatibility as last year, with the exception that you won’t be able to run Apple Intelligence unless you have an iPhone 15 Pro or iPhone 15 Pro Max. I will link in the show notes to the previous episode where Josh rants about this because he has an iPhone 14 Pro like me, and he wants to be able to run Apple Intelligence on his device.
Josh Long 17:17
Exactly. Yeah. So I am happy though, from the perspective of you know, the security guy in me is very happy that all of the same models are still being supported this year. I almost wonder if Apple just did that as a consolation prize, since like very few people are actually going to get Apple Intelligence on their iPhone. They’re like, well, you can at least upgrade to the newest operating system. And you know, you will still get security updates for it for another year. Okay, thanks, I guess.
Kirk McElhearn 17:45
So for the iPad, it’s a little bit different. A couple of devices drop out: the sixth generation iPad, which was compatible with iPadOS 17, will not run iPadOS 18; the iPad Pro 10.5 inch, that was the very first iPad Pro, I believe, that won’t be able to run iPadOS 18. And another one that’s dropped is the second generation iPad Pro 12.9 inch. And that’s surprising because all four generations of the 11 inch iPad Pro are supported. There’s something special about the second generation 12.9 inch that means it’s not; I don’t understand that.
Josh Long 18:18
I think I understand the logic on this one. So basically, it seems like every iPad model that was introduced in October 2018 or later, those are the models that are supported. So it looks kind of weird if you’re just kind of like looking at them all over the place. And well they support these but not the sizes. It’s October 2018. And later, that’s the easiest way to put it.
Kirk McElhearn 18:39
Okay, so which means still six year old devices, which isn’t that bad.
Josh Long 18:44
Yeah, actually, I think that’s pretty decent. So I’m happy to see that.
Kirk McElhearn 18:47
Okay, so tvOS supports all models that supported tvOS 17. There aren’t that many Apple TV devices that one every two or three years. So it’s not a lot. macOS Sequoia, and this is a little bit different because they’ve dropped a couple of models, the MacBook Air 2018 and 2019. Which, as Josh said last week, is a little bit strange, since macOS Sequoia supports all the other Mac models from 2017 to 2019 that can run Sonoma, right?
Josh Long 19:16
Yeah, Kirk and I spent a lot of time on this on Monday, we look going back and forth. Like, is it the minimum RAM? No, the, you know, is it the T2 chip, like, you know, because these are pre-M1 machines? No, it’s not the T2 chip, is it? We went back through a whole bunch of things and we couldn’t really see any really obvious reason why these two MacBook Air models are not supported. And yet the Mac mini, which is almost identical hardware from the same year, 2018, is still supported. So it’s a bit odd. I’m not exactly sure why Apple dropped those two Mac models.
Kirk McElhearn 19:54
Okay, watchOS 11 supports everything from the Apple Watch SE second generation, the Apple Watch Series 6, up to the present. But it does say not all features are available on all devices. And this is something that Apple’s other pages do not say.
Josh Long 20:09
Hmm, interesting. And by the way, that means that they dropped support for the first generation SE, the Series 4 and the Series 5. I have a Series 5, but I was planning to upgrade to the Series 10, whatever they’re going to call it this year. I don’t know if it’s going to be a letter X, some people are speculating, or whether it’s going to be the numeral 10. Either way, I need a new Apple Watch this year. So I’m not too worried about that one because I need to upgrade anyway.
Kirk McElhearn 20:36
My guess is that the not all features available on all devices involve the new app that I think Apple calls Vitals that can record things like your heartbeat, your respiration, your blood oxygen, et cetera. And that might not be available on all devices, in part because blood oxygen is not available on certain Apple Watches because of this patent suit that was occurring last year.
Josh Long 20:58
Yeah, we talked about that on the previous episode. And I’m very curious to see whether the Series 10 is going to include blood oxygen sensing as a supported feature. Obviously, the hardware will still be there. But it’s just because of this patent dispute that Series 9 purchased after a certain point no longer offer that feature, which is very weird. But they did, although I don’t remember them saying anything about it, it was on a slide to show that that was still a feature that’s included; it’ll still check your blood oxygen level, if you have a model that happens to support that currently.
Kirk McElhearn 21:36
Okay, we have another article on the Intego Security blog this week that Josh wrote, “Apple still leaving critical vulnerabilities unpatched in macOS Sonoma”, and this is your crusade, isn’t it? That you keep talking about this, that there are these vulnerabilities in what’s generally open source components that are part of the Unix foundation of macOS. And that some of these are, what, two years out of date, which is kind of, it’s more dangerous than just a vulnerability that was found last month; this is something that’s been around long enough that they could easily be exploited either individually or in chains with other vulnerabilities.
Josh Long 22:11
Well, that’s exactly right. And that’s one of the reasons why yes, this is kind of one of my crusades right now. So what are we talking about here? Well, we know that there are a handful of outdated components, these open source components to the operating system that basically are available in other Linux and Unix-like operating systems. There’s LibreSSL, which as we’ve mentioned in recent episodes, this is a library that allows for secure communications between your device and some other server on the internet. And there are also other components too that we’ve noticed are out of date. So as of when we’re recording this, macOS Sonoma 14.5 is the current version of the Mac operating system. And that version of the operating system has all of these really outdated components that we were just referring to. So there’s LibreSSL, there’s curl, which is, again, an app, command line app, but also a library that’s used to download files from the internet. There’s zlib, and nghttp2. These are just components that we know of. And I’m sure that there are probably others that are out of date, and may be insecure as well. In fact, I know there are other components that are out of date, I just haven’t checked the security patch level on all of these other out-of-date command line tools. So it’s kind of concerning, especially when you consider that third-party applications, for example, may be using these; it’s possible that maybe operating system components might be using these technologies as well. But it’s really unclear. You know, why is it that Apple is not patching these things and keeping them fully up to date?
Kirk McElhearn 23:58
Well, it’s not just that they’re not keeping up to date. Some of them they patched recently, but they didn’t patch to the most recent version, which is strange.
Josh Long 24:06
Yeah. So this was something that I noticed with the 14.5 update of macOS Sonoma. Apple did upgrade curl, that was one of the outdated components, but they upgraded it from 8.4 to 8.6. And 8.6 still contains at least four known vulnerabilities. Like, we’re already on version 8.8 at this point, so why did they upgrade it but to an old version that’s still got a bunch of vulnerabilities in it? Like, what was even the point of upgrading it at all? That’s really weird. LibreSSL though, that’s the one that’s, I think, the most scary out of all of these because at this point, it’s now, I think, 27 months out of date. I don’t know how that even happens. Why is Apple leaving these so far out of date? There are at least four known vulnerabilities, two of which are rated 9.8 out of 10, critical, on the CVSS scale that rates how severe vulnerabilities are. So it’s about as severe as it can get, just about, and Apple’s not patching those things.
Kirk McElhearn 25:11
But this isn’t new, this has been going on for something like 10 years, isn’t it?
Josh Long 25:15
Well, and yeah, that’s a good point. So I mentioned in the article that, I know you’re friends with Rob Griffiths, you guys worked on projects together in the past. And I found a blog article that he wrote 10 years ago, called “OS 10’s Aging Collection of Unix Tools”. This was in September 2014. And so he speculated in this article, which again, it does mention that some of these things, even at that time, were not fully patched, and were out of date. And he talks about how maybe some of the reason for some of these things being left behind was Apple’s opposition to a particular open source software license that some of these tools use; maybe that has something to do with it. But if that were such a big deal, you know, now it’s 10 years later, like, Apple’s had plenty of time to find some other component to use, or find a relicensed version or something like that, or develop its own tools that basically recreate the same functionality. So there’s not any particular reason why that should still be the thing that’s causing this hang-up. So there’s not really a clear answer about this. Now, I’ve reached out to Apple multiple times since November. A particular curl vulnerability had been in the news and that’s what kind of kicked off this whole thing of us looking at, okay, well, what about curl, what version of curl is currently in macOS? Oh, it is out of date. That’s not good. And what are its dependencies? In other words, what other open source components does it rely on? And that’s how we discovered, oh my gosh, like, LibreSSL is like super out of date, and these other things are out of date. So I’ve been in communication, or attempting to be in communication, with Apple since November of last year. And still to this day, every time I reach out to Apple, I get zero response. Like, they don’t seem to care. So I guess I’m gonna have to go to Joanna Stern from the Wall Street Journal, and hope that she’ll pick up on this because apparently, that’s the only person that Apple actually listens to these days, since they were able to get a three-year-old issue with Screen Time resolved, just by having Joanna Stern publish a thing about it.
Kirk McElhearn 27:20
Okay, that’s enough for this week. Until next week, Josh, stay secure.
Josh Long 27:24
All right, stay secure.
Voice Over 27:27
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com. The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.