Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

macOS Big Sur 11.4 Addresses Vulnerability That Could Let Attackers Take Secret Screenshots

This is why I stopped trusting Zoom after that whole server applet thing from early last year. Plus, with the added popularity during the pandemic, it would obviously be a larger target for attacks like this.

I always use GoToMeeting with my Clients and try to avoid Zoom at all costs. If I have to use Zoom, I temporarily give it the necessary permissions, then disable them immediately once the call is over.
 
chucker23n1 said:
A security hole in macOS (which only appeared in a version from last fall) is why you stopped trusting Zoom?
Click to expand...
So the part of my quote you used is the part that has nothing to do with the current situation… I said I stopped trusting them because they had a sketchy server applet that THEY installed. They said it was for launching calls, but there was no need for it and it could have been exploited. They very quickly removed it once they were found out.

Edit: I should have said, “this is PART of the reason.” There are many other reasons why I hate Zoom.
 
techfreak23 said:
So the part of my quote you used is the part that has nothing to do with the current situation…
Click to expand...

Literally your first sentence in response to a story about an Apple security hole is “this is why I stopped trusting Zoom”.

techfreak23 said:
I said I stopped trusting them because they had a sketchy server applet that THEY installed. They said it was for launching calls, but there was no need for it and it could have been exploited. They very quickly removed it once they were found out.
Click to expand...

Be that as it may, it has nothing to do with this story.
 
Solomani said:
I wonder if they fixed/improved the slowed-down Safari (specially the stuttering delayed launching of the Bookmarks Menu, among other things) from Big Sur 11.3.1
Click to expand...
The History menu (especially its daily submenus) is still fairly slow to me as of Safari Technology Preview 14.2 / Release 124, in Big Sur 11.4. I think it gets blocked trying to fetch all those favicons.
 
  • Like
Reactions: Solomani
chucker23n1 said:
The History menu (especially its daily submenus) is still fairly slow to me as of Safari Technology Preview 14.2 / Release 124, in Big Sur 11.4. I think it gets blocked trying to fetch all those favicons.
Click to expand...

Ugh. Thanks for the feedback. That type of stuttering slowdown is unacceptable in modern 21st century web browsing.

P.S. --- my Bookmarks (including sub-menus) only contain a few dozen favorites. It's not even in the hundreds, or thousands, like with some users. Once every few months, I cull my Bookmarks/Favorites menus. And I nuke erase my entire browser History once a week or so.
 
chucker23n1 said:
Hmm, I don't think that popup can appear at all without a code signature, so verifying the checksum isn't a concern. You can opt out of Gatekeeper's code signature check manually (using the contextual menu, etc.), but I believe if you do, TCC flat-out refuses to do grant anything.
Click to expand...

The problem is that I don't know it requires a code signature and while I don't get to use OSX very often I would consider myself more technically knowledgeable than most users. If a regular user doesn't know then it doesn't help them. There is no reason the dialog couldn't say.

chucker23n1 said:
For many types of permissions, they do. But yes, this should be unified. It's also grating that, if they need multiple permissions, they need to show multiple dialogs.
Click to expand...

In my limited experience nearly all don't. It may well depend on which apps you encounter of course.

chucker23n1 said:
You can check the list of binaries in Security.
Click to expand...

Assuming you can get there with the dialog still on your screen.

IceStormNG said:
And you expect users to read that? A lot of them click on "OK" or "Accept" before the pop-up animation finished.
Click to expand...

My point is it should be _easy_ to be responsible. A lot of users won't be - that's not really my concern. I would like to be responsible and I find it a struggle. I am sick of things being harder than they should when dealing with other computer systems - I expect more of Apple. the whole idea that I might be working away, suddenly get a pop up from some unrelated process and have to spend 30 minutes reading forums to crowd source opinions on which button I should click is ridiculous.

If we do care about encouraging regular users to be careful we can't get away with presenting quentions they have aboslutely no way of being able to answer.
 
topdrawer said:
Wouldnt they just be able to lie?
Click to expand...

That's a problem for most systems and it still doesn't have great solutions.

In the days of dumb terminals it was trivially easy. You wrote a program that looked like the login prompt for the machine. You left it running on a public terminal and walked away. Some victim types in their username and password, your program logs the details to a file, tells the victim their password was wrong and kills itself and ends your session. The real system then presents the real login screen, the users assumes they made a typo and tries again, presumably successfully. You slowly build up a list of people's passwords for later use.

It is why Windows systems (used to?) require you to press ctrl-alt-del before logging in - as that would kill off any fake password screens. I think even now its permission dialogue boxes hide everything else in a way that a regular app can't emulate. I'm not even a windows user, let alone expert, so I may be wrong on that, but I think that's the case.

There are a number of approaches that can be taken. The windows way of something only the OS can do (withstand ctrl-alt-del or some magic screen mode) is one. another would be to link to an https web page at apple.com that tells you that this app is X and was reviewed by Apple and the developer said Y. There would need to be a way of verifying the app and the page matched of course so a fake dialog couldn't redirect you to the page for a legitimate application - e.g. comparing hashes or something equally annoying. A better solution might be to have a second, always trusted app (i.e. provided by Apple with the OS). It becomes the thing that asks for permissions - i.e. it verifies the app hash and checks the Apple database of approved apps and the permissions they might ask. You know you can trust the Apple app because it is immutable via SIP or something. Then you just need to be sure its the real Apple permissions app you are looking at which is hard if you don't launch it yourself. If its auto launched (which is certainly convenient) the OS needs to help by doing something only it can do (something in the menu bar? A special Dock icon only it can use? A HAL style glowing light in every mac that only it can switch on? make every user learn to use ps?).

Every solution to this problem has its own problem alas.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back