• Apple has another serious software flaw. This one isn’t a security vulnerability, but it causes some iOS devices (iPhones, iPads) with third-party apps installed that use local notifications to get stuck in a reboot loop on December 2nd. iOS 11.2 is out now and resolves the issue, along with other issues, and adds features like Apple Pay Cash to send money to your friends and family. If you’re already experiencing the reboot loop, Apple has some steps for you to follow before updating.

    Other workarounds include setting your time back by a day or disabling notifications for the apps that cause it, but it’s better to just update.

    Some people have an idea that staying on an older version of the software is more stable or more secure. This is always a bad idea in our day of networked devices that are constantly under attack from governments and other bad actors.

    It must really be crappy to be on the teams responsible for these issues this week but it’s difficult to blame anyone specifically for them. With the root exploit it looks like a reasonable mistake that could happen to anyone. We don’t have all the details of the December 2nd bug yet, but both of these issues require an extremely specific set of things to go wrong before they happen. I have no doubt that Apple’s QA processes will change to include testing for these kinds of issues, but there isn’t any perfect software. What they have done well is the delivery mechanism for getting those updates out to users.

    When Android has issues like these they are difficult to resolve because so many different companies have to get involved in order for updates to get released to end-users. I don’t envy anyone trying to resolve that issue at Google.

     

  • Go to the Updates tab in the Mac App Store to apply it now; you won’t even need to reboot. Apple has more details about the update at this link.

    Here’s the post from yesterday with the details of the vulnerability.

    Update:
    If you have any trouble with file sharing after applying this security patch, Apple has another fix for that, oops.

  • There’s a vulnerability in the latest version of macOS High Sierra (10.13.1) that may let anyone with physical access to a Mac log in and gain system administrator (root) access or, if they already have an account, upgrade their access to the system administrator (root) level.

    You can work around the issue by setting a root password as described in this support document from Apple. They’re working on fixing it.

    The vulnerability works like this:

    1. At any login or privilege escalation dialog, a user types in the username root
    2. The user hits the login button or Enter a few times in quick succession
    3. The system enables the root user account and assigns it no password.

    It is incredibly bad for Apple to have a vulnerability this easy to exploit, and it’s ridiculous that it was also apparently publicly available on Apple’s developer forums weeks ago.
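A defensive check for the issue described above, as an added example that is not part of the original post or Apple's guidance: it classifies saved `dscl . -read /Users/root AuthenticationAuthority` output per Mac and flags machines where root is enabled without a recorded admin action. The output strings, host names, `mitigation` field and sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Collect on each Mac with:
#   dscl . -read /Users/root AuthenticationAuthority 2>&1
# Assumption: a disabled root account yields "No such key: AuthenticationAuthority";
# an enabled one yields an "AuthenticationAuthority:" line naming ShadowHash.

# classify_root DSCL_TEXT -> disabled | enabled | unknown
classify_root() {
    case "$1" in
        *"No such key: AuthenticationAuthority"*) echo disabled ;;
        *"AuthenticationAuthority:"*ShadowHash*)  echo enabled ;;
        *)                                        echo unknown ;;
    esac
}

# verdict MITIGATION DSCL_TEXT
# MITIGATION is a hypothetical inventory field:
#   rootpw = an admin set a root password (the workaround), update = patch applied, none
verdict() {
    case "$(classify_root "$2"):$1" in
        enabled:rootpw)  echo OK ;;       # root enabled on purpose by the workaround
        enabled:*)       echo SUSPECT ;;  # root enabled with no recorded admin action
        disabled:update) echo OK ;;       # patched, root left disabled
        disabled:*)      echo EXPOSED ;;  # neither patch nor workaround in effect
        *)               echo UNKNOWN ;;  # collection failed or unexpected output
    esac
}

# audit_fleet: reads "host|mitigation|dscl output" records on stdin
audit_fleet() {
    while IFS='|' read -r host mitigation dscl_text; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(verdict "$mitigation" "$dscl_text")"
    done
}

# Constructed sample records (not real hosts or real captured output)
SAMPLE='mac-01|rootpw|AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
mac-02|none|No such key: AuthenticationAuthority
mac-03|update|AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
mac-04|none|'

printf '%s\n' "$SAMPLE" | audit_fleet
```

The `dscl` attribute alone cannot tell a blank root password from a set one, so a SUSPECT host still needs an admin to reset the root password and review who enabled the account.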

  • With most fan-made productions you’re kind of left to go “oh it’s good… for a fan show.” That isn’t the case for Star Trek: Continues’ continuation of Star Trek’s original series. Continues is better than the new reboot movies, and it’s also better than many of the shows after Deep Space 9. This show’s cast is excellent, and the episodes are entertaining and have just the right amount of morality while still leaning into what made TOS so good.

    Unlike Discovery you won’t have to subscribe to CBS’ crappy streaming service to watch Star Trek: Continues. Above is their playlist that has the full run of the show for free.

  • Bloomberg’s Eric Newcomer:

    Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

    Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.