If HTTPS were used, it would create an endless loop. Online Certificate Status Protocol (OCSP) is used industry-wide, and the reason it works over unencrypted HTTP connections is that it is used to check more than just software certificates, like web connection encryption certificates. It checks to see if a Developer ID certificate used by an app has been revoked due to software being compromised or events like a dev certificate being used to sign malicious software. macOS’ process of using OCSP is a very important security measure to prevent malicious software from running on Macs. We’ve also learned more technical details about how this all works from Apple that align with what independent security researcher Jacopo Jannone shared earlier.

* A new preference for users to opt out of these security protections
* Strong protections against server failure
* A new encrypted protocol for Developer ID certificate revocation checks

In addition, over the next year we will introduce several changes to our security checks: To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs. These security checks have never included the user’s Apple ID or the identity of their device.

Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures. We do not use data from these checks to learn what individual users are launching or running on their devices.

We have never combined data from these checks with information about Apple users or their devices. Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. macOS has been designed to keep users and their data safe while respecting their privacy.
And finally, addressing the overarching concern that Jeffrey Paul raised, Apple will release an update to allow users to opt out of using these macOS security protections. Second, it’s putting in place new protections to prevent server failure issues. First is that Apple will stop logging IP addresses during the process of checking app notarizations. The company also details that Apple IDs and device identification have never been involved with these software security checks.

But going forward “over the next year,” Apple will be making some changes to offer more security and flexibility for Macs. Importantly, Apple highlights that it doesn’t mix data from the process of checking apps for malware with any information about Apple users and doesn’t use the app notarization process to know what apps users are running.

Update 11/15 8:25 pm PT: Apple has updated a Mac security and privacy support document today sharing details about Gatekeeper and the OCSP process.

Update: Apple has shared a response to Paul’s concerns in an updated support document that includes what macOS does to protect your privacy and security, and three new steps it will take in the future for greater privacy and flexibility.

We learned why that happened at a high level yesterday; now security researcher Jeffrey Paul has shared a deep dive of his understanding along with his privacy and security concerns for Macs, especially Apple Silicon ones.

cpe:2.3:o:apple:macos_server:5.

As Apple launched its new macOS operating system to the public yesterday, serious server outages occurred that saw widespread Big Sur download/install failures, iMessage and Apple Pay go down, and, more than that, even performance issues for users running macOS Catalina and earlier.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. The vulnerability exists due to insufficient sanitization of user-supplied data within the Profile Manager component when parsing URLs. The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')