TeamViewer released TeamViewer 15.12 for macOS, which already supports Apple’s new custom architecture, Apple Silicon. The app is built to use the new architecture natively, without relying on the Rosetta 2 translation layer.
The latest TeamViewer client supports the Apple Silicon architecture as well as the new macOS Big Sur, the first macOS release to ship on Apple Silicon. The key benefits of the native build are improved performance and lower energy consumption, which matters for an app that is expected to run as reliably as TeamViewer.
“We establish connections between a huge number of devices based on all major operating systems. Ensuring horizontal connectivity is part of our DNA. Therefore, we are especially proud to run native on the Apple Silicon architecture right from the beginning,” said Christoph Schneider, Director Product Management at TeamViewer.
Apple ships Rosetta 2 alongside Apple Silicon; it translates programs built for Intel processors so they can run on the new architecture. Older versions of TeamViewer for Mac will still work, but they run through Rosetta 2 translation. For the best experience, TeamViewer recommends using the latest build, 15.12.
Starting January 2021, developers of Chrome extensions will have to certify their data use and privacy practices and provide information about the data collected by the extension(s), “in clear and easy to understand language,” in the extension’s detail page in the Chrome Web Store.
“We are also introducing an additional policy focused on limiting how extension developers use data they collect,” Google added.
Privacy practices get more attention
Two weeks ago Apple announced that developers of apps offered through its App Store will have to provide privacy-focused labels so that users can review an app’s privacy practices before they download the app.
“You’ll need to provide information about your app’s privacy practices, including the practices of third-party partners whose code you integrate into your app, in App Store Connect,” Apple told app developers. “This information will be required to submit new apps and app updates to the App Store starting December 8, 2020.”
Now Google is requiring developers to provide similar information for Chrome extensions and, at the same time, is updating its developer policy to limit what extension developers can do with the data they collect.
Under the updated policy, extension developers are prohibited from selling user data, using it for personalized advertising or to establish users’ creditworthiness or lending eligibility, and transferring it to data brokers or other information resellers. They must also ensure that any use or transfer of user data primarily benefits the user and is in line with the extension’s stated purpose.
The privacy-related information will be shown in the Privacy practices tab of the extension’s Chrome Web Store listing:
Will this be enough?
If developers fail to provide data privacy disclosures and to certify they comply with the Limited Use policy, starting with January 18, 2021, their listing on the Chrome Web Store will say that the publisher has not provided any information about the collection or usage of user data (but the extension apparently won’t be pulled from the store).
Will this stop users from downloading such an extension? Will most users actually read the information provided in the Privacy practices tab? Unfortunately, the answer to these questions is no. Does Google check whether extension developers were truthful when they “certified” their data use practices? Google doesn’t say, but the answer is likely no, as the task would be massive and the claims difficult (if not impossible) to confirm at that scale.
The problem with Apple’s and Google’s latest app privacy transparency push is that the companies shift the responsibility onto app/extension users and developers, and that the sanctions for developers who don’t comply with the store policies are not enough to stop those that are set on abusing them.
Firewalls aren’t just for corporate networks. Large numbers of security- or privacy-conscious people also use them to filter or redirect traffic flowing in and out of their computers. Apple recently made a major change to macOS that frustrates these efforts.
Beginning with macOS Catalina, released last year, Apple added a list of 50 Apple-specific apps and processes that are exempted from third-party firewalls like Little Snitch and LuLu. The undocumented exemption, which didn’t take effect until those firewalls were rewritten for the changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend.
In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.) 🧐
Q: Could this be (ab)used by malware to also bypass such firewalls? 🤔
A: Apparently yes, and trivially so 😬😱😭 pic.twitter.com/CCNcnGPFIB
— patrick wardle (@patrickwardle) November 14, 2020
To demonstrate the risks that come with this move, Wardle—a former hacker for the NSA—showed how malware developers could exploit the change to make an end-run around a tried-and-true security measure. He set LuLu and Little Snitch to block all outgoing traffic on a Mac running Big Sur and then ran a small Python script that interacted with one of the processes Apple had exempted. The script had no trouble reaching a command and control server he set up to simulate the kind malware commonly uses to exfiltrate sensitive data.
“It kindly asked (coerced?) one of the trusted Apple items to generate network traffic to an attacker-controlled server and could (ab)use this to exfiltrate files,” Wardle, referring to the script, told me. “Basically, ‘Hey, Mr. Apple Item, can you please send this file to Patrick’s remote server?’ And it would kindly agree. And since the traffic was coming from the trusted item, it would never be routed through the firewall… meaning the firewall is 100% blind.”
Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that “essential security tools such as firewalls are ineffective” under the change.
Apple has yet to explain the reason behind the change. Firewall misconfigurations are often the source of software not working properly. One possibility is that Apple implemented the move to reduce the number of support requests it receives and make the Mac experience better for people not schooled in setting up effective firewall rules. It’s not unusual for firewalls to exempt their own traffic. Apple may be applying the same rationale.
But the inability to override the settings violates a core tenet that people ought to be able to selectively restrict traffic flowing from their own computers. In the event that a Mac does become infected, the change also gives hackers a way to bypass what for many is an effective mitigation against such attacks.
“The issue I see is that it opens the door for doing exactly what Patrick demoed… malware authors can use this to sneak data around a firewall,” Thomas Reed, director of Mac and mobile offerings at security firm Malwarebytes, said. “Plus, there’s always the potential that someone may have a legitimate need to block some Apple traffic for some reason, but this takes away that ability without using some kind of hardware network filter outside the Mac.”
People who want to see which apps and processes are exempt can open the macOS Terminal and run the following command (the list is stored in the framework’s Info.plist, so no third-party tooling is needed):
sudo defaults read /System/Library/Frameworks/NetworkExtension.framework/Resources/Info.plist ContentFilterExclusionList
The change came as Apple deprecated macOS kernel extensions, which let third-party code run inside the kernel itself. The deprecation included NKEs—short for network kernel extensions—that third-party firewall products used to monitor incoming and outgoing traffic.
In place of NKEs, Apple introduced a new user-mode framework called the Network Extension Framework. To run on Big Sur, all third-party firewalls that used NKEs had to be rewritten to use the new framework.
Apple representatives didn’t respond to emailed questions about this change. This post will be updated if they respond later. In the meantime, people who want to override this new exemption will have to find alternatives. As Reed noted above, one option is to rely on a network filter that runs outside their Mac. Another is PF, the Packet Filter firewall built into macOS, which filters at the IP layer below the Network Extension framework and is therefore not subject to the exclusion list, though it cannot match traffic by originating process the way LuLu or Little Snitch can.
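As an added example (not code from this article, from Apple, or from the LuLu or Little Snitch projects), the POSIX shell script below covers the two checks a practitioner would want at this point: it extracts the ContentFilterExclusionList entries from a NetworkExtension-style Info.plist, and it generates a PF ruleset that blocks a set of destinations at the IP layer, where packets from exempted Apple processes are still visible. The plist embedded in the script is a constructed sample in the same shape as Apple’s file, not the real list; the interface name en0 and the destination addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the article, Apple, or any firewall project.
# 1) list ContentFilterExclusionList entries from an Info.plist
# 2) emit PF rules that block chosen destinations for every process
#
# On a real Big Sur machine the list is read with:
#   sudo defaults read /System/Library/Frameworks/NetworkExtension.framework/Resources/Info.plist ContentFilterExclusionList
# The plist below is a CONSTRUCTED sample with the same structure; the
# entries are placeholders, not Apple's actual exempted items.
SAMPLE_PLIST="${TMPDIR:-/tmp}/ne_sample_info.plist"
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.NetworkExtension</string>
  <key>ContentFilterExclusionList</key>
  <array>
    <string>com.apple.example-app</string>
    <string>/usr/libexec/example-daemon</string>
    <string>com.apple.another-app</string>
  </array>
</dict>
</plist>
EOF

# Print the exclusion-list entries, one per line. Only the <string> items
# between the ContentFilterExclusionList key and the closing </array> count.
exclusion_list() {
  awk '
    /<key>ContentFilterExclusionList<\/key>/ { inlist = 1; next }
    inlist && /<\/array>/                    { exit }
    inlist && /<string>/ {
      sub(/^[ \t]*<string>/, ""); sub(/<\/string>.*$/, ""); print
    }' "$1"
}

# Number of exempted items (the real Big Sur list was reported at about 50).
exclusion_count() { exclusion_list "$1" | wc -l | tr -d ' '; }

# Emit a PF ruleset: a table of destinations and a quick outbound drop.
# PF sits at the IP layer, below the NetworkExtension content filter, so it
# also drops packets sent by exempted Apple processes. PF cannot match on the
# sending process, so the rule keys on destination address instead.
pf_block_rules() {
  iface="$1"; shift
  hosts=""
  for h in "$@"; do
    hosts="${hosts:+$hosts, }$h"
  done
  printf 'table <blocked_dst> persist { %s }\n' "$hosts"
  printf 'block drop out log quick on %s from any to <blocked_dst>\n' "$iface"
}

# Usage (assumed interface en0 and assumed test addresses):
exclusion_list "$SAMPLE_PLIST"
pf_block_rules en0 203.0.113.10 198.51.100.7 > "${TMPDIR:-/tmp}/block_dst.conf"
# On macOS: append the two lines to /etc/pf.conf (or an anchor) and reload with
#   sudo pfctl -f /etc/pf.conf && sudo pfctl -e
# then confirm with: sudo pfctl -sr
```

Loading a standalone file with `pfctl -f` replaces the active ruleset, including Apple’s default anchors, so in practice the generated lines belong in /etc/pf.conf or a dedicated anchor rather than on their own. The `log` keyword makes dropped packets visible on the pflog0 interface (`sudo tcpdump -n -e -ttt -i pflog0`), which is the quickest way to confirm that traffic from an exempted process is actually being stopped.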
Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.
The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.
The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.
As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19 pandemic, with more than half implementing MFA.
Cloud adoption also accelerated
Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.
As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.
“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”
Additional report findings
So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.
Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.
Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, up 5.4% year-over-year, while on-premises applications account for 18.5% of total authentications, down 1.5% since last year.
Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.
iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.
Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.
Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.
Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).
On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.
UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.
A Hamilton Beach Smart Coffee Maker that could eavesdrop, an Amazon Halo fitness tracker that measures the tone of your voice, and a robot-building kit that puts your kid’s privacy at risk are among the 37 creepiest holiday gifts of 2020 according to Mozilla.
Researchers reviewed 136 popular connected gifts available for purchase in the United States across seven categories: toys & games; smart home; entertainment; wearables; health & exercise; pets; and home office.
They combed through privacy policies, pored over product and app features, and quizzed companies in order to answer questions like: Can this product’s camera, microphone, or GPS snoop on me? What data does the device collect and where does it go? What is the company’s known track record for protecting users’ data?
The guide includes a “Best Of” category, which singles out products that get privacy and security right, while a “Privacy Not Included” warning icon alerts consumers when a product has especially problematic privacy practices.
Meeting minimum security standards
It also identifies which products meet Mozilla’s Minimum Security Standards, such as using encryption and requiring users to change the default password if a password is needed. For the first time, Mozilla also notes which products use AI to make decisions about consumers.
“Holiday gifts are getting ‘smarter’ each year: from watches that collect more and more health data, to drones with GPS, to home security cameras connected to the cloud,” said Ashley Boyd, Mozilla’s Vice President of Advocacy.
“Unfortunately, these gifts are often getting creepier, too. Poor security standards and privacy practices can mean that your connected gift isn’t bringing joy, but rather prying eyes and security vulnerabilities.”
Boyd added: “Privacy Not Included helps consumers prioritize privacy and security when shopping. The guide also keeps companies on their toes, calling out privacy flaws and applauding privacy features.”
What are the products?
37 products were branded with a “Privacy Not Included” warning label including: Amazon Halo, Dyson Pure Cool, Facebook Portal, Hamilton Beach Smart Coffee Maker, Livescribe Smartpens, NordicTrack T Series Treadmills, Oculus Quest 2 VR Sets, Schlage Encode Smart WiFi Deadbolt, Whistle Go Dog Trackers, Ubtech Jimu Robot Kits, Roku Streaming Sticks, and The Mirror
22 products were awarded “Best Of” for exceptional privacy and security practices, including: Apple Homepod, Apple iPad, Apple TV 4K, Apple Watch 6, Apple Air Pods & Air Pods Pro, Arlo Security Cams, Arlo Video Doorbell, Eufy Security Cams, Eufy Video Doorbell, iRobot Roomba i Series, iRobot Roomba s Series, Garmin Forerunner Series, Garmin Venu watch, Garmin Index Smart Scale, Garmin Vivo Series, Jabra Elite Active 85T, Kano Coding Kits, Withings Thermo, Withings Body Smart Scales, Petcube Play 2 & Bites 2, Sonos SL One, and Findster Duo+ GPS pet tracker
A handful of leading brands, like Apple, Garmin, and Eufy, are excelling at improving privacy across their product lines, while other top companies, like Amazon, Huawei, and Roku, are consistently failing to protect consumers.
Apple products don’t share or sell your data. They take special care to make sure your Siri requests aren’t associated with you. And after facing backlash in 2019, Apple doesn’t automatically opt-in users to human voice review.
Eufy Security Cameras are especially trustworthy. Footage is stored locally rather than in the cloud, and is protected by military-grade encryption. Further, Eufy doesn’t sell their customer lists.
Roku is a privacy nightmare. The company tracks just about everything you do — and then shares it widely. Roku shares your personal data with advertisers and other third parties, it targets you with ads, it builds profiles about you, and more.
Amazon’s Halo Fitness Tracker is especially troubling. It’s packed full of sensors and microphones. It uses machine learning to measure the tone, energy, and positivity of your voice. And it asks you to take pictures of yourself in your underwear so it can track your body fat.
Tech companies want a monopoly on your smart products
Big companies like Amazon and Google are offering a family of networked devices, pushing consumers to buy into one company. For instance: Nest users now have to migrate over to a Google-only platform. Google is acquiring Fitbit.
And Amazon recently announced it’s moving into the wearable technology space. These companies realize that the more data they have on people’s lives, the more lucrative their products can be.
Products are getting creepier, even as they get more secure
Many companies — especially big ones like Google and Facebook — are improving security. But that doesn’t mean those products aren’t invasive. Smart speakers, watches, and other devices are reaching farther into our lives, monitoring our homes, bodies, and travel. And often, consumers don’t have insight or control over the data that’s collected.
Connected toys and pet products are particularly creepy. Amazon’s KidKraft Kitchen & Market is made for kids as young as three — but there’s no transparency into what data it collects. Meanwhile, devices like the Dogness iPet Robot put a mobile, internet-connected camera and microphone in your house — without using encryption.
The pandemic is reshaping some data sharing for the better. Products like the Oura Ring and Kinsa smart thermometer can share anonymized data with researchers and scientists to help track public health and coronavirus outbreaks. This is a positive development — data sharing for the public interest, not just profit.
November Patch Tuesday and the end-of-year holidays are rapidly approaching. Microsoft gave us a late release or maybe an early gift depending upon how you look at the new version of Windows 10. The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020.
The big announcement this month is the release of Windows 10 version 20H2 on October 20. Yes, you read that correctly – not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!
This update follows the feature enablement model that began last year with Windows 10 versions 1903 and 1909. The new features in Windows 10 version 20H2 are also included in the October cumulative update for Windows 10 version 2004, although they are dormant. They can be turned on via a special enablement package.
A big change regarding servicing stack updates (SSU) and the latest cumulative updates (LCU) has finally been made – LCUs and SSUs have been combined into a single cumulative monthly update! Moving forward we don’t have to worry about managing these separately. Microsoft recommends applying the latest SSU for Windows 10, version 2004 and then you can forget about SSUs in the future because they are automatically applied as needed in the cumulative updates.
This release also includes a few security updates for Microsoft Defender Advanced Threat Protection (ATP), Microsoft Defender Application Guard for Office, and biometric enhancements for Windows Hello.
Each new release comes with its share of reported issues, so please review before you update to this latest version. From some of the forums I monitor, I’ve noted a lot of conversations around device drivers and device support in general. I suspect this is not an issue unique to Windows 10 version 20H2, but is part of a carryover from Microsoft now enforcing properly signed drivers, which began last month in the cumulative update. There are a lot of good reasons to update your OS, but always ‘look before you leap’ to ensure a smooth transition.
November 2020 Patch Tuesday forecast
- Expect Microsoft to get back on track this month. There was a major dip in common vulnerabilities and exposures (CVEs) addressed last month, and for the first time I can remember there were no updates for Internet Explorer or Edge. Anticipate updates for the standard operating systems, browsers, Office, and extended support updates for Windows 7 and Server 2008. Servicing stack updates to include ESUs are expected.
- Security updates were released this week for Adobe Acrobat and Reader, so I don’t expect anything next week.
- Apple released their latest security updates for iTunes and iCloud in late September. The next updates will probably show up late this month or early December.
- Google Chrome 86 was updated this week with a few security updates; there is a slight chance another release may come out on Patch Tuesday but don’t count on it.
- Mozilla Firefox and Thunderbird were updated in mid-October. We should see some additional security updates next week.
It looks like an average Patch Tuesday for November. If you have some spare time, check out Microsoft’s latest and greatest in Windows 10 version 20H2.
Hacking Apple for Profit
Five researchers hacked Apple Computer’s networks — not their products — and found fifty-five vulnerabilities. So far, they have received $289K.
One of the worst of all the bugs they found would have allowed criminals to create a worm that would automatically steal all the photos, videos, and documents from someone’s iCloud account and then do the same to the victim’s contacts.
Lots of details in this blog post by one of the hackers.
A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple’s trusted T2 security chip and gain deep system access. The flaw is one researchers have also been using for more than a year to jailbreak older models of iPhones. But the fact that the T2 chip is vulnerable in the same way creates a new host of potential threats. Worst of all, while Apple may be able to slow down potential hackers, the flaw is ultimately unfixable in every Mac that has a T2 inside.
In general, the jailbreak community hasn’t paid as much attention to macOS and OS X as it has iOS, because they don’t have the same restrictions and walled gardens that are built into Apple’s mobile ecosystem. But the T2 chip, launched in 2017, created some limitations and mysteries. Apple added the chip as a trusted mechanism for securing high-value features like encrypted data storage, Touch ID, and Activation Lock, which works with Apple’s “Find My” services. But the T2 also contains a vulnerability, known as Checkm8, that jailbreakers have already been exploiting in Apple’s A5 through A11 (2011 to 2017) mobile chipsets. Now the checkra1n team, the same group that developed the tool for iOS, has released support for bypassing the T2.
On Macs, the jailbreak allows researchers to probe the T2 chip and explore its security features. It can even be used to run Linux on the T2 or play Doom on a MacBook Pro’s Touch Bar. The jailbreak could also be weaponized by malicious hackers, though, to disable macOS security features like System Integrity Protection and Secure Boot and install malware. Combined with another T2 vulnerability that was publicly disclosed in July by the Chinese security research and jailbreaking group Pangu Team, the jailbreak could also potentially be used to obtain FileVault encryption keys and to decrypt user data. The vulnerability is unpatchable, because the flaw is in low-level, unchangeable code for hardware.
“The T2 is meant to be this little secure black box in Macs—a computer inside your computer, handling things like Lost Mode enforcement, integrity checking, and other privileged duties,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “So the significance is that this chip was supposed to be harder to compromise—but now it’s been done.”
Apple did not respond to WIRED’s requests for comment.
There are a few important limitations of the jailbreak, though, that keep this from being a full-blown security crisis. The first is that an attacker would need physical access to target devices in order to exploit them. The tool can only run off of another device over USB. This means hackers can’t remotely mass-infect every Mac that has a T2 chip. An attacker could jailbreak a target device and then disappear, but the compromise isn’t “persistent”; it ends when the T2 chip is rebooted. The Checkra1n researchers do caution, though, that the T2 chip itself doesn’t reboot every time the device does. To be certain that a Mac hasn’t been compromised by the jailbreak, the T2 chip must be fully restored to Apple’s defaults. Finally, the jailbreak doesn’t give an attacker instant access to a target’s encrypted data. It could allow hackers to install keyloggers or other malware that could later grab the decryption keys, or it could make it easier to brute-force them, but Checkra1n isn’t a silver bullet.
“There are plenty of other vulnerabilities, including remote ones that undoubtedly have more impact on security,” a Checkra1n team member tweeted on Tuesday.
In a discussion with WIRED, the Checkra1n researchers added that they see the jailbreak as a necessary tool for transparency about T2. “It’s a unique chip, and it has differences from iPhones, so having open access is useful to understand it at a deeper level,” a group member said. “It was a complete black box before, and we are now able to look into it and figure out how it works for security research.”
The exploit also comes as little surprise; it’s been apparent since the original Checkm8 discovery last year that the T2 chip was vulnerable in the same way. And researchers point out that while the T2 chip debuted in 2017 in the iMac Pro, it only recently rolled out across the entire Mac line. Older Macs with a T1 chip, or with no security chip at all, are unaffected. Still, the finding is significant because it undermines a crucial security feature of newer Macs.
Jailbreaking has long been a gray area because of this tension. It gives users freedom to install and modify whatever they want on their devices, but it is achieved by exploiting vulnerabilities in Apple’s code. Hobbyists and researchers use jailbreaks in constructive ways, including to conduct more security testing and potentially help Apple fix more bugs, but there’s always the chance that attackers could weaponize jailbreaks for harm.
“I had already assumed that since T2 was vulnerable to Checkm8, it was toast,” says Patrick Wardle, an Apple security researcher at the enterprise management firm Jamf and a former NSA researcher. “There really isn’t much that Apple can do to fix it. It’s not the end of the world, but this chip, which was supposed to provide all this extra security, is now pretty much moot.”
Wardle points out that for companies that manage their devices using Apple’s Activation Lock and Find My features, the jailbreak could be particularly problematic both in terms of possible device theft and other insider threats. And he notes that the jailbreak tool could be a valuable jumping off point for attackers looking to take a shortcut to developing potentially powerful attacks. “You likely could weaponize this and create a lovely in-memory implant that, by design, disappears on reboot,” he says. This means that the malware would run without leaving a trace on the hard drive and would be difficult for victims to track down.
The situation raises much deeper issues, though, with the basic approach of using a special, trusted chip to secure other processes. Beyond Apple’s T2, numerous other tech vendors have tried this approach and had their secure enclaves defeated, including Intel, Cisco, and Samsung.
“Building in hardware ‘security’ mechanisms is just always a double-edged sword,” says Ang Cui, founder of the embedded device security firm Red Balloon. “If an attacker is able to own the secure hardware mechanism, the defender usually loses more than they would have if they had built no hardware. It’s a smart design in theory, but in the real world it usually backfires.”
In this case, you’d likely have to be a very high-value target to register any real alarm. But hardware-based security measures do create a single point of failure that the most important data and systems rely on. Even if the Checkra1n jailbreak doesn’t provide unlimited access for attackers, it gives them more than anyone would want.
This story originally appeared on wired.com.
It’s October and that means Halloween will be here at the end of the month. It won’t be much fun if we only get to ‘dress up’ and look at each other via video conference. But then, we’ve had a lot of ‘tricks’ thrown at us this last month – Zerologon, explosion of ransomware, COVID phishing attacks, and more. Will we get more tricks next week or are we in for a treat on Patch Tuesday?
The Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472, also referred to as the Zerologon vulnerability, dominated the news this past month. The US Department of Homeland Security issued Emergency Directive 20-04 on September 18, requiring all government agencies with a domain controller to update their servers within three days.
Microsoft has also issued updated guidance since the August Patch Tuesday release to clarify the steps needed to secure systems with this vulnerability. Per the outlined process in the article, the first step is to apply the August 11 updates which will begin enforcement of Secure RPC (Remote Procedure Call), but still allow non-compliant devices to connect and log the connections. Full enforcement will begin with the deployment of the February 9, 2021 updates.
All systems in your environment should be updated and monitored between now and February to verify they are configured and using the secure channels properly. Once the February updates are deployed, only non-compliant devices explicitly allowed through the “Domain controller: Allow vulnerable Netlogon secure channel connections” Group Policy will still be able to connect to the domain controller; everything else that has not moved to Secure RPC will be refused.
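As an added example (not from this article or from Microsoft), the POSIX shell script below triages the Netlogon events a domain controller logs during the monitoring phase, so you can see which machine and trust accounts would be cut off when enforcement begins. The event IDs are the ones Microsoft documents for the August 2020 update: 5827 and 5828 for vulnerable connections denied (machine and trust accounts respectively), 5829 for vulnerable connections still allowed during monitoring, and 5830 and 5831 for connections allowed only because of a Group Policy exception. The CSV embedded in the script is constructed sample data in a simplified three-column shape, not a real export; a real one would typically come from the System log on each DC.

```shell
#!/bin/sh
# Added example, not from the article or from Microsoft: triage Netlogon
# Secure RPC events during the Zerologon monitoring phase.
# Event IDs (Microsoft's documented values for the August 2020 update):
#   5827 / 5828  vulnerable connection DENIED (machine / trust account)
#   5829         vulnerable connection ALLOWED (monitoring phase only)
#   5830 / 5831  allowed because the account is listed in Group Policy
# The CSV below is CONSTRUCTED sample data: TimeCreated,Id,Account.
EVENTS="${TMPDIR:-/tmp}/netlogon_sample.csv"
cat > "$EVENTS" <<'EOF'
TimeCreated,Id,Account
2020-10-01T08:12:03,5829,WS-FINANCE-07$
2020-10-01T08:12:09,5829,PRINTSRV01$
2020-10-01T09:40:21,5827,OLD-NAS$
2020-10-01T10:02:45,5829,WS-FINANCE-07$
2020-10-01T11:15:00,5830,LEGACY-SCANNER$
2020-10-01T12:30:17,5828,CONTOSO-TRUST$
EOF

# Accounts that still connect without Secure RPC. Those logged as 5829 are
# accepted today but will be refused once the February 2021 enforcement
# update is installed; 5827/5828 are already being refused. Sorted, unique.
still_vulnerable() {
  awk -F, 'NR > 1 && ($2 == 5829 || $2 == 5827 || $2 == 5828) { print $3 }' "$1" | sort -u
}

# Accounts that connect only because of a Group Policy exception. These
# survive enforcement, so each one is a deliberate, documented risk to review.
policy_exceptions() {
  awk -F, 'NR > 1 && ($2 == 5830 || $2 == 5831) { print $3 }' "$1" | sort -u
}

# Number of events with a given ID, useful for trending 5829 toward zero.
count_for_id() {
  awk -F, -v id="$2" 'NR > 1 && $2 == id { n++ } END { print n + 0 }' "$1"
}

# Usage: print the accounts that need fixing before February.
echo "Accounts still using vulnerable Netlogon secure channels:"
still_vulnerable "$EVENTS"
echo "Accounts relying on a Group Policy exception:"
policy_exceptions "$EVENTS"
echo "5829 events seen: $(count_for_id "$EVENTS" 5829)"
```

Run it against each domain controller’s export (events are logged on the DC that handled the connection, so a single DC’s log is not the whole picture), and treat a non-empty `still_vulnerable` list as the work queue: patch or replace those systems before the February update, and only add a Group Policy exception for the ones that genuinely cannot be fixed.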
It’s not unexpected that the education community has been hit the hardest by cyberattacks in the past several months. Students of all ages are now spending many hours online in daily remote learning sessions and are constantly exposed to a full host of attacks. The Microsoft Security Intelligence center is showing that 62% of malware encounters are affecting this industry.
As funny as it may sound, this is partially an ‘education’ issue. Most students haven’t received any form of security training and need to be aware of phishing attacks and what to look for, the importance of strong passwords, the need to keep personal or ‘sensitive’ information private, and similar practices we in the industry often take for granted.
With the sudden increase of connections from personal computers, many of which are running out-of-date software, it is more important than ever to maintain solid security practices for the infrastructure and support systems. Teachers should be running authorized software and IT must be prepared to apply the latest security updates, especially for programs like Zoom, WebEx, GoToMeeting, etc., which are critical for remote learning. We’ll weather this storm and the good news is that we’ll have a more security-aware group entering the workforce in the upcoming years.
October 2020 Patch Tuesday forecast
- Microsoft continues to address record numbers of vulnerabilities each month. Expect that to continue in October. Microsoft Exchange Server received a major update last month, so I don’t expect another one. But we will see the standard updates for operating systems and Office, and extended support updates for Windows 7 and Server 2008.
- Select service stack updates (SSUs) should appear as they usually do.
- The last security updates for Adobe Acrobat and Reader were in August. There are no pre-announcements on their web site, but we may see an update.
- Apple will most likely release major security updates for iTunes and iCloud later in October if they maintain their quarterly schedule.
- Google Chrome 86 was released this Tuesday with significant security updates. Don’t expect any updates around Patch Tuesday.
- Security updates were released on September 22 for Mozilla Firefox and Thunderbird. We could see some additional updates next week.
In summary, expect the standard set of Microsoft releases, maybe some updates from Adobe, and probably two from Mozilla. Based on this limited list of updates, it sounds like we should be in for a treat!
About Bruce Schneier
I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School and a board member of EFF. This personal website expresses the opinions of neither of those organizations.
Apple has released iOS 14, with a bucketload of new and improved functional features and a handful of privacy and security ones.
New privacy and security features in iOS 14
The new iOS will tell you when an app is using your camera or microphone
It will show an indicator dot (green for when camera or camera+microphone is in use, orange for microphone) in the top right part of the device’s screen.
The downside is that it’s fairly small and you might miss it if other things are happening on the screen. The upside is that you can check which app most recently used your camera or microphone via the Control Center.
Of course, you can deny access to your camera and microphone to any app through the Privacy settings.
You can share with apps your approximate location instead of the precise one
Go to Settings > Privacy and Location Services > Location Services, and you can configure for each app whether you want it to access your device’s location “only while the app is in use”, “always”, “never”, or you want the app to ask you for permission each time you run it (then you get the option to give it permission to access your location “Only once”).
When you allow location access for an app, you’ll get the option to provide your precise location or leave it to the app to determine your approximate location (the latter is good enough for apps that show local news or weather).
You can choose to share with apps just some photos
Under Privacy > Photos you can see which apps have requested access to your photos and you can choose to restrict each app’s access just to selected photos or photo albums (or none).
You can limit tracking
Each time you connect to a Wi-Fi network your phone will show a different MAC address. This is to prevent ISPs and advertisers from tracking your movements (i.e., seeing when and where you connect to a network), and this option is on by default.
In Settings > Privacy > Tracking, you can choose to not allow apps to send you a request to track you. If you do that, “any app that attempts to ask you for your permission will be blocked from asking and automatically informed that you have requested not to be tracked. In addition, all apps, other than those that you have previously given permission to track, will be blocked from accessing the device’s Advertising Identifier.”
If you allow tracking, tracking permissions can also be controlled on a per-app basis.
It has to be pointed out, though, that these app tracking options will start working as intended in early 2021, when these privacy controls become mandatory for developers.
“We want to give developers the time they need to make the necessary changes, and as a result, the requirement to use this tracking permission will go into effect early next year,” Apple explained.
Facebook complained earlier this year that these new privacy requirements would have a significant negative impact on its advertising business.
You will be able to see a summary of an app’s privacy practices before you download it from the App Store
You still can’t see these because app developers have yet to roll them out, but when they are ready, you’ll be able to peruse these summaries through an “App Privacy” button on the listing in the store, and they will look something like this:
You’ll be able to see which tracking cookies have been blocked
The Safari mobile browser has been updated to show a Privacy Report, which shows all the cross-site tracking cookies it has blocked in the last 30 days if you turned on Prevent Cross-Site Tracking in Safari’s Privacy and Security Settings.
The report is accessible from the AA menu in the browser’s address bar.
You’ll be notified if a password you stored in the iCloud Keychain has been spotted in a known data breach
To turn this option on, go to Settings > Passwords > Security Recommendations and toggle on Detect Compromised Passwords. For the secure password monitoring to work, iCloud Keychain has to be enabled.
In iOS 14, Apple has also fixed a number of security vulnerabilities, including:
- A vulnerability in an integrated drive electronics (IDE) component that could allow a remote authenticated attacker to execute arbitrary code on a paired device during a debug session over the network (CVE-2020-9992)
- A logic issue affecting the sandbox that may allow a malicious application to access restricted files (CVE-2020-9968)
Apple has released Safari 14, which features many functional improvements, a Privacy Report that shows all the trackers the browser has neutralized, and no longer supports Adobe Flash.
Safari 14 sports a redesign of the tab bar, which now displays site favicons by default and previews of the contents of some pages (when the user hovers over a tab), and a customizable start page.
It also features improved extension support, as Apple has already put things in motion to allow app developers to easily convert their existing extension into a Safari web extension or build a new one, and support for.
But on to the Safari 14 privacy and security additions:
The Privacy Report shows the cross-site trackers that Intelligent Tracking Prevention (ITP) prevented from accessing identifying information, and how many and which trackers the visited websites sport. It also shows which entity is behind each tracker.
ITP uses on-device machine learning to identify and block the trackers, and known trackers are independently verified by DuckDuckGo. Safari blocks trackers only if the “Prevent cross-site tracking” option is turned on, and the Privacy Report can only be compiled if users have turned ITP on.
The report is accessible through the “Safari” tab, via the start page, and via the shield-style icon to the left of the browser’s address bar.
Secure password monitoring
Safari 14 will notify users when one of their saved passwords in iCloud Keychain has shown up in a data breach (iCloud Keychain has to be enabled, of course).
It will also allow them to immediately change the password by pointing them to the correct page for each website (if the admin has specified the page’s URL in the web server’s .well-known directory).
Removed support for Adobe Flash for improved security
Adobe Flash has been a thorn in security-minded users’ and cybersecurity professionals’ side for many years, as its vulnerabilities were often exploited by attackers.
Three years ago, browser makers announced that they would drop Flash support by the end of 2020, and now the time has come for the move. Adobe Flash will reach end-of-life on December 31, 2020.
Apple has fixed four WebKit vulnerabilities in Safari 14. All can be triggered by the browser processing maliciously crafted web content and three could lead to arbitrary code execution.
More information about and a PoC for the one discovered by Marcin “Icewall” Noga of Cisco Talos can be found here.
Shlayer adware creators have found a way to get their malicious payload notarized by Apple, allowing it to bypass anti-malware checks performed by macOS before installing any software.
What is Apple Notarization?
Apple uses a number of technologies to prevent malware from being offered for download on the App Store and from being run on Apple-developed devices:
- App Review: Apps are reviewed by Apple before being published on the App Store, and have to comply with specific guidelines to get accepted
- Code Signing: Developers sign their apps with a developer certificate issued by Apple to assure users that the app is from a known source and hasn’t been modified since it was last signed. The macOS Gatekeeper verifies the developer certificate and checks the known-malware list when the application is first opened, and blocks the app from running if it’s known malware or if it doesn’t recognize the developer (certificate)
- Notarization: An automated check that scans software for malicious content and checks for code-signing issues. If the package passes the check, it gets a ticket that proves notarization has been successful, and the ticket “tells” Gatekeeper that Apple notarized the software, i.e., that it is effectively safe to run.
Apple Notarization is a relatively new security mechanism that, in theory, should detect malicious software and prevent it from being installed on a macOS system. But, as it turns out, it’s not foolproof.
Notarized macOS malware
The first known instance of notarized macOS malware was discovered last week, by a college student who noticed that people who want to download Homebrew (downloadable from brew.sh) and make the mistake of entering the wrong URL (homebrew.sh) are getting served with a warning saying their Adobe Flash Player is out of date and offering an update for download.
Security researcher Patrick Wardle analyzed the served package and confirmed that it is not, in fact, an update, but a notarized version of the macOS Shlayer adware, which doesn’t get detected as malicious by Gatekeeper.
This particular variant of this common adware would be detected by various third-party antivirus applications, but there are still many macOS users that don’t run one as they believe that Macs can’t get malware.
How is this possible?
“We’re still not exactly sure what the Shlayer folks did to get their malware notarized, but increasingly, it’s looking like they did nothing at all,” said Apple security expert Thomas Reed, who compared the code of the notarized and that of an older (not notarized) Shlayer sample and spotted minor changes.
“It’s entirely possible that something in this code, somewhere, was modified to break any detection that Apple might have had for this adware. Without knowing how (if?) Apple was detecting the older sample, it would be quite difficult to identify whether any changes were made to the notarized sample that would break that detection,” he pointed out.
“This leaves us facing two distinct possibilities, neither of which is particularly appealing. Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point.”
Wardle notified Apple about the notarized Shlayer adware on August 28 and they revoked the used notarization certificates immediately. Two days later, though, the adware delivery campaign was still going strong: it was serving another Shlayer sample that had been notarized with another Apple Developer ID.
“The attackers’ ability to agilely continue their attack (with other notarized payloads) is noteworthy. Clearly in the never ending cat & mouse game between the attackers and Apple, the attackers are currently (still) winning,” Wardle commented.
Reed pointed out that notarizing malicious software is just one of the ways adware distributors are trying to bypass macOS and user defenses.
“We’re seeing quite a few cases where malware authors have stopped signing their software, and have instead been shipping it with instructions to the user on how to run it,” he explained.
“The malware comes on a disk image (.dmg) file with a custom background. That background image shows instructions for opening the software, which is neither signed nor notarized.”
CoSoSys announced its commitment to offer zero-day support and the launch of a kextless agent for customers who manage Apple devices in the organization. The company’s top-rated product, Endpoint Protector, is one of the most trusted and widely used macOS and multi-OS DLP solutions on the market.
“For us, it was important from the beginning to provide a DLP solution that focuses on the needs of customers with large macOS deployments,” said Roman Foeckl, CEO and founder of CoSoSys.
“Now as Macs are more popular in large enterprises, we continue our mission of helping companies in ensuring data security and staying compliant with Apple’s new security requirements.”
With Endpoint Protector, companies can put an end to data leaks and data theft, minimize the risk of insider threats, and ensure compliance with data protection regulations. A truly cross-platform solution from the beginning, Endpoint Protector’s easy-to-use tool helps organizations protect their data regardless of the operating system.
The upcoming launch of Endpoint Protector Enterprise brings major upgrades and multiple benefits such as user remediation and management console to macOS, Windows, and Linux customers to even better support the needs of large, sophisticated deployments.
As Mac use continues to increase in the enterprise, ensuring the security and compliance of regulated data is vital. Endpoint Protector’s highlighted support for macOS users includes:
- Kextless agent: The latest version of Endpoint Protector comes with a kextless agent built on Apple’s new Endpoint Security Framework, making Endpoint Protector a pioneer DLP vendor to release an agent that doesn’t use a KEXT (kernel extension). With the release of macOS 10.15, Apple started to deprecate kernel extensions and encouraged a kextless approach.
- Zero-day support: Endpoint Protector continues its history of offering zero-day support for Apple’s new operating systems.
- Legacy system extension: In 2019, Apple informed developers that macOS Catalina is the last macOS that fully supports legacy system extensions. Endpoint Protector’s legacy client will continue to work on older macOS versions (from macOS 10.8 to macOS 10.15).
- Notarized kernel extensions (KEXTs): The legacy macOS client version of Endpoint Protector is notarized under the Apple notarization requirement, which gives users more confidence that the software they download and run has been checked for known security issues.
If you haven’t yet opted for automatic Apple security updates, it’s time to update your iDevices and software again.
The lightweight Apple security updates
The security update for Xcode – an integrated development environment for macOS containing a suite of software development tools developed by Apple for developing software for macOS, iOS, iPadOS, watchOS, and tvOS – offers no details about fixed security issues.
- Three buffer overflow flaws in libxml2, a software library for parsing XML documents
- Ten security vulnerabilities in the WebKit browser engine, six of which could lead to arbitrary code execution if maliciously crafted web content is processed.
The tvOS update contains all those fixes, plus patches for a few kernel flaws, several vulnerabilities that could allow a malicious application to execute arbitrary code with system privileges, and one vulnerability stemming from poor handling of icon caches that could be exploited by a malicious application to identify what other applications a user has installed.
The watchOS update also fixes that last flaw, as well as some of the three libxml2 vulnerabilities, several of the code execution flaws affecting WebKit, the kernel security holes, and a logic issue affecting Messages, which could allow a person with physical access to a locked device to respond to messages even when replies are disabled.
The heftier updates
iOS 13.4 and iPadOS 13.4 bring, among other things, fixes for:
- The aforementioned WebKit, libxml2, kernel and icon flaws
- CVE-2020-9770, a logic issue that could allow an attacker in a privileged network position to intercept Bluetooth traffic
- The aforementioned flaw affecting the privacy of Messages on a locked device
- A flaw in Mail that could allow a local user to view deleted content in the app switcher
- Two Safari flaws, one of which could make users grant website permissions to a site they didn’t intend to
- A WebApp flaw that could allow a maliciously crafted page to interfere with other web contexts
Safari 13.1 delivers all the WebKit fixes and plugs a hole that could allow a malicious iframe to use another website’s download settings. (With Safari 13.1, Apple also started blocking third-party cookies.)
The macOS security updates (macOS Catalina 10.15.4, Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra) fix a wider variety of flaws, including:
- Those already mentioned in libxml2, kernel, icons
- Bluetooth vulnerabilities that could allow a malicious application to read restricted memory or execute arbitrary code with kernel privileges
- CVE-2020-9776, a flaw that could allow a malicious application to access a user’s call history
- Several flaws that could allow an application to gain elevated privileges
- A sudo issue that could allow an attacker to run commands as a non-existent user
- CVE-2020-3906, a vulnerability that could allow a maliciously crafted application to bypass code signing enforcement.
Mac threats are growing faster than their Windows counterparts for the first time ever, with nearly twice as many Mac threats detected per endpoint as Windows threats, according to Malwarebytes.
In addition, cybercriminals continue to focus on business targets with a diversification of threat types and attack strategies in 2019.
Emotet and TrickBot were back in 2019
In addition, a wave of new hack tools and registry key disablers made a splashy debut, reflecting greater sophistication used by today’s business-focused attackers.
Threat actors are becoming more creative
Adware was particularly problematic for consumers and businesses on Windows, Mac and Android devices, deploying aggressive techniques for serving up advertisements, hijacking browsers, redirecting web traffic and proving extremely difficult to uninstall.
“A rise in pre-installed malware, adware and multi-vector attacks signals that threat actors are becoming more creative and increasingly persistent with their campaigns,” said Marcin Kleczynski, CEO of Malwarebytes.
“It is imperative that, as an industry, we continue to raise the bar in defending against these sophisticated attacks, actively protecting both users and businesses by flagging and blocking all programs that may violate their privacy, infect their devices, or even turn the infrastructure they depend on against them.”
Mac threats are growing, other threats in the spotlight
Mac threats significantly ramp up – An average of 11 threats per Mac endpoint were detected in 2019—nearly double the average of 5.8 threats per endpoint on Windows. Overall Mac threats increased by more than 400 percent, year-over-year.
Business detections continued to rise – In 2019, global business threats rose 13 percent to about 9.6 million detections.
HackTools triumph – With consumer detections of HackTools up 42 percent, this is a threat to watch in 2020, bolstered by families such as MimiKatz, which also targeted businesses.
Dynamic duo does damage – TrickBot and Emotet once again reigned globally, targeting businesses heavily in the last year. Emotet was the second-most detected threat against businesses in 2019.
Meanwhile, TrickBot saw enormous growth, with business detections on-the-rise by 52 percent, year-over-year.
Ransomware is rampant – Ransomware targeted cities, schools and healthcare organizations with increased vigor in 2019. Newer ransomware families saw the highest growth, with Ryuk business detections up by 543 percent, year-over-year, and Sodinokibi increasing by 820 percent since its introduction in May 2019.
Beware of adware – Adware increased 13 percent, year-over-year, for consumers and 463 percent for businesses. Seven of the 10 top consumer threat families were adware variants, as well as five of the top 10 business threat families.
Pre-installed malware became pervasive – The top-rated mobile threat in 2019 was a team of pre-installed potentially unwanted program (PUP) variants that combined for 321,103 detections.
These auto installers ship with Android devices and are used to update the phone’s firmware—but they also take and sell personal information.
Just keep skimming – Credit card skimmers, or Magecart, were one of the most prevalent web threats in 2019. Magecart activity will continue in 2020 with more e-commerce platforms targeted.
Key targets shift – The services sector leapfrogged over education and retail, snagging the top spot for industries impacted by threats in 2019. Notably this includes managed service providers (MSPs), which are being leveraged to take advantage of their network of clients.
Apple is rolling out a new update to its iOS operating system that addresses the location privacy issue on iPhone 11 devices that was first detailed here last month.
Beta versions of iOS 13.3.1 include a new setting that lets users disable the “Ultra Wideband” feature, a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature.
In December, KrebsOnSecurity pointed out the new iPhone 11 line queries the user’s location even when all applications and system services are individually set never to request this data.
Apple initially said the company did not see any privacy concerns and that the location tracking icon (a small, upward-facing arrow to the left of the battery icon) appears for system services that do not have a switch in the iPhone’s settings menu.
Apple later acknowledged the mysterious location requests were related to the inclusion of an Ultra Wideband chip in iPhone 11, Pro and Pro Max devices.
The company further explained that the location information indicator appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.
Apple also stressed it doesn’t use the UWB feature to collect user location data, and that this location checking resided “entirely on the device.” Still, it’s nice that iPhone 11 users will now have a way to disable the feature if they want.
Spotted by journalist Brandon Butch and published on Twitter last week, the new toggle switch to turn off UWB now exists in the “Networking & Wireless” settings in beta versions of iOS 13.3.1, under Locations Services > System Services. Beta versions are released early to developers to help iron out kinks in the software, and it’s not clear yet when 13.3.1 will be released to the general public.
Two years ago, Apple abandoned its plan to encrypt iPhone backups in the iCloud in such a way that makes it impossible for it (or law enforcement) to decrypt the contents, a Reuters report claimed on Tuesday.
Based on information received by multiple unnamed FBI and Apple sources, the report says that the decision was made after Apple shared its plan for end-to-end encrypted iCloud backups with the FBI and the FBI objected to it.
According to the sources, Apple:
- Didn’t want to be attacked for or be seen as protecting criminals
- Was convinced by the FBI’s arguments (i.e., that being able to access the contents of iPhone backups in the iCloud is crucial to the success of thousands of investigations)
- Didn’t want to get into another court battle with the FBI over the matter or be used as an excuse for new legislation against encryption.
End-to-end encrypted iCloud backups are not available, but…
Apple and the FBI declined to comment on these claims. Also, more importantly, and despite how it might seem initially, “Reuters could not determine why exactly Apple dropped the plan.”
Whether the decision was made entirely or partly because of the FBI’s objections is, therefore, unknown. One of the Reuters sources – a former Apple employee – said it was possible the encryption project was dropped for other reasons (e.g., to prevent customers being locked out of their backups because they forgot their passphrase).
Daring Fireball publisher John Gruber pointed out the same thing, and said that he “would find it less surprising to know that Apple acquiesced to the FBI’s request not to allow encrypted iCloud backups than that Apple briefed the FBI about such a plan before it was put in place.”
If you want to keep your backups for your eyes only
Whether Apple has canceled its plan to offer encrypted iCloud backups for good or just temporarily, users need to be aware that some of the information they back up in the iCloud can be decrypted by Apple and, consequently, be made available to law enforcement.
The data that is encrypted end-to-end (i.e., is protected with a key derived from information unique to the user’s device and their device passcode) includes things like the iCloud Keychain (which includes all of the user’s saved accounts and passwords), Wi-Fi passwords and payment information.
Data that is encrypted in transit and on the server, but with a key known to Apple, includes the device’s backup, Safari history and bookmarks, photos, calendars, contacts, voice memos, and more.
And, while Messages in iCloud does use end-to-end encryption, if the user has iCloud Backup turned on, their backup includes a copy of the key protecting their Messages (so they can recover them if they lose access to iCloud Keychain and their trusted devices). That means that law enforcement can access them also, if Apple allows it.
In short: if you use an iPhone and you want all of your data to remain private and encrypted in a way that makes it impossible (or very, very difficult) for anyone to decrypt it, don’t back it up into iCloud. Instead, opt for an encrypted local backup on a Mac or PC through iTunes, choose a strong passphrase, and make sure to remember it.
Amazon, Apple, Google, and the Zigbee Alliance announced a new working group that plans to develop and promote the adoption of a new, royalty-free connectivity standard to increase compatibility among smart home products, with security as a fundamental design tenet.
Zigbee Alliance board member companies such as IKEA, Legrand, NXP Semiconductors, Resideo, Samsung SmartThings, Schneider Electric, Signify (formerly Philips Lighting), Silicon Labs, Somfy, and Wulian are also on board to join the working group and contribute to the project.
The goal of the Connected Home over IP project is to simplify development for manufacturers and increase compatibility for consumers. The project is built around a shared belief that smart home devices should be secure, reliable, and seamless to use.
By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.
The industry working group will take an open-source approach for the development and implementation of a new, unified connectivity protocol. The project intends to use contributions from market-tested smart home technologies from Amazon, Apple, Google, Zigbee Alliance, and others.
The decision to leverage these technologies is expected to accelerate the development of the protocol and deliver benefits to manufacturers and consumers faster.
The project aims to make it easier for device manufacturers to build devices that are compatible with smart home and voice services such as Amazon’s Alexa, Apple’s Siri, Google’s Assistant, and others.
The planned protocol will complement existing technologies, and working group members encourage device manufacturers to continue innovating using technologies available today.
Project Connected Home over IP welcomes device manufacturers, silicon providers, and other developers from across the smart home industry to participate in and contribute to the standard.
For a couple of years now, Apple has been exploring subscriptions as a way to bolster revenue in the face of slowing iPhone growth. This year saw a turning point in that strategy, with Apple TV+, Apple News+, and Apple Arcade joining the company’s suite of subscription services that already included Apple Music, AppleCare, and iCloud.
But as this is a relatively new frontier for the company (at least in terms of emphasis), Apple is still testing the waters of different approaches. The latest of these is the introduction of a discounted annual subscription to Apple Arcade priced at $49.99, about a $10 savings compared to the $4.99 monthly subscription that was introduced in September.
Apple Arcade offers subscribers Netflix-style access to around a hundred games on iPhone, iPad, Mac, and Apple TV. While many games have flown under the radar or not made much public impact, a few such as Sayonara Wild Hearts, Grindstone, What the Golf?, and Where Cards Fall have received rave reviews from consumers and critics or found significant financial success through the service.
Arcade is the culmination of an effort that Apple has made over the past couple of years to address the discoverability problem for games in the App Store for the company’s devices. The iPhone App Store has many gems, but they have historically been difficult to find or surface amidst a sea of poorly made titles or of gambling-like titles with exploitative mechanics and monetization schemes.
Apple first began emphasizing human-curation from the App Store with iOS 12, but Apple Arcade arrived with iOS 13 in September to make it more attractive still for consumers to find and play premium-quality mobile games. It also followed an effort by Apple to evangelize developers into offering their own individual app subscriptions, of which Apple would get a cut.
Apple has also experimented with subscription bundling by giving students who subscribe to Apple Music access to Apple TV+ (reports indicate the company is hoping to introduce an Amazon Prime-like bundle in the future, too) and by offering an indefinitely renewing monthly AppleCare+ subscription as an alternative to its previously (and still) offered two and three-year AppleCare packages.
A bug in iOS 13.3 allows children to easily circumvent the restrictions their parents or guardians set with the Communications Limit feature in Screen Time. Apple has said it plans to fix the problem in a future software update.
The iOS 13.3 update released earlier this week added the ability for parents to whitelist contacts for their kids to communicate with. Kids need the parents to input a passcode to talk to anyone not on the list, with an exception made for emergency services like 911. It was the flagship feature of the update.
Yesterday, CNBC published a report detailing a bug that allowed kids to easily circumvent the restrictions. It turns out that when contacts are not set to sync with iCloud by default, texts or calls from unknown numbers present children with the option to add the number as a new contact. Once that step has been taken, they can communicate freely with the contact.
Further, kids with access to an Apple Watch can ask Siri on the Watch to text or call a number on the paired iPhone, regardless of whether the number is whitelisted or not. CNBC notes that this does not work when Downtime, another parental control feature, is enabled, however.
Apple offered the following statement to CNBC as news of the issue spread:
This issue only occurs on devices set up with a non-standard configuration, and a workaround is available. We’re working on a complete fix and will release it in an upcoming software update.
Apple has faced a generally rocky launch with iOS 13 and its numerous subsequent smaller updates, such that the company has made plans to change how it tests and builds new software internally to avoid future problems. Our earlier report on that noted that sources close to Apple said the company had been happier with its software since the release of iOS 13.2. However, iOS 13.2 had a widespread memory issue affecting background apps, and iOS 13.3 now has this new Screen Time issue, meaning the two recent feature updates each came with a major bug.
Apple has released more bug fix updates since the iOS 13 launch than is usual after an annual update.