• Apple tried to patch this security hole in macOS Finder but didn't consider upper and lowercase characters

  Apple's macOS Finder application is currently vulnerable to a remote code execution bug, despite an apparent attempt to fix the problem.

  A security advisory published Tuesday by the SSD Secure Disclosure program, on behalf of researcher Park Minchan, explains that macOS Finder – which provides a visual interface for interacting with files – is vulnerable to documents with the .inetloc extension.

  "[T]hese files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user," the advisory says.

• Apple Training Videos Highlight Company's Adversarial Stance On Affordable Repairs

  Apple has never looked too kindly upon users actually repairing their own devices. The company's ham-fisted efforts to shut down, sue, or otherwise imperil third-party repair shops are well established. As are the company's efforts to force recycling shops to shred Apple products (so they can't be refurbished and re-used), and Apple's often comical attacks on essential right to repair legislation, which only sprung up after companies like Apple, Microsoft, Sony, John Deere, and others created a grass-roots counter-movement via their attempts to monopolize repair.

• OMIGOD: Azure users running Linux VMs need to update now [Ed: They need to abandon Microsoft Azure and get reprimanded by the employer for ever choosing this NSA company as a host in the first place]

• Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed

• Microsoft Patch Tuesday, September 2021 Edition

  Microsoft today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks. Also, Apple has issued an emergency update to fix a flaw that’s reportedly been abused to install spyware on iOS products, and Google‘s got a new version of Chrome that tackles two zero-day flaws. Finally, Adobe has released critical security updates for Acrobat, Reader and a slew of other software.

• Apple Patches Up Devices In Response To The Exposure Of Yet Another NSO Group Exploit

  Israeli digital arms merchant NSO Group continues to sell its malware to a wide variety of governments. The governments it sells to, which includes a bunch of notorious human rights abusers, continue to use these exploits to target dissidents, activists, journalists, religious leaders, and political opponents. And the manufacturers of the devices exploited by governments to harm people these governments don't like (NSO says "criminals and terrorists," long-term customers say "eh, whoever") continue to patch things up so these exploits no longer work.

• It's not just you: Emergency software patches are on the rise

  Researchers raised the alarm Monday about a big one: The Israeli spyware company NSO Group, which sells programs for governments to remotely take over people’s smartphones and computers, had figured out a new way into practically any Apple device by sending a fake GIF through iMessage. The only way to guard against it is to install Apple’s emergency software update.

• Apple Rushes Out Emergency Update to Stop ‘No Click’ Spyware

  The flaw, disclosed Monday by Citizen Lab, allowed a hacker using NSO’s Pegasus malware to gain access to a device owned by an unnamed Saudi activist, according to security researchers. Apple said the flaw could be exploited if a user on a vulnerable device received a “maliciously crafted” PDF file.

Sometimes file thumbnails in Nautilus aren’t enough. Sometimes you need a closer look at a file, photo, or folder to make sure it’s the one you actually want, but without the hassle of opening a full-blown app to find out.

And that’s where GNOME Sushi comes in.

GNOME Sushi is an alternative to macOS ‘Quick Look‘ for Linux desktops that use Nautilus, aka GNOME’s famous file manager.

You select a file in Nautilus, tap the spacebar, and an instantaneous (and usually interactive) preview of the file appears — no need to open a full app.

Sushi supports file previews for most plain-text documents, including scripts with syntax highlighting, as well PDFs, HTML files, and LibreOffice documents. Music and video file previews use the GStreamer framework to let you to seek/scrub through them.

• Cyber-Attack on Air India Led to Data Leak of 4.5 Million Fliers

  [Attackers] infiltrated the servers of Air India Ltd. and gained access to personal data of 4.5 million fliers, the nation’s flag carrier said.

  Personal data of passengers registered between August 2011 and February 2021 were compromised in the attack, the carrier said in a note to fliers that was shared via Twitter. The details included credit card and contact information and frequent flier data.

• Ransomware Moves from ‘Economic Nuisance’ to National Security Threat [iophk: Windows TCO]

  https://www.voanews.com/silicon-valley-technology/ransomware-moves-economic-nuisance-national-security-threat

  [...]

  While Blount, the Colonial Pipeline CEO, defended his decision to pay a ransom as “the right thing to do for the country,” law enforcement officials and cybersecurity experts say such hefty payments embolden cyber criminals to carrying out more attacks.

• FBI warns Conti ransomware gang struck health and emergency networks [iophk: Windows TCO]

  The Federal Bureau of Investigation said that the same group of online extortionists blamed for striking the Irish health system last week have also hit at least 16 U.S. medical and first response networks in the past year.

  In an alert made public Thursday by the American Hospital Association, the FBI said the cybercriminals using the malicious software dubbed ‘Conti’ have targeted law enforcement, emergency medical services, dispatch centers, and municipalities.

  The alert did not name the victims or go into detail about the nature or severity of the breaches, saying only that they were among more than 400 organizations worldwide targeted by “Conti actors.”

• Application Compatibility Hell: Microsoft set to remove Internet Explorer from Windows 10. (But 99% of it will linger.)

  Even NPR commented on Microsoft getting ready to remove Internet Explorer from Windows 10, but I thought I’d chime in and mention that you can do that today if you want to.

  Microsoft Edge has a thing called Internet Explorer Mode that can reload a site using the Trident engine from Internet Explorer.

  Due to the architecture of Internet Explorer, Trident is an embeddable component and Internet Explorer is just a small shell around that component. Internet Explorer Mode does not require the “Internet Explorer 11” feature to be turned on, so you can “remove” Internet Explorer and this Mode will still work in Microsoft Edge, should you turn it on.

  I’ve been trying out opening sites in IE Mode in Edge, and it’s pretty clear that Trident has aged quite badly and the only reason why you’d ever do this is if you ended up with some crap web application that nobody is going to fix anytime soon. Like the beneficiary enrollment page on One Walmart.

• QBittorrent Developer: “Apple app notarization is extortion pretending to be security. Issue closed.” Bonus: Ancient operating systems. (Windows)

  A developer of the popular Bittorrent protocol client “QBittorrent” closed the “Won’t run on macOS Catalina” bug (due to Apple’s fake security scam of software signing+notarization) by closing the issue.

  After a discussion, it wasn’t even about the $100 a year it would cost to get to get an Apple developer account so they could give a program away for free, or wondering if they could even get Apple to sign off on a Bittorrent app if they did, but that the infrastructure that you have to put in place to build, sign, and notarize Mac apps is daunting and not worth the pitiful amount of Mac users that it would bring in.

  So, the way to make it run is still turn off Gatekeeper, at least for however long Apple allows it.

  It’s not really your computer anyway. It ain’t done til GNU/Linux won’t run…. Oh wait, this too has happened.

• Federal Judge unimpressed with Tim Cook’s testimony.

  Per NPR, the first day of testimony in Epic’s lawsuit against Apple did not go well for CEO Tim Cook.

  It seems that the judge was the most skeptical of Cook’s arguments that the program that reduces “commissions” to Apple for small developers were sufficient, or that consumers had sufficient choice in the In-App Payments market because Android phones exist.

  Of course, that argument is ridiculous. Google’s commissions are exactly the same. The issue here is that the commissions themselves are too high and raise prices for the user. When Epic put it’s own in-app payment system into Fortnite, it passed some of the savings to the user. It cost 20% less than paying through Apple or Google.

  Jamie Zawinski had previously complained that Apple deliberately did things to discourage developers from giving away apps for iOS that are really free. For example, Google charges $25 once to get a Google developer account, and Apple charges $100 a year. Apple pressures people to make money so that they can take 30% of it.

  NPR goes on to mention the fact that iPhone sales have been stagnant for years. This is true, and there has not been a “next product” because Apple isn’t an innovative company. If they lose the in-app purchase revenue, money they are effectively stealing from their user (since the developer isn’t just absorbing it), they hit the skids.

• “Tim Apple” testifies in court on the App Store monopoly.

  Today, Tim Cook (“Tim Apple” as Trump called him), testifies on Apple’s App Store monopoly.

  Of course, people should know that they’re going to try to excuse their behavior on creating a “good experience” for users and to “keep things safe” from malware, and from a child that may not use the computer correctly.

  The problem with this model is that Apple has been using their monopoly to profit from doing essentially nothing except imposing ridiculous rules on app developers, censoring apps, and taking nearly a third of gross sales for providing a distribution service.

  Apple’s model makes the user lose on numerous fronts, and it makes software more expensive and costs jobs in the economy.

  They also can’t guarantee it’s secure. At issue is Fortnite adding its own payment method to bypass Apple’s store siphoning off their revenues.

  How did it get past app review? The code was set to do nothing for a while, so that it would get through the review and then activate later.

  If a payment mechanism can do that, so can malware, and once malware runs on a device it’s too late. It can gain more permissions by exploiting bugs in the firmware, and become a rootkit. At that point, it would be difficult for Apple to even get rid of it.

• Tim Cook’s Fortnite trial testimony was unexpectedly revealing

  Epic mustered its own arguments: people can still choose to keep their phones locked down, and they might want to access stores with even more carefully curated apps or even better privacy controls. It’s previously accused Apple of hypocrisy, pointing out anecdotal failures to catch specific apps (like a game called Ganja Farmer: Weed Empire) that violate App Store guidelines. “It’s not 100 percent. It’s not perfect. You will find mistakes being made,” Cook said when Apple’s counsel asked about those incidents. “But if you back up and look at it in the scheme of things, with 1.8 million or so apps on the store, we do a really good job.”

• Apple's Tim Cook grilled by judge overseeing Epic's Fortnite trial

  Apple says its control over the App Store promises security and reliability for users. Epic says it stifles competition.

• Apple App Store profits look 'disproportionate,' U.S. judge tells CEO Cook

• FOSS Patents: Friday for Fortnite

  No, I don't want to gloat, but it's mind-boggling what happened yesterday in that Oakland courtroom at the end of the main part (they're done apart from closing arguments on Monday) of the Epic Games v. Apple App Store antitrust trial. It's fair to say that at this point the question is most likely about remedies. Epic is on the winning track with respect to liability as Judge Yvonne Gonzalez Rogers of the United States District Court for the Northern District of California laid bare the bankruptcy of Apple's defenses. Being an App Store complainant myself (though I tried what I could to work things out), that's what I had hoped, but the hurdle was and remains high.

  After my final pretrial post and Twitter thread, I didn't comment on the trial itself or on the issues in it. I just noted some suspicious Twitter activity.

  I dialed in only for opening statements (followed by Epic Games CEO Tim Sweeney's testimony, which was almost inaudible) and for Apple CEO Tim Cook's testimony yesterday. In between, I just read other people's tweets (mostly not even in real time), particularly the ones by Protocol's Nick Statt (here's his report on how the judge "saved her best for last") and The Verge's Adi Robertson (here's his article, which contains a partial transcript of how Judge YGR grilled Tim Cook), but also others.

  After the first couple of days, I was profoundly worried. The judge had tough questions for Epic, and some of the answers might have been tactically suboptimal. The inflection point in the early phase of the trial was the testimony of Lori Wright, a Microsoft Xbox exec. As far as I could see on Twitter, it was just perfect and definitely eye-opening.