Security

Google's Project Zero Team Releases Details On High-Severity macOS Bug 'BuggyCow' (wired.com) 40

Google's bug-hunting researchers known as Project Zero have revealed a fresh zero-day vulnerability in macOS called "BuggyCow." "The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac," reports Wired. "The trick's name is based on a loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory." From the report: Some programs, when dealing with large quantities of data, use an efficiency trick that leaves data on a computer's hard drive rather than potentially clog up resources by pulling it into memory. That data, like any data in a computer's memory, can sometimes be used by multiple processes at once. The MacOS memory manager keeps a map of its physical location to help coordinate, but if one of those processes tries to change the data, the memory manager's copy-on-write safeguard requires it to make its own copy. Which is to say, a program can't simply change the data shared by all the other processes -- some of which could be more highly privileged, sensitive programs than the one requesting the change.

Google's BuggyCow trick, however, takes advantage of the fact that when a program mounts a new file system on a hard drive -- basically loading a whole collection of files rather than altering just one -- the memory manager isn't warned. So a hacker can unmount a file system, remount it with new data, and in doing so silently replace the information that some sensitive, highly privileged code is using. Technically, as a zero-day vulnerability with no patch in sight, BuggyCow applies to anyone with an Apple laptop or desktop. But given the technical skill and access needed to pull it off, you shouldn't lose much sleep over it. To even start carrying out this Rube Goldberg-style attack, a hacker would need a victim to already have some form of malware running on their computer. And while BuggyCow would allow that malware to potentially mess with the inner workings of higher-privileged parts of the computer, it could do so only if it found a highly privileged program that kept its sensitive data on the hard drive rather than memory.
Project Zero says it warned Apple about BuggyCow back in November, but Apple hadn't acted to patch it ahead of last week's public reveal.
Businesses

How 'SimCity' Inspired a Generation of City Planners (latimes.com) 128

Jessica Roy, writing for LA Times: Thirty years ago, Maxis released "SimCity" for Mac and Amiga. It was succeeded by "SimCity 2000" in 1993, "SimCity 3000" in 1999, "SimCity 4" in 2003, a version for the Nintendo DS in 2007, "SimCity: BuildIt" in 2013 and an app launched in 2014. Along the way, the games have introduced millions of players to the joys and frustrations of zoning, street grids and infrastructure funding -- and influenced a generation of people who plan cities for a living.

For many urban and transit planners, architects, government officials and activists, "SimCity" was their first taste of running a city. It was the first time they realized that neighborhoods, towns and cities were things that were planned, and that it was someone's job to decide where streets, schools, bus stops and stores were supposed to go.

Chrome

Microsoft's Chromium-Based Edge Browser Looks Just Like Chrome (neowin.net) 128

Last December, Microsoft announced that it has embraced Google's Chromium open source project for Edge development on the desktop, a move that shocked many. We now have some leaked screenshots of the browser in its current state, and they appear to show a browser resembling Google Chrome. Neowin reports: A lot of the design language and icons have remained similar to what they were like before, but there are definitely many changes that will be familiar to Chrome users. For one, the options to see all your tabs and to set aside the currently open tabs have been removed compared to the current version of Edge. To the right of the address bar, you'll be able to find your extensions, as well as your profile picture similar to what Chrome looks like. Bing is integrated into the browser -- as you'd expect of a Microsoft-made browser -- and the New Tab background can be set to rotate based on Bing's image of the day. Scrolling down will reveal a personalized news feed powered by Microsoft News, similar to the old Edge. The layout of the feed can be customised based on your preference from among a number of options.

The settings options for the browser have also changed. While Edge settings are currently available via a slide-out menu from the right, the new Edge's settings are accessible through a new tab similar to Chrome. It'll show the Microsoft account you're logged into, as well as the usual array of toggles and tidbits you'd expect. Ominously, the about page for the browser now acknowledges the contributions of the Chromium project, as well as other open source software, a stark reminder that this isn't the Microsoft of yesteryear. This is a new browser, and a new Microsoft.

Programming

Researchers Uncover Ring of GitHub Accounts Promoting 300+ Backdoored Apps (zdnet.com) 54

An anonymous reader writes: A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries. The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code -- which appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers.

All the GitHub accounts that were hosting these files -- backdoored versions of legitimate apps -- have now been taken down. One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries. Another 73 apps were hosted across 88 other accounts.

Music

More People Bought Physical CDs and Vinyl Than Songs on iTunes Last Year (bgr.com) 160

An anonymous reader quotes BGR: Sales from individual song downloads have unsurprisingly been falling with no end in sight, thanks to the convenience of streaming options like Spotify and Apple Music. A new report, though, makes clear just how few people there are these days who will buy individual digital songs -- there are so few of them, in fact, that they were outnumbered in 2018 by people who went old-school and bought actual compact discs and vinyl records.

According to the Recording Industry Association of America, total download sales in 2018 -- for which iTunes led the pack -- dropped almost 30%, to a little more than $1 billion. Purchases of full album downloads likewise fell, by 25%. To put that in context, download sales represented more than 40% of the music industry's revenue back in 2013. Last year? About 11%.

Meanwhile, that drop in sales has resulted in a lop-sided reality that harkens back to the pre-iTunes days. Sales of physical media including CDs and vinyl, according to the RIAA's new report, were down 23 percent but totaled $1.15 billion, thus edging out digital download sales. Another interesting takeaway from the new report: Music fans bought almost $420 million worth of vinyl in 2018, which Cult of Mac notes in a piece today is almost as much as people spent buying album downloads from iTunes last year.

The RIAA reports that "virtually all the revenue growth" for 2018 came from streaming music platforms like Spotify, Apple Music, Amazon Music, and Tidal, which last year collectively added 1 million new subscribers every single month, and now have a record number of more than 50 million subscribers.

"By the way, don't be fooled into reading something positive about CDs from the title of this post," adds BGR. "While physical media sales were down 23%, CD sales themselves slipped 34% for the year to $698 million. That's the first time CD yearly revenue has come in below $1 billion since 1986."
Security

Cryptocurrency Wallet App Coinomi Caught Sending User Passwords To Google's Spellchecker (zdnet.com) 75

An anonymous reader shares a report: Coinomi wallet app sends user passwords to Google's spellchecking service in clear text, exposing users' accounts and their funds to man-in-the-middle (MitM) attacks during which attackers can log passwords and later empty accounts. The issue came to light yesterday after an angry write-up by Oman-based programmer Warith Al Maawali who discovered it while investigating the mysterious theft of 90 percent of his funds. Al Maawali says that during the Coinomi wallet setup, when users select a password (passphrase), Coinomi app grabs the user's input inside the passphrase textbox and silently sends it to Google's Spellcheck API service. [...] Coinomi, which offers a multi-cryptocurrency wallet app for Android, iOS, Linux, Mac, and Windows, did not respond to a request for comment.
Desktops (Apple)

Thunderbolt Vulnerabilities Leave Computers Wide-Open, Researchers Find (itnews.com.au) 90

Bismillah writes: Researchers have published the results of exploring how vulnerable Thunderbolt is to DMA attacks, and the answer is "very." Be careful what you plug into that USB-C port. Yes, the set of vulnerabilities has a name: "Thunderclap." "Thunderbolt, which is available through USB-C ports on modern laptops, provides low-level direct memory access (DMA) at much higher privilege levels than regular universal serial bus peripherals," reports ITNews, citing a paper published from a team of researchers from the University of Cambridge, Rice University and SRI International. "This opens up laptops, desktops and servers with Thunderbolt input/output ports and PCI-Express connectors to attacks using malicious DMA-enabled peripherals. The main defense against the above attacks is the input-output memory management unit (IOMMU) that allows devices to access only the memory needed for the job to be done. Enabling the IOMMU to protect against DMA attacks comes at a high performance cost however. Most operating systems trade off security for performance gains, and disable the IOMMU by default."

"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it," the report adds. "The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard. Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant."
Desktops (Apple)

Apple Expected To Move Mac Line To Custom ARM-Based Chips Starting Next Year, Says Report (axios.com) 356

Developers and Intel officials have told Axios that Apple is expected to move its Mac line to custom ARM-based chips as soon as next year. "Bloomberg offered a bit more specificity on things in a report on Wednesday, saying that the first ARM-based Macs could come in 2020, with plans to offer developers a way to write a single app that can run across iPhones, iPads and Macs by 2021," reports Axios. "The first hints of the effort came last year when Apple offered a sneak peek at its plan to make it easier for developers to bring iPad apps to the Mac." From the report: If anything, the Bloomberg timeline suggests that Intel might actually have more Mac business in 2020 than some had been expecting. The key question is not the timeline but just how smoothly Apple is able to make the shift. For developers, it will likely mean an awkward period of time supporting new and classic Macs as well as new and old-style Mac apps. The move could give developers a way to reach a bigger market with a single app, although the transition could be bumpy. For Intel, of course, it would mean the loss of a significant customer, albeit probably not a huge hit to its bottom line.
Desktops (Apple)

Apple To Target Combining iPhone, iPad and Mac Apps by 2021: Report (bloomberg.com) 124

Mark Gurman, reporting for Bloomberg: Apple wants to make it easier for software coders to create tools, games and other applications for its main devices in one fell swoop -- an overhaul designed to encourage app development and, ultimately, boost revenue. The ultimate goal of the multistep initiative, code-named "Marzipan," is by 2021 to help developers build an app once and have it work on the iPhone, iPad and Mac computers, said people familiar with the effort. That should spur the creation of new software, increasing the utility of the company's gadgets.

Later this year, Apple plans to let developers port their iPad apps to Mac computers via a new software development kit that the company will release as early as June at its annual developer conference. Developers will still need to submit separate versions of the app to Apple's iOS and Mac App Stores, but the new kit will mean they don't have to write the underlying software code twice, said the people familiar with the plan. In 2020, Apple plans to expand the kit so iPhone applications can be converted into Mac apps in the same way.
Further reading: Tim Cook, in April 2018: Users Don't Want iOS To Merge With MacOS.
Bug

Apple's Newest Macs Seem To Have a Serious Audio Bug (thurrott.com) 144

An anonymous reader writes: Apple's new Mac products might have a serious audio glitch for professional users. The company's newest Mac products with its T2 security chip suffer from a software-related bug that leads to issues with audio performance. The issue seemingly affects devices with the T2 chip -- that includes the iMac Pro, Mac Mini 2018, MacBook Air 2018, and MacBook Pro 2018. Although Apple's T2 chip is designed to offer improved security, it's affecting users in the pro audio industry.

As CDM reports, there is a bug in macOS that leads to dropouts and glitches in audio whenever a Mac automatically updates its system clock through the system time daemon. Users have been reporting the issue across a bunch of different pro audio forums for months, and it seems like the issue has never been acknowledged by Cupertino. The issue here is pretty simple to understand, as explained by a DJ software developer on Reddit: whenever the system time daemon automatically updates the system time, it somehow sends a 'pause-audio-engine' message to the kernel, leading to dropouts and glitches in audio.

Apple

Apple Plans To Launch an 'All-New' 16-inch MacBook Pro and 32-inch 6K Monitor This Year, Says Report (theverge.com) 211

Apple is planning an "all-new" MacBook Pro design for this year, well-connected analyst Ming-Chi Kuo has said. From a report: The lineup is reportedly led by a model with a screen of between 16 and 16.5 inches, which would make it the biggest screen in a Mac notebook since the 17-inch models stopped being sold in 2012. Kuo says the lineup may also include a 13-inch model with support for 32GB of RAM; right now only the 15-inch MacBook Pro can be configured with that amount of memory.

[...] More interestingly, Kuo has the first credible details of the external monitor that will mark Apple's return to the pro display market. It's said to be a 31.6-inch 6K display with a "Mini LED-like backlight design." Apple discontinued its last monitor, the Thunderbolt Display, back in 2016; right now the best option for owners of more modern Macs is the Apple-sanctioned but imperfect 27-inch LG UltraFine 5K.

Advertising

18,000 Android Apps Track Users By Violating Advertising ID Policies (bleepingcomputer.com) 33

18,000 Android apps with tens or hundreds of millions of installs on the Google Play Store have been found to violate Google's Play Store Advertising ID policy guidance by collecting persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, SIM card serial numbers, and sending them to mobile advertising related domains alongside ad IDs. Bleeping Computer reports: AppCensus is an organization based in Berkeley, California, and created by researchers from all over the world with expertise in a wide range of fields, ranging from networking and privacy to security and usability. The project is supported by "grants from the National Science Foundation, the Department of Homeland Security, and the Data Transparency Lab." By highlighting this behavior, AppCensus shows that while users are being offered the option to reset the advertising ID, doing so will not immediately translate into getting a new "identity" because app developers can also use a multitude of other identifiers to keep their tracking and targeting going.

Google did not yet respond to a report sent by AppCensus in September 2018 containing a list of 17,000 Android apps that send persistent identifiers together with ad IDs to various advertising networks, also attaching a list of 30 recipient mobile advertising related domains where the various IDs were being sent. While looking at the network packets sent between the apps and these 30 domains, AppCensus observed that "they are either being used to place ads in apps, or track user engagement with ads."
In a statement to CNET, a Google spokesperson said: "We take these issues very seriously. Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies."

Some of the most popular applications found to be violating Google's Usage of Android Advertising ID policies include Clean Master, Subway Surfers, Flipboard, My Talking Tom, Temple Run 2, and Angry Birds Classic. The list goes on and on, and the last app in the "Top 20" list still has over 100 million installations.
OS X

Shlayer Malware Disables macOS Gatekeeper To Run Unsigned Payloads (bleepingcomputer.com) 91

A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now capable of escalating privileges using a two-year-old technique and of disabling the Gatekeeper protection mechanism to run unsigned second stage payloads. Bleeping Computer reports: This new Shlayer variant unearthed by Carbon Black's Threat Analysis Unit (TAU) targets all macOS releases up to the latest 10.14.3 Mojave, and will arrive on the targets' machines as DMG, PKG, ISO, or ZIP files, some of them also signed with a valid Apple developer ID to make them look legitimate. Shlayer samples found by TAU also use malicious shell scripts to download additional payloads just like older installments did, and, in the case of samples distributed as DMG images, will surreptitiously launch a .command script in the background after the user launches the fake Flash installer. The malicious script included in the DMG is encoded using base64 and will decrypt a second AES encrypted script which will be executed automatically after being decrypted.

Once it successfully downloads the second stage malware payload, Shlayer will "to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline," presented by Patrick Wardle in his Death by 1000 Installers talk at DEFCON 2017. The next step is to download extra payloads which all contain adware according to TAU and it makes sure they'll be able to run on the compromised Mac by disabling the Gatekeeper protection mechanism. After this is accomplished, all extra payloads downloaded and launched by Shlayer will be seen as whitelisted software because the OS will no longer check if they are signed with an Apple developer ID. Also, just in case the malware is not able to disable Gatekeeper on the infected Mac, some of the second stage payloads are also signed with valid developer IDs.

Iphone

New iPhones To Stick With Lightning Over USB-C, Include Slow-Charging 5W USB-A Charger In Box (9to5mac.com) 248

For those hoping the next iPhone would ditch the Lightning port in favor of the more versatile USB-C port, you'll surely be disappointed by the latest rumor. "Japanese site Macotakara says that not only will the 2019 iPhone use Lightning, Apple will also continue to bundle the same 5W charger and USB-A to Lightning cable in the box," reports 9to5Mac. "This is seen as a cost saving measure. It seems that customers wanting faster iPhone charge times will still have to buy accessories, like the 12W iPad charger." From the report: The site explains that Lightning port is not going anywhere and Apple is resistant to changing the included accessories to maintain production costs. Apple can benefit from huge economies of scale by selling the same accessories for many generations. As such, Apple apparently will keep bundling Lightning EarPods, Lightning to USB-A cable, and the 5W USB power adaptor, with the 2019 iPhone lineup. This is disappointing as Apple began shipping an 18W USB-C charger with its iPad Pro line last fall, and many expected that accessory to become an iPhone standard too. Even if the iPhone keeps the Lightning port, Lightning can support fast-charging over the USB Type-C protocol. It's not clear if the cost savings of this decision would be passed on to consumers with lower cost 2019 iPhone pricing.
Security

Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty (venturebeat.com) 155

Linus Henze, a credible researcher, has revealed an exploit that in a single button press can reveal the passwords in a Mac's keychain. From a report: Keychain is where macOS stores most of the passwords used on the machine, ranging from iMessage private encryption keys to certificates, secured notes, Wi-Fi, and other Apple hardware passwords, app passwords, and web passwords. A pre-installed app called Keychain Access enables users to view the entire list of stored items, unlocking each one individually by repeatedly entering the system password, but Henze's KeySteal exploit grabs everything with a single press of a "Show me your secrets" button.

While the demo is run on a 2014 MacBook Pro without Apple's latest security chips, Henze says that it works "without root or administrator privileges and without password prompts, of course." It appears to work on the Mac's login and system keychains, but not iCloud's keychain. Generally, white hat security researchers publicly reveal flaws like this only after informing the company and giving it ample time to fix the issues. But Henze is refusing to assist Apple because it doesn't offer paid bug bounties for macOS.

Chrome

Chrome 72 Arrives With Code Injection Blocking, New Developer Features (venturebeat.com) 103

Following Mozilla's footsteps, Google has released Chrome 72 for Windows, Mac, and Linux. From a report: The release includes code injection blocking and new developer features. You can update to the latest version now using Chrome's built-in updater or download it directly from google.com/chrome. With over 1 billion users, Chrome is both a browser and a major platform that web developers must consider. In fact, with Chrome's regular additions and changes, developers often must make an effort to stay on top of everything available -- as well as what has been deprecated or removed -- most notably, Chrome 72 removes support for Chromecast setup on a computer. To set up a Chromecast, you'll now need to use a mobile device.

As this isn't a major release, there aren't many new features to cover. Chrome 72 for Windows, however, blocks code injections, reducing crashes caused by third-party software. The initiative to block code injections in Chrome started last year, with warnings letting users know that Chrome was fighting back. Those warnings are now gone, and Chrome blocks code injections full stop.
Further reading: All the Chromium-based browsers.
Businesses

Apple Says Profits Were Flat, Citing Slump In China (nytimes.com) 80

Due to an economic slowdown in China and diminishing demand for new iPhones, Apple's profits in its most recent quarter were flat compared with a year earlier. "The disappointing financial performance had been expected since Jan. 2, when Apple, for the first time in 16 years, revised its forecast for the quarter," reports The New York Times. "But the announcement on Tuesday indicates a difficult road ahead for Apple, which just five months ago became the first company to be worth more than $1 trillion. The company said it expected between $55 billion and $59 billion in revenue in the current quarter, just below analysts' expectations for $59 billion. Apple's earnings per share were $4.18, beating analysts' expectations by a penny."

In addition to the quarterly earnings, Apple reported revenue of $84.3 billion, a decline of 5 percent from one year ago. "Revenue from iPhone declined 15 percent from the prior year, while total revenue from all other products and services grew 19 percent," Apple said in a press release. Analysts had estimated revenue of $83.97 billion and earnings of $4.17 per share. "While it was disappointing to miss our revenue guidance, we manage Apple for the long term, and this quarter's results demonstrate that the underlying strength of our business runs deep and wide," said Tim Cook. Apple's active install base of 1.4 billion is "a great testament to the satisfaction and loyalty of our customers, and it's driving our services business to new records thanks to our large and fast-growing ecosystem," Cook said. The Verge adds: "iPhones account for 900 million of those devices. iPad revenues were up 17 percent against the year-ago quarter; Mac was up 9 percent; and Wearables/Home/Accessories were up by 33 percent."
Firefox

Firefox 65 Arrives With Content Blocking Controls, and Support for WebP and AV1 (venturebeat.com) 132

Firefox 65, the latest version of Mozilla's web browser, is now available for Windows, Mac, Linux, and Android platforms. The release brings simplified Content Blocking controls for Enhanced Tracking Protection and support for the WebP image format, with the Windows client getting an additional feature: support for the AV1 format. From a report: Across all platforms, Firefox can now handle Google's WebP image format. WebP supports both lossy and lossless compression and promises the same image quality as existing formats at smaller file sizes. Firefox 65 for desktop brings redesigned controls for the Content Blocking section to let users choose their desired level of privacy protection. You can access it by either clicking on the small "i" icon in the address bar and clicking on the gear on the right side under Content Blocking or by going to Preferences, Privacy & Security, and then Content Blocking.

Next, Firefox now supports AV1, the royalty-free video codec developed by the Alliance for Open Media. AV1 improves compression efficiency by more than 30 percent over the codec VP9, which it is meant to succeed. Lastly, Firefox's new Task Manager page (just navigate to about:performance or find it under "Other" in the main menu) is complete. Introduced in Firefox 64, Task Manager now reports memory usage for tabs and add-ons.

Firefox

Microsoft Project Manager Says Mozilla Should Get Down From Its 'Philosophical Ivory Tower,' Cease Firefox Development (zdnet.com) 444

An anonymous reader quotes a report from ZDNet: A Microsoft program manager has caused a stir on Twitter over the weekend by suggesting that Firefox-maker Mozilla should give up on its own rendering engine and move on with Chromium. "Thought: It's time for @mozilla to get down from their philosophical ivory tower. The web is dominated by Chromium, if they really 'cared' about the web, they would be contributing instead of building a parallel universe that's used by less than five percent?" wrote Kenneth Auchenberg, who builds web developer tools for Microsoft's Visual Studio Code.

Auchenberg's post referred to Mozilla's response to Microsoft's announcement in December that it would scrap Edge's EdgeHTML rendering engine for Chromium's. The move will leave Firefox's Gecko engine as the only alternative to Chromium, which is used by Opera and dozens of other browsers. Few people agreed with Auchenberg, including engineers from both Mozilla and Chromium. Long-serving Mozillian Asa Dotzler was not impressed. "Just because your employer gave up on its own people and technology doesn't mean that others should follow," Dotzler replied to Auchenberg. Auchenberg clarified that he didn't want to see Mozilla vanish, but said it should reorganize into a research institution "instead of trying to justify themselves with the 'protectors of the web' narrative."

China

A Tiny Screw Shows Why iPhones Won't Be 'Assembled in USA' (nytimes.com) 499

An anonymous reader shares a report: Despite a trade war between the United States and China and past admonishments from President Trump "to start building their damn computers and things in this country," Apple is unlikely to bring its manufacturing closer to home. A tiny screw illustrates why. [Editor's note: the link may be paywalled; alternative source.]

In 2012, Apple's chief executive, Timothy D. Cook, went on prime-time television to announce that Apple would make a Mac computer in the United States. It would be the first Apple product in years to be manufactured by American workers, and the top-of-the-line Mac Pro would come with an unusual inscription: "Assembled in USA." But when Apple began making the $3,000 computer in Austin, Tex., it struggled to find enough screws, according to three people who worked on the project and spoke on the condition of anonymity because of confidentiality agreements.

In China, Apple relied on factories that can produce vast quantities of custom screws on short notice. In Texas, where they say everything is bigger, it turned out the screw suppliers were not. Tests of new versions of the computer were hamstrung because a 20-employee machine shop that Apple's manufacturing contractor was relying on could produce at most 1,000 screws a day. The screw shortage was one of several problems that postponed sales of the computer for months, the people who worked on the project said. By the time the computer was ready for mass production, Apple had ordered screws from China.
