IOS

Apple Updates macOS and iOS To Address Spectre Vulnerability (engadget.com) 67

Days after Apple disclosed how it would be dealing with the Meltdown bug that affects modern computers, it's pushed out fixes for the Spectre exploit as well. From a report: iOS 11.2.2 includes "Security improvements to Safari and WebKit to mitigate the effects of Spectre," the company writes on its support page, while the macOS High Sierra 10.13.2 Supplemental Update does the same for your Mac laptop or desktop. Installing this update on your Mac will also update Safari to version 11.0.2.
iMac

iMac Pro Teardown Highlights Modular RAM, CPU and SSD Along With Redesigned Internals (macrumors.com) 128

Popular repair site iFixit has acquired an iMac Pro and opened it up to see what's inside. They tore down the base iMac Pro with an 8-core processor, 32GB of RAM, and a 1TB SSD. Mac Rumors reports the findings: iFixit found that the RAM, CPU, and SSDs in the iMac Pro are modular and can potentially be replaced following purchase, but most of the key components "require a full disassembly to replace." Standard 27-inch iMacs have a small hatch in the back that allows easy access to the RAM for post-purchase upgrades, but that's missing in the iMac Pro. Apple has said that iMac Pro owners will need to get RAM replaced at an Apple Store or Apple Authorized Service Provider. iFixit says that compared to the 5K 27-inch iMac, replacing the RAM in the iMac Pro is indeed "a major undertaking."

Apple is using standard 288-pin DDR4 ECC RAM sticks with standard chips, which iFixit was able to upgrade using its own $2,000 RAM upgrade kit. A CPU upgrade is "theoretically possible," but because Apple uses a custom-made Intel chip, it's not clear if an upgrade is actually feasible. The same goes for the SSDs -- they're modular and removable, but custom made by Apple. Unlike the CPU, the GPU is BGA-soldered into place and cannot be removed. The internals of the iMac Pro are "totally different" from other iMacs, which is unsurprising as Apple said it introduced a new thermal design to accommodate the Xeon-W processors and Radeon Pro Vega GPUs built into the machines. The new thermal design includes an "enormous" dual-fan cooler, what iFixit says is a "ginormous heat sink," and a "big rear vent."
Overall, iFixit gave the iMac Pro a repairability score of 3/10 since it's difficult to open and tough to get to internal components that might need to be repaired or replaced.
Desktops (Apple)

Intel Memory Access Design Flaw Partially Addressed by Apple in macOS 10.13.2 [Unconfirmed] (macrumors.com) 49

An anonymous reader shares a report: A serious design flaw and security vulnerability discovered in Intel CPUs has reportedly already been partially addressed by Apple in the recent macOS 10.13.2 update, which was released to the public on December 6. According to developer Alex Ionescu, Apple introduced a fix in macOS 10.13.2, with additional tweaks set to be introduced in macOS 10.13.3, currently in beta testing. AppleInsider also says that it has heard from "multiple sources within Apple" that updates made in macOS 10.13.2 have mitigated "most" security concerns associated with the KPTI vulnerability. A Bloomberg reporter pointed out that Apple has not officially commented on the story.
Desktops (Apple)

The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS (eclecticlight.co) 164

A reader shares a blog post that talks about why a Mac running High Sierra 10.13.2 (and other versions near it) refuses to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject: The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app also fails, with the report Operation not permitted.


Iphone

Apple Will Replace Old iPhone Batteries Regardless of Diagnostic Test Results (macrumors.com) 191

After apologizing to customers for slowing older iPhones down as the batteries degrade, Apple has started offering battery swaps for $29. This has led to some confusion as Apple did not clarify how it qualified batteries as eligible for the discounted replacement, as the Apple Genius Bar uses a diagnostic test to check whether a battery can retain 80 percent of its original capacity at 500 complete charge cycles. According to Mac Rumors, Apple has confirmed that they will replace the battery in your iPhone 6 or later even if it passes a Genius Bar diagnostic test. From the report: Apple has since independently confirmed to MacRumors that it will agree to replace an eligible battery for a $29 fee, regardless of whether an official diagnostic test shows that it is still able to retain less than 80 percent of its original capacity. The concession appears to have been made to mollify the anger of customers stoked by headlines suggesting that Apple artificially slows down older iPhones to drive customers to upgrade to newer models. Anecdotal reports also suggest that customers who paid $79 to have their battery replaced before the new pricing came into effect on Saturday, December 30, will receive a refund from Apple upon request.
Security

macOS Exploit Published on the Last Day of 2017 (bleepingcomputer.com) 62

An anonymous reader shares a report: On the last day of 2017, a security researcher going online by the pseudonym of Siguza published details about a macOS vulnerability affecting all Mac operating system versions released since 2002, and possibly earlier. Siguza did not notify Apple in advance, so at the time of writing, there is no fix for this flaw. Despite the doom and gloom, the vulnerability is only a local privilege escalation (LPE) flaw that can only be exploited with local access to a computer or after an attacker has already got a foothold on a machine. The vulnerability grants root access to an attacker. The issue affects the IOHIDFamily macOS kernel driver, a component that handles various types of user interactions. Siguza said he read about various flaws in this component and took a look at it to find new ways to compromise iOS, Apple's mobile operating system, where IOHIDFamily is also deployed. The expert says he found the LPE flaw in the IOHIDFamily code specific to macOS versions only. In a tweet, Siguza said, "My primary goal was to get the write-up out for people to read. I wouldn't sell to blackhats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable."
The Courts

Italian Clothing Company Defeats Apple, Wins the Right To Use Steve Jobs' Name (macrumors.com) 172

An Italian clothing company that uses the name "Steve Jobs" as its brand will be able to continue using the moniker after winning a multi-year legal battle, reports Italian site la Repubblica Napoli. Mac Rumors reports: Brothers Vincenzo and Giacomo Barbato named their clothing brand "Steve Jobs" in 2012 after learning that Apple had not trademarked his name. "We did our market research and we noticed that Apple, one of the best known companies in the world, never thought about registering its founder's brand, so we decided to do it," the two told la Repubblica Napoli. The Barbatos designed a logo that resembles Apple's own, choosing the letter "J" with a bite taken out of the side. Apple, of course, sued the two brothers for using Jobs' name and a logo that mimics the Apple logo. In 2014, the European Union's Intellectual Property Office ruled in favor of the Barbatos and rejected Apple's trademark opposition. While the outcome of the legal battle was decided in 2014, Vincenzo and Giacomo Barbato have been unable to discuss the case until now, as their claim on the brand was not settled until 2017. The two told la Repubblica Napoli that Apple went after the logo, something that may have been a mistake. The Intellectual Property Office decided that the "J" logo that appears bitten was not infringing on Apple's own designs as a letter is not edible and thus the cutout in the letter cannot be perceived as a bite. The report goes on to note that the company plans to produce electronic devices under the Steve Jobs brand.
Businesses

Amazon Music Ending Cloud MP3 Storage, Streaming Option (billboard.com) 107

Amazon is planning to retire its Music storage subscription service, the plan that enabled Amazon customers to upload their own music to the company's servers. From a report: Amazon Music Storage subscription plans, which let users upload music from their Mac or PC and stream them alongside the in-app on-demand and radio options, will be accepted until Jan. 15, 2018. Then, the service will run until January 2019, when it will be removed entirely. As of Monday this week, free plans -- which allow for 250 songs to be stored in the cloud -- are no longer able to upload new music to their MP3 locker.
Desktops (Apple)

Apple Plans Combined iPhone, iPad and Mac Apps To Create One User Experience (bloomberg.com) 247

An anonymous reader shares a Bloomberg report: Apple's iPhone and iPad introduced a novel way of interacting with computers: via easy-to-use applications, accessible in the highly curated App Store. The same approach hasn't worked nearly as well on Apple's desktops and laptops. The Mac App Store is a ghost town of limited selection and rarely updated programs. Now Apple plans to change that by giving people a way to use a single set of apps that work equally well across its family of devices: iPhones, iPads and Macs. Starting as early as next year, software developers will be able to design a single application that works with a touchscreen or mouse and trackpad depending on whether it's running on the iPhone and iPad operating system or on Mac hardware, according to people familiar with the matter. Developers currently must design two different apps -- one for iOS, the operating system of Apple's mobile devices, and one for macOS, the system that runs Macs. With a single app for all machines, Mac, iPad and iPhone users will get new features and updates at the same time.
Security

Maker of Sneaky Mac Adware Sends Security Researcher Cease-and-Desist Letters (zdnet.com) 87

Zack Whittaker, writing for ZDNet: The maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced version -- one that can gain root privileges and spy on the user's activities. News of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher at Cybereason. The adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper, who has tracked the malware and its different versions for over a year. Serper's detailed write-up is well worth the read. [...] TargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research. "We've received several letters over the past two weeks," Serper told ZDNet. "We decided to publish anyway because we're sick of shady 'adware' companies and their threats."
Networking

Ask Slashdot: What's the Best Way to Retrain Old IT Workers? 343

A medium-sized company just hired a new IT manager who wants advice from the Slashdot community about their two remaining IT "gofers": These people have literally been here their entire "careers" and are now near retirement. Quite honestly, they do not have any experience other than reinstalling Windows, binding something to the domain and the occasional driver installation -- and are more than willing to admit this. Given many people are now using Macs and most servers/workstations are running Linux, they have literally lost complete control over the company, with most of these machines sitting around completely unmanaged.

Firing these people is nearly impossible. (They have a lot of goodwill within other departments, and they have quite literally worked there for more than 60 years combined.) So I've been tasked with attempting to retrain these people in the next six months. Given they still have to do work (imaging computers and fixing basic issues), what are the best ways of retraining them into basic network, Windows, Mac, Linux, and "cloud" first-level help desk support?

Monster_user had some suggestions -- for example, "Don't overtrain. Select and target areas where they will be able to provide a strong impact." Any other good advice?

Leave your best answers in the comments. What's the best way to retrain old IT workers?
Chrome

Google Wants Progressive Web Apps To Replace Chrome Apps (androidpolice.com) 154

An anonymous reader quotes a report from Android Police: The Chrome Web Store originally launched in 2010, and serves as a hub for installing apps, extensions, and themes packaged for Chrome. Over a year ago, Google announced that it would phase out Chrome apps on Windows, Mac, and Linux in 2018. Today, the company sent out an email to developers with additional information, as well as news about future Progressive Web App support. The existing schedule is mostly still in place -- Chrome apps on the Web Store will no longer be discoverable for Mac, Windows, and Linux users. In fact, if you visit the store right now on anything but a Chromebook, the Apps page is gone. Google originally planned to remove app support on all platforms (except Chrome OS) entirely by Q1 2018, but Google has decided to transition to Progressive Web Apps:

"The Chrome team is now working to enable Progressive Web Apps (PWAs) to be installed on the desktop. Once this functionality ships (roughly targeting mid-2018), users will be able to install web apps to the desktop and launch them via icons and shortcuts; similar to the way that Chrome Apps can be installed today. In order to enable a more seamless transition from Chrome Apps to the web, Chrome will not fully remove support for Chrome Apps on Windows, Mac or Linux until after Desktop PWA installability becomes available in 2018. Timelines are still rough, but this will be a number of months later than the originally planned deprecation timeline of 'early 2018.' We also recognize that Desktop PWAs will not replace all Chrome App capabilities. We have been investigating ways to simplify the transition for developers that depend on exclusive Chrome App APIs, and will continue to focus on this -- in particular the Sockets, HID and Serial APIs."

Desktops (Apple)

Apple Snafu Means Updating To macOS 10.13.1 Could Reactivate Root Access Bug (betanews.com) 74

Mark Wilson writes: A few days ago, a serious security flaw with macOS High Sierra came to light. It was discovered that it was possible to log into the 'root' account without entering a password, and -- although the company seemed to have been alerted to the issue a couple of weeks back -- praise was heaped on Apple for pushing a fix out of the door quickly. But calm those celebrations. It now transpires that the bug fix has a bug of its own. Upgrade to macOS 10.13.1 and you could well find that the patch is undone. Slow hand clap.
Desktops (Apple)

High Sierra Root Login Bug Was Mentioned on Apple's Support Forums Two Weeks Ago (daringfireball.net) 85

John Gruber, reporting for DaringFireball: It's natural to speculate how a bug as egregious as the now-fixed High Sierra root login bug could escape notice for so long. It seems to have been there ever since High Sierra 10.3.0 shipped on September 25, and may have existed in the betas through the summer. One explanation is that logging in with the username "root" and a blank password is so bizarre that it's the sort of thing no one would think to try. More insidious though, is the notion that it might not have escaped notice prior to its widespread publicization yesterday -- but that the people who had heretofore discovered it kept it to themselves. This exploit was in fact posted to Apple's own support forums on November 13. It's a bizarre thread. The thread started back on June 8 when a user ran into a problem after installing the WWDC developer beta of High Sierra.
Desktops (Apple)

Apple To Review Software Practices After Patching Serious Mac Bug (reuters.com) 192

Apple said on Wednesday it would review its software development process after scrambling to patch a serious bug it learned of on Tuesday in its macOS operating system for desktop and laptop computers. From a report: "We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused," Apple said in a statement. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
Bug

MacOS High Sierra Bug Allows Login As Root With No Password (theregister.co.uk) 237

An anonymous reader quotes a report from The Register: A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug is triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff like configure privacy and network settings. If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen. The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended until you can fix the problem. And while obviously this situation is not the end of the world -- it's certainly far from a remote hole or a disk decryption technique -- it's just really, really sad to see megabucks Apple drop the ball like this. Developer Lemi Orhan Ergan was the first to alert the world to the flaw. The Register notes: "If you have a root account enabled and a password for it set, the blank password trick will not work. So, keep the account enabled and set a root password right now..."
OS X

New Windows Search Interface Borrows Heavily From MacOS (arstechnica.com) 86

An anonymous reader quotes a report from Ars Technica: Press clover-space on a Mac (aka apple-space or command-space to Apple users) and you get a search box slap bang in the middle of the screen; type things into it and it'll show you all the things it can find that match. On Windows, you can do the same kind of thing -- hit the Windows key and then start typing -- but the results are shown in the bottom left of your screen, in the Start menu or Cortana pane. The latest insider build of Windows, build 17040 from last week, has a secret new search interface that looks a lot more Mac-like. Discovered by Italian blog Aggiornamenti Lumia, set a particular registry key and the search box appears in the middle of the screen. The registry key calls it "ImmersiveSearch" -- hit the dedicated key, and it shows a simple Fluent-designed search box and results. This solution looks and feels a lot like Spotlight on macOS.
iMac

iMac Pro Will Have An A10 Fusion Coprocessor For 'Hey, Siri' Support and More Secure Booting, Says Report (theverge.com) 164

According to Apple firmware gurus Steven Troughton-Smith and Guilherme Rambo, the upcoming iMac Pro will feature an A10 Fusion coprocessor to enable two interesting new features. "The first is the ability for the iMac Pro to feature always-on 'Hey, Siri' voice command support, similar to what's currently available on more recent iPhone devices," reports The Verge. "[T]he bigger implication of the A10 Fusion is for a less user-facing function, with Apple likely to use the coprocessor to enable SecureBoot on the iMac Pro." From the report: In more practical terms, it means that Apple will be using the A10 Fusion chip to handle the initial boot process and confirm that software checks out, before passing things off to the regular x86 Intel processor in your Mac. It's not something that will likely change how you use your computer too much, like the addition of "Hey, Siri" support will, but it's a move toward Apple experimenting with an increased level of control over its software going forward.
Chrome

Slashdot Asks: Have You Switched To Firefox 57? 589

Yesterday, Mozilla launched Firefox 57 for Windows, Mac, Linux, Android, and iOS. It brings massive performance improvements as it incorporates the company's next-generation browser engine called Project Quantum; it also features a visual redesign and support for extensions built using the WebExtension API. Have you used Firefox's new browser? Does it offer enough to make you switch from your tried-and-true browser of choice? We'd love to hear your thoughts.
Mozilla

Firefox Quantum Arrives With Faster Browser Engine, Major Visual Overhaul (venturebeat.com) 323

An anonymous reader writes: Mozilla today launched Firefox 57, branded Firefox Quantum, for Windows, Mac, Linux, Android, and iOS. The new version, which Mozilla calls "by far the biggest update since Firefox 1.0 in 2004," brings massive performance improvements and a visual redesign. The Quantum name signals Firefox 57 is a huge release that incorporates the company's next-generation browser engine (Project Quantum). The goal is to make Firefox the fastest and smoothest browser for PCs and mobile devices -- the company has previously promised that users can expect "some big jumps in capability and performance" through the end of the year. Indeed, three of the four past releases (Firefox 53, Firefox 54, and Firefox 55) included Quantum improvements. But those were just the tip of the iceberg. Additionally, Firefox now exclusively supports extensions built using the WebExtension API, and unsupported legacy extensions will no longer work, the company said.
