macOS Archive
A third XProtect was discovered in Ventura, this time observing potentially malicious behaviour such as attempts to access private data for browsers and messaging apps. This XProtect Behaviour Service (XBS) has used a set of Bastion rules embedded in the strings in syspolicyd to record behaviours in a new database, but so far has been an observer and hasn’t blocked such behaviours. Security researchers have already been able to discover its records of novel malicious code, and Chris Long has documented how to access its database, but so far syspolicyd has only watched and recorded. Recent descriptions of Bastion rules have identified four, last updated in syspolicyd in macOS 13.5 on 24 July 2023. Those changed on 8 August, when Apple released its first update to the Bastion rules, and again a month later on 1 September, when they changed again. There’s now a fifth Bastion rule, and XBS appears to be getting ready to fly for the first time. If you had told me in 2005 or so, when I was a fervent Mac user, that one day, macOS would come with an extensive set of antivirus and antimalware tools that ran silently in the background, checking everything you do on your computer – I’d have thought you were crazy. But here we are.
I’ve been working off and on doing further Mac-ification to my updated fork of MacLynx, the System 7-compatible port of the venerable text browser Lynx for classic 68K Macintoshes (and Power Macs) running A/UX 3.x or System 7.x and later. There’s still more to do, but a lot has been worked in since I last dropped beta 4, so it’s time for another save point. Meet MacLynx “beta 5”. Extraordinary work, and a great way to keep an old Mac connected to the web.
macOS Catalina and later include an anti-malware scanning service, XProtect Remediator (XPR), that periodically checks your Mac for known malware. If it detects anything untoward, it tries to remove it in a process Apple terms remediation. Because this is all performed as a background service, XPR doesn’t inform you when it scans, or when it detects and remediates malware. Instead it records those events in the log, and in Ventura and later makes them available to third-party software through Endpoint Security events. To help you keep track of this, three of my utilities report on XPR: SilentKnight runs a quick check on the last 24 hours, as can Mints, and XProCheck provides detailed reports for periods of up to 30 days. Every few weeks I get a flurry of comments here, and emails, when those using XProCheck, or browsing the log, notice warnings and strange behaviour by XPR. This article explains what’s happening, and why it’s perfectly healthy. It seems absolutely bizarre to me that such malware scans just happen in the background without informing the user when it finds anything. That feels a lot like treating the symptoms while the patient’s sleeping, without informing them they’re sick.
31 years ago Tetris Max for the Macintosh was born, an improved clone of Tetris, and it became an insanely popular Mac game during the 1990s. I may or may not have had some involvement in its development. Macintosh System 6 was the current OS version at the time of the game’s release, but System 7 was introduced shortly afterwards. It’s recently come to my attention that the final version of Tetris Max (v2.9.1) may not work when running System 6 on certain Mac hardware, even though the game was advertised as System 6 compatible. I haven’t yet been able to fully verify this myself, but there’s a Macintosh Garden bug report from ironboy36 in 2022, and more recently a detailed bug report complete with video (thank you James!). Obviously I need to fix this stuff ASAP – 31-year-old bug be damned. And I need your help! Consider this a group debugging effort. This is such a cool story. If anyone can contribute to fixing this – please help them out.
One of the coolest things to come along in the 68K Mac homebrew community is the ROM Boot Disk concept. Classic Macs have an unusually large ROM that contains a fair bit of the Mac OS, which was true even in the G3 New World Mac era (it was just on disk), so it’s somewhat surprising that only one Mac officially could boot the Mac OS entirely from ROM, namely the Macintosh Classic (hold down Cmd-Option-X-O to boot from a hidden HFS volume with System 6.0.3). For many Macs that can take a ROM SIMM, you can embed a ROM volume in the Mac ROM that can even be mirrored to a RAM disk. You can even buy them pre-populated. How’s that for immutability? Well, it turns out Apple themselves were the first ones to implement a flashable Mac OS ROM volume in 1994, but hardly anyone noticed — because it was only ever used publicly in a minority subset of one of the most unusual of the Macintosh-derived systems, the Apple Interactive Television Box (a/k/a AITB or the Apple Set Top Box/STB). And that’s what we’re going to dig into — and reprogram! — today. I had never heard of this obscure Apple product, so I was like a kid in a candy store reading this. Great weekend material.
A year ago, we compiled a model list of Macs spanning over two decades, complete with their launch dates, discontinuation dates, and all the available information about the macOS updates each model received. We were trying to answer two questions: How long can Mac owners reasonably expect to receive software updates when they buy a new computer? And were Intel Macs being dropped more aggressively now that the Apple Silicon transition was in full swing? The answer to the second question was a tentative “yes,” and now that we know the official support list for macOS Sonoma, the trendline is clear. The only thing this article makes clear is that if Apple truly cared about its customers, it would post exactly how much longer each Mac is planned to be supported.
As some of us learned in the last week, it’s easy to uninstall a troublesome Rapid Security Response (RSR). Several naturally asked why that isn’t possible with a macOS update, pointing out that it was available and worryingly popular between High Sierra and Catalina 10.15.2, since when the ability has been lost. The answer is as straightforward as you’d expect: the updates themselves, as well as the update process, have become more complicated than they used to be, and rollback would be difficult to implement. As such, the advice for those unhappy with a new macOS version is as simple as it is disruptive: For those who decide that they want to roll back a macOS update on an Apple silicon Mac, by far the simplest procedure is to back the Mac up fully, put it into DFU mode, use Configurator 2 to restore the IPSW image for the previous version of macOS including its firmware, then to migrate the backup to that fresh boot disk. That also caters for all problems that may have arisen with the update. Apple always moves forwards, never backwards – even when you might want to.
The general trend of macOS releases over the past few years is that it has been moving closer and closer to the look and feel of iOS. The icons have become iOS icons, and their shape has become the iOS shape, and you can now use your iPhone as the Mac’s webcam, etc. etc. This occasionally comes at the expense of other functionality (ask me how I feel about the new Settings menu), but it is the direction that Apple has clearly been heading in since (arguably) Big Sur. Every so often, other splashy features are announced (Stage Manager, Universal Control, Quick Notes) that I write a lot about and then never end up using ever again. So, good news for Continuity fans: that’s basically what’s going on with Sonoma. Ventura looked a heck of a lot like iOS, and Sonoma looks even more like iOS. I turned my office’s Mac Studio on after installing the developer beta and thought, for a second, that I might be hallucinating my iPhone’s lockscreen. It’s remarkably reminiscent. It’s crazy how Microsoft always seems to be doing things about 10 years before everyone else catches on, for better or worse. I’m not a fan of the iOS look, and it looks whacky and childish to me when ported to the Mac – especially since macOS has also become almost Windows-like by having so many application frameworks, some from iOS, some from macOS, and some a weird combination of the two. It’s making macOS far messier and more inconsistent than it used to be, leaving the Linux desktop as the last bastion of people who value a desktop-first, consistent interface. If you told me this 10-15 years ago, I’d have called you crazy, but we’re now living in a world where a GTK or Qt desktop is far more consistent and focused on the desktop than Windows and macOS, which both feel lost in the woods at the moment.
macOS is fortunate to have access to the huge arsenal of standard Unix tools. There are also a good number of macOS-specific command-line utilities that provide unique macOS functionality. There’s some real cool stuff in here.
In this blog we’ll look at what it takes to construct an in-memory loader for Mach-O bundles within MacOS Ventura without using dyld. We’ll walk through the lower-level details of what makes up a Mach-O file, how dyld processes load commands to map areas into memory, and how we can emulate this to avoid writing payloads to disk. I also recommend reading this post alongside the code published here to fully understand the individual areas called out. In keeping with Apple’s migration to ARM architecture, this post will focus on the AARCH64 version of MacOS Ventura and XCode targeting macOS 12.0 and higher. With that said, let’s dig in. This is well beyond my pay grade, but I’m sure some of the more advanced macOS nerds among you will love this.
Apple today announced macOS Sonoma, the latest version of its Mac operating system. Launching this fall, macOS Sonoma includes several new features, including desktop widgets, Apple TV-like aerial screensavers, enhancements to apps like Messages and Safari, a new Game mode that prioritizes CPU and GPU performance for gaming, and more. Apple also showed off iOS 17, watchOS 10, and iPadOS 17. iOS 17 features personalized contact posters with photos, Memojis, and eye-catching typography that appear during calls and in the updated address book. A new Live Voicemail feature brings live transcription in real time, allowing old-school call screening. Users can now pick up the phone mid-voicemail, and transcription is handled on-device. Developer betas will be available starting today, with the final releases expected in the Fall.
MacDock is like the Dock in modern macOS. To use it, simply launch the program. MacDock will be visible at the bottom of your screen. You will see your running applications on the list (limited to 7 applications). Clicking on any of them switches you to the app. I love little projects like these. Even today, they make using older systems just a little bit less alien.
While trying to fix my printer today, I discovered that a PDF copy of Satoshi Nakamoto’s Bitcoin whitepaper apparently shipped with every copy of macOS since Mojave in 2018. I’ve asked over a dozen Mac-using friends to confirm, and it was there for every one of them. The file is found in every version of macOS from Mojave (10.14.0) to the current version (Ventura), but isn’t in High Sierra (10.13) or earlier. A peculiar find indeed, considering the utter uselessness and wastefulness that is cryptocurrency.
A bit of background. When macOS Monterey was announced, Apple added an orange dot indicator that appears on top of everything whenever the microphone is in use. Kidding, it was quite a nice privacy addition actually. We could finally see in realtime when an app used the microphone, and what app that is. But this wasn’t something that everyone wanted. And so begins a detailed article about how to hide the orange dot indicator. Can it be done without disabling System Integrity Protection?
While developing mirrord, which heavily relies on injecting itself into other people’s binaries, we ran into some challenges posed by macOS’s SIP (System Integrity Protection). This post details how we ultimately overcame these challenges, and we hope it can be of help to other people hoping to learn about SIP, as we’ve learned the hard way that there’s very little written about this subject on the internet. Potentially useful information for macOS developers.
One unfortunate fact of my life is that I have to deal with an obscure database whose macOS drivers require the addition of a directory to DYLD_LIBRARY_PATH for their Python driver to find them. To make matters worse, Apple’s CLI tools strip that variable away as part of macOS’s System Integrity Protection (SIP) before running a command. Given that DYLD_* environment variables are a known attack vector for Mac malware, that’s a good thing in general. However, sometimes one needs a workaround to get the job done. Some of this made sense to me.
Via Hackaday: We’re used to the so-called “Hackintoshes”, non-Apple hardware running MacOS. One we featured recently was even built into the case of a Nintendo Wii. But Dandu has gone one better than that, by running MacOS on an unmodified Wii, original Nintendo hardware (French, Google Translate link). How has this seemingly impossible task been achieved? Seasoned Mac enthusiasts will remember the days when Apple machines used PowerPC processors, and the Wii uses a PowerPC chip that’s a close cousin of those used in the Mac G3 series of computers. Since the Wii can run a Linux-based OS, it can therefore run Mac-on-Linux, providing in theory an environment in which it can host one of the PowerPC versions of MacOS. So it’s not really running MacOS 9.2.2 directly on the hardware, but it’s close enough. Impressive work.
I like to do some retro programming, but SheepShaver, the best Mac emulator out there, has a bug that makes copy and paste not function, so it is kind of hard to use. I was recently made aware that there is a tool named mpw (lowercase) that emulates just enough of classic MacOS to run Apple’s MPW compiler suite’s command line tools on MacOS X. So I thought I’d give it a try and set that up. The audience for this is probably quite small, but information and tools like this are vital in keeping old platforms approachable for developers and enthusiasts.
TinyClock is a tiny true 5-arch universal Mac OS X single-binary GUI application. Single universal binary, that can be natively executed on every hardware platform Mac OS X was made for (32/64 bit, PowerPC/x86/AppleSilicon). Just fun.
FUSE-T is a kext-less implementation of FUSE for macOS that uses an NFS v4 local server instead of a kernel extension. The main motivation for this project is to replace macfuse, which implements its own kext to make FUSE work. With each version of macOS it’s getting harder and harder to load kernel extensions. Apple strongly discourages it and, for this reason, software distributions that include macfuse are very difficult to install. With Apple locking down macOS more and more, developers have to resort to ingenious solutions to maintain the same level of functionality as before. This is an example of that.