Hacker News new | ask | show | jobs
by concinds 639 days ago
Some other things that devs should know about Sequoia:

- If you're sticking to Sonoma for stability, be aware Apple doesn't backport all security patches. Apple's release notes show 79 security issues fixed in Sequoia, and only 37 fixed in Sonoma 14.7. Maybe some vulns were only introduced in the Sequoia betas, but based on previous years, that's mostly not the case. Apple only keeps you safe on the latest version.

- macOS Sequoia, released days ago, still includes vulnerable years-old binaries like LibreSSL 3.3.6, curl 8.7.1, and python 3.9.6. https://www.intego.com/mac-security-blog/apple-still-leaving... (I've tested it's still true on the final 15.0)
2 comments
dspillett 638 days ago
> Apple's release notes show 79 security issues fixed in Sequoia, and only 37 fixed in Sonoma 14.7.

Not an Apple fan myself (don't touch the stuff at all) but my first thought there would be to check if the "missing" fixes are for things broken in the new release that don't need fixing in the prior one.

> still includes vulnerable years-old binaries

Are these stock builds, so definitely have the problems you are concerned about, or could there be security updates backported as Debian do with older versions in their stable release?

link
whiterknight 639 days ago
I promise, you will be just fine without the security updates.
link
drawnwren 639 days ago
This is probably misguided. Apple includes the OS version number in the user agent, so an attacker can actually pay to have code delivered only to users with vulnerable versions of MacOS. (advertising marketplaces allow bidding by user agent)
link
whiterknight 638 days ago
Are you thinking of a safari exploit that allows JavaScript to get out of the safari process? What’s the attack scenario?
link
threeseed 639 days ago
The user agent is defined by the browser.

And it only contains: Intel Mac OS X 10_15_7 irrespective of what Mac you are using.

link
drawnwren 639 days ago
I’m seeing Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7). What do you think the 14_7 stands for on MacOS 14.7?
link
koito17 639 days ago
I currently use M3 Max MacBook Pro. Mac OS 14.6.1(23G93).

Firefox 130.0.1

  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0"
Safari 17.6

  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"
Seems like a Google Chrome-specific behavior, but I don't have Google Chrome installed to test.
link
threeseed 638 days ago
> Intel Mac OS X 10_15_7.

This is on an M4 MacBook Pro running 15.0.

So not correct.

link
BrutalCoding 638 days ago
Heya, I couldn’t find a way to contact you privately but I’d assume you want to delete your comment until (presumably) next month! Correct me if I’m wrong tho :)

Alternatively, a mod could help to edit it instead

link