Apple has just released its weekly update to XProtect for all supported versions of macOS, bringing it to version 5313. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds 4 new rules for components of MACOS.MISOMESA and 7 for MACOS.MISOMAGIC, both new codenames in the Yara file. It also adds a new rule for MACOS.SOMA.AUENC, another Soma/Amos component, and amends the existing detection rule for MACOS.DUBROBBER.CHBI.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5313
Sequoia and Tahoe systems only
This update has now been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5313 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
Apple has just released its weekly update to XProtect for all supported versions of macOS, bringing it to version 5312. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds three new detection rules: MACOS.SOMA.AUENB augmenting rules for the Soma/Amos family, MACOS.DUBROBBER.CHBI for another Dubrobber variant, and MACOS.ODYSSEY.LELI for an additional Odyssey variant.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5312
Sequoia and Tahoe systems only
This update has now been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5312 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
1. Health Features - Earlier this year, Apple released the Powerbeats Pro 2 with heart rate monitoring, and that functionality is expected for the AirPods Pro 3 too. Temperature sensing is also a possibility. The Apple Watch can detect skin temperature, but that's not accurate for fevers. In-ear temperature readings would provide more useful data.
2. Audio Quality Upgrade - Apple is upgrading the H-series chip that's in the AirPods, which is likely to bring improved audio quality. The AirPods Pro 2 support Lossless Audio when paired with Vision Pro thanks to a proprietary wireless audio protocol, and Apple could expand that to other devices. The AirPods Pro 3 could adopt Bluetooth 5.4 for better audio latency.
3. Better Active Noise Cancellation - The H3 chip will allow for even faster on-device processing for improved Active Noise Cancellation and better Adaptive Audio. The H2 chip in the AirPods Pro 2 actively reduces louder, intermittent noise at 48,000 times per second to cut down on environmental noise exposure, and an upgraded H-series chip could do even better.
4. Refreshed Design - Apple is going to update the design of the AirPods Pro 3. The AirPods 4 got a slimmed down case, a hidden capacitive pairing button, and a concealed LED, so we could see those same changes with the next AirPods Pro. The earbuds could get a design overhaul too, and upgrade possibilities include a smaller in-ear piece and a shorter stem.
5. Updated Tracking - The AirPods Pro 3 are likely to get Apple's second-generation Ultra Wide Band (UWB) chip for more precise tracking using the Find My app.
As we near the end of Tahoe’s incubation period, and Apple’s engineers code its last fixes and tweaks ready for its launch in just a few weeks, I’d like to reflect on what macOS 26 has to offer beyond its marketing headlines.
While there are several worthwhile new features such as the Phone app, Magnifier, and live translation, there’s nothing to compare with the fundamental changes in recent versions of macOS that brought the SSV, Shortcuts, System Settings and Apple Intelligence. Instead Tahoe is overwhelmingly about its human interface.
Every new design of the Mac’s operating systems that I can recall has elicited outcry from many. Understandably, the majority almost invariably want constancy, the same Finder and app icons that we’ve become so familiar with. It’s only human. It’s also a sure route to what others will condemn as stale, as it hasn’t been refreshed for so many years.
Personally, I don’t like to see a design on my Mac. If I notice it, then it’s a distraction. I’d much prefer to have an interface as clean as the whistles of the late Classic Mac OS period: lean, purposeful and lacking in visual trickery or frippery. But I accept that, without all the adornments and animations, many today would wonder why their Mac needed a GPU. I confess that I was never a fan of the original Aqua interface either. Given that its declared goal was to “incorporate colour, depth, translucence, and complex textures into a visually appealing interface”, I wonder whether much the same could be said of Tahoe.
Perhaps the most striking feature of this redesign is its lack of contrast between elements and tools in window controls and their contents, whether its appearance is set to light or dark mode, or one of its new in-between variants. You can see this clearly in most screenshots of Tahoe, such as those posted by Apple, and as far as I can see it hasn’t improved during beta-testing. This is also universal, and isn’t confined to apps using the more novel SwiftUI, although I have to keep pinching my thigh to remind myself that SwiftUI is now six years old, only two years younger than APFS. The contrast in stability and maturity between the two couldn’t be greater.
You can of course ‘improve’ contrast by enabling Reduce Transparency in Accessibility settings, but in doing so you lose most if not all of Tahoe’s Liquid Glass effects, as they depend on the transparency you’ve just turned off.
Transparency is a good example of design being given priority over readability or content. Because the appearance of the upper layer containing controls or content depends on what is underneath, it’s down to chance whether the greyed text you’re struggling to read happens to be over a background that further reduces its contrast. In the worst case, you could find yourself having to move a window so you can read part of it clearly, not a sign of a good human interface.
My other major concern with Tahoe’s new look is that it seems not to recognise the differences between Macs, iPads and iPhones, in terms of displays, input controls, and apps. Rather than sameness, I’d much rather have consistency that recognises the difference between manipulating Xcode’s compound windows containing dense structured text on a 27-inch display, and checking a family photo filling the 6.1-inch display of an iPhone.
One of my favourite controls in macOS is the Combo Box, a versatile and elegant hybrid of the popup/dropdown/pulldown menu/button and a text entry box. I can’t recall seeing one used in iOS, as it would be clumsy and inappropriate. It’s well supported for macOS in AppKit but hasn’t yet been implemented in SwiftUI. If controls are going to be common across all Apple’s operating systems, then macOS is about to lose one of its best.
It seemed only appropriate that, in the weeks before Apple releases OS 26 across Macs and devices, Tim Cook should go to the White House to pay its corporate tribute in a block of materialised Liquid Glass mounted on pure bling. But the image that I keep thinking of in fear, is that of Elon Musk demonstrating the resilience of his Cybertruck’s window by throwing a metal ball at it, in November 2019. I just hope Tahoe’s Liquid Glass doesn’t go the same way.
Apple has just released urgent security updates to bring macOS Sequoia to 15.6.1, Sonoma to 14.7.8, and Ventura to 13.7.8.
Security release notes for these are already available, for 15.6.1, 14.7.8 and 13.7.8. Each refers to the same single vulnerability in ImageIO, which is apparently being exploited “in an extremely sophisticated attack against specific targeted individuals” using a crafted image file.
The download for 15.6.1 is about 1.56 GB for an Apple silicon Mac, and should be well under 1 GB for Intel. Time to update!
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5311. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds eight new detection rules, for MACOS.BANSHEE.MA, MACOS.BANSHEE.MA2, MACOS.SOMA.GEGO, MACOS.POSEIDON.B, MACOS.TIMELYTURTLE.FUNA, MACOS.TIMELYTURTLE, MACOS.TIMELYTURTLE.INDRBYSE and MACOS.TIMELYTURTLE.INDR. Banshee, Poseidon and TimelyTurtle are new names in XProtect’s Yara rules.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5311
Sequoia and Tahoe systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5311 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5310. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds a single new detection rule for MACOS.SOMA.AUENA, further extending its coverage of Soma/Amos.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5310
Sequoia systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5310 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
Apple has just released updates to XProtect for all supported versions of macOS, bringing it to version 5309, and to XProtect Remediator for all macOS from Catalina onwards, to version 153. As usual, Apple doesn’t release information about what security issues these updates might add or change.
Yara definitions in this version of XProtect add a single new detection rule for MACOS.SOMA.JUENB, part of the Soma/Amos family.
XProtect Remediator doesn’t change the list of scanner modules.
There are extensive changes to the Bastion rules, which add a new definition for common system binaries, extend Rule 1 coverage to include support folders for more browsers, tweak Rules 3 and 14-17, and add new Rules 18-24.
You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-153 and XProtectPlistConfigData_10_15-5309.
Sequoia and Tahoe systems only
The XProtect update has already been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5309 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
Since writing A brief history of local search, I have come across numerous patents awarded to Apple and its engineers for the innovations that have led to Spotlight. This more detailed account of the origins and history of Spotlight uses those primary sources to reconstruct as much as I can at present.
1990
ON Technology, Inc. released On Location, the first local search utility for Macs, a Desk Accessory anticipating many of the features to come in Spotlight 15 years later. This indexed text found in the data fork of files, using format-specific importer modules to access those written by Microsoft Word, WordPerfect, MacWrite and other apps of the day. Those files and their indexed contents were then fully searchable. This required System Software 6.0 or later, and a Mac with a hard disk and at least 1 MB of RAM. It was developed by Roy Groth, Rob Tsuk, Nancy Benovich, Paul Moody and Bill Woods.
1991
Version 2 of On Location was released. ON Technology was later acquired by Network Corporation, then by Symantec in 2003.
1994
AppleSearch was released, and bundled in Workgroup Servers. This was based on a client-server system running over AppleShare networks. September’s release of System Software 7.5 introduced a local app Find File, written by Bill Monk.
1998
Sherlock was released in Mac OS 8.5. This adopted a similar architecture to AppleSearch, using a local service that maintained indexes of file metadata and content, and a client app that passed queries to it. This included remote search of the web through plug-ins working with web search engines, as they became available.
Early patent applications were filed by Apple’s leading engineers who were working on Sherlock, including US Patent 6,466,901 B1 filed 30 November 1998 by Wayne Loofbourrow and David Cásseres, for a Multi-language document search and retrieval system.
1999
Sherlock 2 was released in Mac OS 9.0. This apparently inspired developers at Karelia Software to produce Watson, ‘envisioned as Sherlock’s “companion” application, focusing on Web “services” rather than being a “search” tool like Sherlock.’
2000
On 5 January, Yan Arrouye and Keith Mortensen filed what became Apple’s US Patent 6,847,959 B1 for a Universal Interface for Retrieval of Information in a Computer System. This describes the use of multiple plug-in modules for different kinds of search, in the way that was already being used in Sherlock. Drawings show that it was intended to be opened using an item on the right of the menu bar, there titled [GO-TO] rather than using the magnifying glass icon of Sherlock or Spotlight. This opened a search dialog resembling a prototype for Spotlight, and appears to have included ‘live’ search conducted as letters were typed in.
2002
Mac OS X 10.2 Jaguar brought Sherlock 3, which many considered had an uncanny resemblance to Watson. That resulted in acrimonious debate.
2005
In preparation for the first Intel Macs, Mac OS X 10.4 Tiger, released in April 2005, introduced Spotlight as a replacement for Sherlock, which never ran on Intel Macs.
Initially, the Spotlight menu command dropped down a search panel as shown here, rather than opening a window as it does now.
2006
On 4 August, John M Hörnkvist and others filed what became US Patent 7,783,589 B2 for Inverted Index Processing, for Apple. This was one of a series of related patents concerning Spotlight indexing. Just a week later, on 11 August, Matthew G Sachs and Jonathan A Sagotsky filed what became US Patent 7,698,328 B2 for User-Directed search refinement.
A Finder search window, precursor to the modern Find window, is shown in the lower left of this screenshot taken from Tiger in 2006.
2007
Spotlight was improved in Mac OS X 10.5 Leopard, in October. This extended its query language, and brought support for networked Macs that were using file sharing.
This shows a rather grander Finder search window from Mac OS X 10.5 Leopard in 2009.
2014
Search attributes available for use in the search window are shown here in OS X 10.9 Mavericks, in 2014.
In OS X 10.10 Yosemite, released in October, web and local search were merged into ‘global’ Spotlight, the search window that opens using the Spotlight icon at the right end of the menu bar, accompanied by Spotlight Suggestions.
2015
John M Hörnkvist and Gaurav Kapoor filed what was to become US Patent 10,885,039 B2 for Machine learning based search improvement, which appears to have been the foundation for Spotlight Suggestions, in turn becoming Siri Suggestions in macOS Sierra. Those were accompanied by remote data collection designed to preserve the relative anonymity of the user.
This shows a search in Global Spotlight in macOS 10.12 Sierra, in 2017.
c 2019
Apple acquired Laserlike, Inc, whose technology (and further patents) has most probably been used to enhance Siri Suggestions. Laserlike had already filed for patents on query pattern matching in 2018.
I’m sure there’s a great deal more detail to add to this outline, and welcome any additional information, please.
4 August 2025: I’m very grateful to Joel for providing me with info and links for On Location, which I have incorporated above.
Plenty of great apps have been created using the Mac’s scripting languages, but commercial developers have largely relied on compiled languages used and supported by Apple for app and system development. Over the years those have included Object Pascal, C/C++, Objective-C and most recently Swift. This article provides a brief overview of how those changed.
Lisa Clascal (1984-86)
Following Apple’s use of UCSD Pascal on Apple II computers, when the Lisa was being developed its primary language was Lisa Pascal. Apple was also working with the novel object-oriented language Smalltalk, which originated at Xerox’s PARC in the early 1970s, but its syntax was unfamiliar and performance was poor. Lisa Pascal was therefore developed into Clascal, dividing code into distinct interface and implementation sections, with classes, subclasses, methods and inheritance.
During the first couple of years, software for the Mac was thus developed using Clascal on Lisa systems.
Object Pascal (1986-91)
In 1984-85, Larry Tesler and supporting engineers in Apple (including Barry Haynes, Ken Doyle and Larry Rosenstein) worked with Niklaus Wirth, the inventor of Pascal, to develop Clascal into Object Pascal, the primary language for Mac development. With this, they also developed the first version of the MacApp class library that provided a framework to support common application features including the Mac’s GUI.
These were released together in September 1986, in Macintosh Programmer’s Workshop (MPW), which was adopted as the standard development environment for the Mac, both in-house and for third-parties. At that time, the only compiled language supported by MPW was Object Pascal, and it wasn’t until the following summer that the first beta of its C/C++ compiler was released with MPW 2.0. That was developed by Green Hills Software, but Object Pascal remained the more widely used, particularly in combination with MacApp, also written in Object Pascal. Major developers including Adobe created early versions of their products using Object Pascal and MacApp, perhaps the most famous example being Adobe Photoshop.
At the same time, Think Technologies released the first popular third-party compiler, LightSpeed C, in 1986. This soon became THINK C, gained C++ support, was joined by THINK Pascal, and was bought by Symantec. Borland ported its Turbo Pascal to the Mac, where it adopted the extensions of Object Pascal, and eventually became the cross-platform Delphi in 1995.
C/C++ (1991-2001)
With the release of System 7 in 1991, Apple abruptly switched from Object Pascal to C++, and MacApp 3.0 also changed language. Smaller developers who had extensive source in Object Pascal were far from happy, and in some cases successful products vanished from the market. Others were rescued when Metrowerks released a new integrated development environment for C/C++ as CodeWarrior at the end of 1993 or early 1994. This drew most who had been using THINK C, and MPW also went into decline. The decisive factor was CodeWarrior’s early support for Apple’s new PowerPC Macs. CodeWarrior’s C/C++ saw many Mac developers through that hardware transition until the release of Mac OS X in 2000-01.
Objective-C (2001-)
With Mac OS X came its own primary development language Objective-C, and Apple’s new integrated development environment Project Builder, also derived from NeXTSTEP but written from scratch for the Mac. That was replaced by the first version of Xcode with Mac OS X 10.3 Panther in 2003.
This screenshot shows Xcode in 2015.
Objective-C had been one of the two object-oriented contenders to succeed C. The other, C++, had already become more widely adopted, and had been favoured by Apple for the previous decade. Although both claim C as their ancestor, there’s little in common between them, and in many respects Objective-C more closely resembles Smalltalk, rejected by Apple when developing the Lisa. Developers whose source code had started in Object Pascal and was then ported to C++, had another major task to convert that to Objective-C.
Originally designed and developed by Brad Cox and Tom Love during the early 1980s, Objective-C’s biggest success had been its selection as the primary development language for NeXTSTEP later that decade. When Apple adopted that as the foundation for Mac OS X, it was inevitable that the language should come with it.
Swift (2014-)
In keeping with its track record, no sooner had Apple entered the 2010s than its engineers, under the lead of Chris Lattner, were working on the successor to Objective-C. Significant early collaborators included Doug Gregor, John McCall, Ted Kremenek and Joe Groff. A first beta-release was provided at WWDC in 2014, and since then Swift has been progressively replacing Objective-C as Apple’s primary development language.
Swift is described as being a multi-paradigm language, and over the course of the last 15 years it has assimilated and adopted almost every available programming paradigm, from classes and objects to protocols and declaratives. Although it’s still possible to write plain code that is understandable by someone with a grounding in C or Pascal, those who prefer to adopt almost any other paradigm can render their code nearly unintelligible to others. Differences between the current version 6.1.2 and version 1.0 from 2014 are huge.
From those early days, Swift has had an interactive mode, based on the ‘read-eval-print loop’ (REPL) popularised by Lisp. This versatility has been developed in Swift Playgrounds, both within Xcode and as a standalone app targeted at those of all ages learning to code for the first time.
As an introduction to Swift in education, this has been impressive, but it hasn’t proved a gateway for those who didn’t really want to learn how to use Xcode in the first place.
With the release of Swift 5.0 in February-March 2019, the language reached a major milestone of stability in its application binary interface (ABI). Before that, executable code built from Swift source had to ship with its own copy of Swift’s runtime libraries, amounting to over 11 MB for a typical app. Starting with macOS 10.14.4 and Xcode 10.2, apps built with Swift 5.0 no longer needed to bundle those libraries (except for compatibility when running on older macOS), as the runtime has since been delivered as part of the system. Later that year, module stability was added, allowing binary frameworks to be shared and remain compatible with future versions of Swift.
This screenshot shows the Interface Builder feature in Xcode in 2024.
Others
Although those have been primary development languages, Apple and third-parties have supported many others. Here’s a small personal sample.
In 1984, what was to become Macintosh Common Lisp (MCL) began development. It was released in 1987, initially as Coral Common Lisp (CCL), then Macintosh Allegro Common Lisp, and MCL. It moved on to Digitool in 1994 for PowerPC support, and was made open source in 2007. Unusually for what’s normally considered a specialist language, MCL was well integrated with Mac OS and its GUI.
After MCL drifted off into oblivion, LispWorks’ cross-platform implementation of ANSI Common Lisp took over, and remains thoroughly mature and productive, with extensive browsing facilities, debugging, and more.
An extraordinarily concise and powerful language, APL is also one of the oldest, having been defined in 1962 and first implemented a couple of years later. It uses Greek and special symbols in its own custom font, concatenating them into cryptic lines that make perl look verbose. Its last Mac implementation, MicroAPL’s APLX 5.1, was still able to run in El Capitan, but has sadly been abandoned. However, Dyalog APL remains actively developed, and even supports Apple silicon Macs. Other notable losses include Absoft, whose Fortran compilers were widely used on Macs from 1985, and shut down in 2022.
Microsoft’s Visual Studio Code, supporting more than thirty programming languages including JavaScript, C#, C++, and Java, was a latecomer to the Mac, and has most recently become VS Code.
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5305. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds a single new rule for MACOS.SOMA.JLEN, part of the Amos/Soma family of malware.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5305
Sequoia systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5305 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
This week’s security data updates were quite a surprise. We’ve grown accustomed to Apple tweaking XProtect’s data most weeks, but this week was a bit different, and came with an update to XProtect Remediator as well, the first in four months. This article explores what they have brought.
Although this security data all goes under the name of XProtect, there are three different protection systems involved.
The traditional XProtect contains a set of ‘Yara’ rules used when performing Gatekeeper scans of new executable code, most notably when a quarantined app is first run, although recent macOS also runs XProtect checks on other occasions. Those rules determine whether the code being scanned is known to be malicious; if the scan is positive, macOS refuses to run that code and tells you to trash the app.
XProtect Remediator only runs in Catalina and later, where it performs daily background scans to detect and remove software it believes to be malicious. It currently contains 24 separate scanning modules, each designed to detect and ‘remediate’ a different family of malware. Some of its modules also use the detection rules in traditional XProtect, so are improved by regular XProtect data updates. Surprisingly, if XProtect Remediator detects and removes malware, you aren’t notified, although that is recorded in the log and reported as an Endpoint Security event that can be detected by some third-party security software.
Inside the XProtect Remediator app are two files used by the third XProtect, which detects potentially malicious activity such as tampering with parts of a browser’s files. This is therefore referred to as XProtect Behavioural, or by the name it gives to the detection rules it uses, Bastion. Unlike the other two XProtects, this doesn’t rely on performing static checks, but is watching constantly for malicious activity. Although it records that in its local database, at present it doesn’t inform the user, but reports the activity to Apple, to help it acquire intelligence to improve the battle against malware.
XProtect
XProtect version 5304, provided by Apple on 8 July, makes substantial changes to its Yara detection rules to add what appears to be a new family of malware, code-named Bonzai. New rules refer to five different forms, which are most likely to be different components in the same malware, or separate variants, named Bonanza, Barricade, Blaster, Bonder and Banana. It’s likely that independent security researchers will identify these in the coming days, but for the moment the public name of this malware isn’t known.
Looking through these new Yara rules, they look most likely to be for a ‘stealer’, a type of malware that’s currently prevalent, and steals your secrets to send them to a remote server. There are references to Chrome, Brave, Edge and Firefox extensions, and most interestingly some of the malware has been compiled from code written in the Go language, which is becoming popular in cross-platform malicious code.
The last times that Apple added detection rules as substantial as these were in XProtect version 5284 for Adload and Bundlore, and in 5269 for Dolittle, each being major threats.
Bastion
Until now, the behavioural rules used by Bastion have evolved steadily, and the most added in a single release has been two, when XProtect Remediator version 123 came with rules 8 and 9, and changes to rule 7, back in January 2023. This update brings four new rules:
Rule 14 detects sending AppleEvents to Safari, Firefox or Chrome.
Rule 15 detects sending AppleEvents to the Finder or Terminal.
Rule 16 detects Mach lookups for com.apple.pasteboard.1.
Rule 17 detects writing shell files hidden in ~/ or /etc, such as ~/.zlogin, or /etc/zlogin.
The first two may be intended to detect AppleScript being used to control those browsers, the Finder or to run scripts in Terminal. Rule 16 may also be related to Apple’s recent announcement on controlling access to the pasteboard in macOS 26. Rule 17 concerns settings files commonly used by command shells, readily seen if you reveal hidden files for your Home folder.
These may well be related to Bonzai, and enable Apple to get a better idea of what is going on out here in the wild, and focus its efforts in improving its detection.
XProtect Remediator
Once samples of malware have been obtained, developing and testing new Yara rules to detect it is relatively quick, and often uses AI to accelerate the process. Writing a new scanning module for XProtect Remediator is more complicated, and takes more time. It may well be that an additional Bonzai scanner is already on its way, and might be delivered in a further update in the next couple of weeks, perhaps with some fine-tuning of the new Bastion rules. I’ll be keeping a lookout for those.
Above all, it will be interesting to see what changes are made in third-party security software, and how well those tackle what appears to be novel malware for macOS.
Apple has just released updates to XProtect for all supported versions of macOS, bringing it to version 5304, and to XProtect Remediator for all macOS from Catalina onwards, to version 152. As usual, Apple doesn’t release information about what security issues these updates might add or change.
Yara definitions in this version of XProtect add two private rules: Shebang, to match shell scripts by their ‘shebang’ line, and _golang_macho, to match Mach-O binaries compiled by Go. There are also 19 new rules for a novel family of what appear to be stealers, with names based on BONZAI, including MACOS.BONZAIBONANZA.AUTO, MACOS.BONZAIBONANZA.TAAP, MACOS.BONZAIBONANZA.TAFI, MACOS.BONZAIBONANZA.VACA, MACOS.BONZAIBONANZA.VASN, MACOS.BONZAIBONANZA.FU, MACOS.BONZAIBONANZA.SC, MACOS.BONZAIBARRICADE.PE, MACOS.BONZAIBARRICADE.PA, MACOS.BONZAIBARRICADE.KE, MACOS.BONZAIBLASTER.FU, MACOS.BONZAIBLASTER, MACOS.BONZAIBLASTER.TA, MACOS.BONZAIBONDER.SO, MACOS.BONZAIBONDER.PE, MACOS.BONZAIBONDER.TEPL, MACOS.BONZAIBONDER.LA, MACOS.BONZAIBONDER.FU, and MACOS.BONZAIBANANA.
XProtect Remediator doesn’t change the list of scanner modules.
There are changes to the list of Bastion rule 2 paths, and four new Bastion rules 14-17. These cover sending AppleEvents to browsers, the Finder and Terminal, mach-lookup for com.apple.pasteboard.1, and writing to a long list of shell-related hidden directories in the user’s Home folder.
These are probably the greatest changes to XProtect’s Yara rules and Bastion rules for more than a year.
You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-152 and XProtectPlistConfigData_10_15-5304.
Sequoia and Tahoe systems only
The XProtect update has already been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5304 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5303. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds two new rules, for MACOS_SOMA_JUEN and MACOS_SOMA_LLJU, continuing to extend its coverage of the Amos/Soma family of malware.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5303
Sequoia systems only
This update has just now been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5303 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5302. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds a new rule for MACOS_SOMA_FA_LE, again extending coverage of the Amos/Soma family of malware.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5302
Sequoia systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5302 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update
Living creatures aren’t the only things to be ravaged by epidemics. Computers, even Macs, can die prematurely when there are widespread manufacturing failures. I’d like to unearth a couple of mass graves from the past that have surely contributed to landfill around the world: capacitor plague and lead-free solder, and a recent problem with butterflies.
Capacitor plague 1999-2007
Capacitors or ‘caps’ have a chequered history. Acting as temporary stores of electric charge, they’re used extensively in most computer hardware and other equipment, such as ‘starters’ or ‘ballast’ for fluorescent tube lighting. They consist of conductive materials sandwiched with substances of low conductivity, or electrolyte. When manufactured to high standards they should last for 15 years or more, but cheap components are prone to overheating, electrolyte leakage, and in the worst case even fire.
With manufacturing driven to minimise the cost of components, some who procured supplies of capacitors have saved a few pence using cheaper sources. Many have turned out to be duff, so-called counterfeit capacitors: in the early years of this century, a series of fires in mainly industrial and commercial premises were blamed on catastrophic failure of strip light ballasts.
Computer motherboards and other components, including some batches of iMac G5 and eMacs, have also suffered ‘capacitor plague’ when counterfeits have somehow entered the assembly plant. Since first reports in 1999, successive waves have cost major manufacturers hundreds of millions of dollars to rectify.
An ABIT VP6 motherboard with a blown capacitor alongside others that are bulging or leaking (2007). Image by Ethanbrodsky, via Wikimedia Commons.
This PC motherboard from ABIT has one blown capacitor obvious just to the left of centre, among others that are starting to bulge and leak.
Fortunately, Apple’s products were among the least affected, and since 2007 very few problems have been reported, although failed capacitors and leaky batteries remain problems in any computer over 15 years of age.
Lead-free solder 2006-2017
No sooner was capacitor plague dying out than a new wave of failures was reported, mainly affecting better graphics cards, including some installed in various models of Mac. The most prominent was probably that affecting 2011 MacBook Pro models, but several other MacBook Pros, iMacs, and others were affected. My own iMac 27″ Mid 2011 (iMac12,2) suffered failure in its Radeon HD 6970M graphics card, and was one of several models whose warranties were extended because of this issue.
Apple wasn’t the only computer manufacturer to have such problems. Various models, mainly laptops, from PC manufacturers including Asus, Lenovo, and HP, had similar high failure rates in their graphics cards. Although some occurred as a result of GPU failure, the single common cause accounting for many was most probably the use of lead-free solder.
High-performance graphics cards run hot, because they do a lot in a small volume, particularly in compact systems such as laptops and all-in-one desktop models. Laptops have very high thermal stresses, because they’re often left cold for long periods, then run and become hot enough to warm bare thighs. Components, especially the GPU, may thus cycle between cold and hot several times a day.
On 1 July 2006, the EU banned the use of significant quantities of lead in most consumer electronics products, including computers and their accessories. Although this had the beneficial side-effect of reducing occupational exposure to lead fumes in those manufacturing and repairing electronic circuit boards, the drive for this came instead from growing concerns over lead in electronic waste.
The most immediate impact of that ban was the withdrawal from sale of Apple’s iSight camera at the end of that year, as that couldn’t be made using lead-free solder. Since then, substitute lead-free solders have become universally adopted in consumer electronics manufacture, but some non-consumer products continue to use traditional lead-based solders. This is because, despite sustained efforts to develop lead-free solders that perform as well, in practice products manufactured using them are more prone to failure, and have shorter working lives. Over the last decade, improved manufacturing techniques have reduced the chances of early failure, but now I’m happier using Apple silicon chips in any case.
Butterfly keyboards 2015-2019
In 2015, Apple released new MacBooks that incorporated a keyboard using a novel action, described as butterfly. These enabled their integrated keyboards to be thinner, and because this mechanism distributed finger pressure more evenly, Apple claimed the keys were more stable in use, and required less movement.
Although some preferred these butterfly keyboards, and had no problems in use, others started to report early failure, with keys getting stuck, repeating, or failing completely. These have been attributed to the accumulation of debris in the greater space within the keys. Attempts were made to tweak their design to eliminate these problems over the following four years, but ultimately Apple had to return to the proven scissor mechanism, which it did from 2019. As a result Apple had to operate its largest repair programme ever.
Apple Service Programmes
Although at times Apple might appear intransigent when problems occur with its products, its record ranks among the best of all computer manufacturers. There are currently two active service programmes, for 15-inch MacBook Pro batteries dating back to 2019, and more recently for a small number of M2 Mac minis. I repeatedly hear of those whose Macs have been replaced or repaired at no cost in order to satisfy customers, even though warranty, AppleCare or extended service programmes have expired. It’s one of Apple’s distinguishing features.
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5301. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds a new rule for MACOS_AMOS_BO_EN, extending coverage of the Amos/Soma family of malware.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5301
Sequoia systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5301 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update
Although there was no ambiguity in Apple’s announcement that later this year it will be releasing macOS 26 Tahoe, together with version 26 of its other operating systems, there have been claims that this might just be a ‘marketing version’ and not really the case. There is some evidence that could be misinterpreted as confirming that, where some of Apple’s developer web pages refer to macOS 16.
But others choose to differ.
Cast your mind back five years to macOS 11 Big Sur, when what had been expected to be macOS 10.16 was announced as 11.0 instead. That had the potential to upset a lot of code and scripts that had become used to checking the minor but not the major version number. Apple foresaw those problems, and devised an ingenious scheme that allowed Big Sur to be simultaneously both 10.16 and 11.0. It’s hardly surprising that this has been implemented once again for Tahoe.
Rules
There are two fundamental rules provided by Apple:
In compiled languages, the version returned by macOS depends on the SDK which the software has been built against. When built against the 15 SDK or earlier, Tahoe returns 16 for compatibility with previous numbering and all existing apps; when built against the 26.0 SDK, it returns 26.0 for forward compatibility.
In scripted languages run within a shell environment, there’s an environmental variable to control the version number given. Set SYSTEM_VERSION_COMPAT=1 and Tahoe returns 16; leave that variable unset, or SYSTEM_VERSION_COMPAT=0, and it returns 26.
AppleScript
Move a script across to Tahoe, and it will be compiled in the 26 environment, so
system version of (system info)
returns 26.0, as will that code inside an AppleScript app built on Tahoe.
Scripts and other languages
One method commonly used to look up the macOS version number is to obtain the string value for the ProductVersion key in /System/Library/CoreServices/SystemVersion.plist. However, depending on the environment of the caller, Tahoe plays tricks with that file, which should return a version of 26.0. If the caller has set SYSTEM_VERSION_COMPAT=1, then the version number returned isn’t obtained from that property list at all, but its companion SystemVersionCompat.plist, which is 16.0.
You can test this at the command line, by entering the two commands
SYSTEM_VERSION_COMPAT=1 cat /System/Library/CoreServices/SystemVersion.plist
and
SYSTEM_VERSION_COMPAT=0 cat /System/Library/CoreServices/SystemVersion.plist
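As an added example that is not part of the original post, here is a POSIX shell script that pulls ProductVersion out of SystemVersion.plist text and allows for the SYSTEM_VERSION_COMPAT mapping when a script gates on a minimum macOS version. The plist contents are constructed samples standing in for the two files Tahoe serves; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: read ProductVersion from SystemVersion.plist text and compare major
# versions without being fooled by the 16/26 trick described above.

# Constructed stand-in for /System/Library/CoreServices/SystemVersion.plist on Tahoe.
SAMPLE_SYSTEM_VERSION='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>ProductName</key>
	<string>macOS</string>
	<key>ProductVersion</key>
	<string>26.0</string>
</dict>
</plist>'

# Constructed stand-in for SystemVersionCompat.plist, the file Tahoe serves instead
# when the caller has SYSTEM_VERSION_COMPAT=1 in its environment.
SAMPLE_COMPAT_VERSION=$(printf '%s\n' "$SAMPLE_SYSTEM_VERSION" | sed 's/26\.0/16.0/')

# Print the <string> that follows the ProductVersion key in plist text read from stdin.
product_version_from_plist() {
    sed -n '/<key>ProductVersion<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}'
}

# Read ProductVersion from a plist file; defaults to the real path on macOS.
product_version_from_file() {
    product_version_from_plist < "${1:-/System/Library/CoreServices/SystemVersion.plist}"
}

# Major version component: "26.0" -> 26, "16.0" -> 16.
major_version() {
    printf '%s\n' "$1" | cut -d. -f1
}

# Interpret the major version in light of SYSTEM_VERSION_COMPAT ($2): with it set to 1,
# Tahoe reports 16, so map that back to 26 before comparing against a minimum version.
effective_major() {
    m=$(major_version "$1")
    if [ "${2:-0}" = "1" ] && [ "$m" = "16" ]; then
        echo 26
    else
        echo "$m"
    fi
}

# True when the reported version ($1), read under compat setting ($2), is Tahoe or later.
is_tahoe_or_later() {
    [ "$(effective_major "$1" "$2")" -ge 26 ]
}
```

On a real Tahoe system, `SYSTEM_VERSION_COMPAT=1 product_version_from_file` prints 16.0 and `SYSTEM_VERSION_COMPAT=0 product_version_from_file` prints 26.0, so pass the same value of SYSTEM_VERSION_COMPAT to is_tahoe_or_later that was in force when the version was read.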
Which is it – 16 or 26?
macOS Tahoe is very definitely, and not just for marketing purposes, macOS 26, but depending on how you ask that question, it could pretend to be 16 if you wish.