Apple has just released major updates to XProtect and XProtect Remediator

Apple has just released updates to XProtect for all supported versions of macOS, bringing it to version 5304, and to XProtect Remediator for all macOS from Catalina onwards, to version 152. As usual, Apple doesn’t release information about what security issues these updates might add or change.

Yara definitions in this version of XProtect add two private rules for Shebang, to match shell scripts by ‘shebang’, and _golang_macho, to match machos compiled by Golang. There are also 19 new rules for a novel family of what appear to be stealers based on the name BONZAI, including MACOS.BONZAIBONANZA.AUTO, MACOS.BONZAIBONANZA.TAAP, MACOS.BONZAIBONANZA.TAFI, MACOS.BONZAIBONANZA.VACA, MACOS.BONZAIBONANZA.VASN, MACOS.BONZAIBONANZA.FU, MACOS.BONZAIBONANZA.SC, MACOS.BONZAIBARRICADE.PE, MACOS.BONZAIBARRICADE.PA, MACOS.BONZAIBARRICADE.KE, MACOS.BONZAIBLASTER.FU, MACOS.BONZAIBLASTER, MACOS.BONZAIBLASTER.TA, MACOS.BONZAIBONDER.SO, MACOS.BONZAIBONDER.PE, MACOS.BONZAIBONDER.TEPL, MACOS.BONZAIBONDER.LA, MACOS.BONZAIBONDER.FU, and MACOS.BONZAIBANANA.

XProtect Remediator doesn’t change the list of scanner modules.

There are changes to the list of Bastion rule 2 paths, and four new Bastion rules 14-17. These cover sending AppleEvents to browsers, the Finder and Terminal, mach-lookup for com.apple.pasteboard.1, and writing to a long list of shell-related hidden directories in the user’s Home folder.

These are probably the greatest changes to XProtect’s Yara rules and Bastion rules for more than a year.

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-152 and XProtectPlistConfigData_10_15-5304.

Sequoia and Tahoe systems only

The XProtect update has already been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5304 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

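Pseudo-needs

Over the past half year or so, because of work, even I, a field salesperson, have often needed a computer to handle a few documents. Several times, when I urgently needed to put a document together on the spot, all I could do was find an internet café and make do. After a few experiences like that, I got the idea of buying a laptop to carry in my bag. On top of that, last year I got past the stage of merely making ends meet and had a little private money of my own to spend, so I formally started shopping for a laptop. The principle was simply that it be light and able to open some complex spreadsheets.

Following the rule for digital products, "buy new, not old, unless you can't afford it", I first planned to buy a ThinkPad X series, since that was the first brand I came into contact with when I started using computers. But after looking at the prices of the new models, and the big, clunky black design of the old ones, I ended up buying a base-model 2020 M1 MacBook Air on a local forum. For the first couple of days after buying it I was still not quite used to it, because many shortcuts that I used fluently on Windows are different on macOS, yet the shortcuts in Office on macOS are the same as on Windows. To lighten the load on a brain that doesn't have much capacity to begin with, I could only remap the shortcuts to work the same as on Windows.

As it happens, the desktop at home was still a Lenovo Yangtian all-in-one from 10 years ago, and the i3 4130's performance was no longer up to it; opening an Excel report of around 5M took ages. Since the laptop had been upgraded, the desktop might as well be too, so I spent another 400 yuan locally on an 8100T+16G+256G machine, and 1399 on JD.com for an off-brand 23.8-inch 4K monitor. I later felt I'd lost out on that one: it has no VESA mount so it can't go on an arm, and at the same price I could have bought a 27" 4K from a low-end brand. But being poor means having a poor person's mindset, and a simple "it's not as if it doesn't work" is enough to console myself. Now, as a chosen wage worker, nothing can stop me from working any time, anywhere.

After using it normally for a little over a week, I watched some videos online saying that the base-model MacBook Air is very laggy when editing video, and that you need at least 16G of memory to use it smoothly. Why would I have that need? Because I plan to edit each year's videos and photos of my kid together, to make them easy to share with the family. But given "I've already bought it" and "it's not as if it doesn't work", I could only tackle this problem from other angles.

Doesn't the newly bought i3 8100T happen to have 16G of memory? It could be used for a Hackintosh. After looking into it properly, I found that installing a Hackintosh today is no longer as complicated as it was a few years ago with Chameleon or Clover. With a simple OpenCore configuration it boots, and the remaining details depend on whether you care; if you don't care about a so-called "perfect" configuration, as long as it boots it can be used normally. So I spent another 200 yuan on Xianyu on a "pulled" RX570 8G graphics card. Everyone really understands that this is an ex-mining RX470 flashed to look like one, but in the spirit of "it's not as if it doesn't work", buyer and seller both see through it without saying so. Actually the UHD630 integrated graphics of the i3 8100T might well have been enough. Configured like this, the performance is stronger than a 2018 Mac mini and roughly equal to a similarly configured 2019 iMac, and mine, monitor included, comes to less than 2000 yuan. What a bargain.

Because this machine, bought for 600 yuan including the graphics card, has no M.2 slot and can't take an NVMe SSD, I planned to upgrade the motherboard, processor and disk again, to an i5 8500, a motherboard with an M.2 slot and a 500G NVMe drive, at an estimated cost of around 700. Although 10th-generation processors are the last that can run a Hackintosh perfectly on integrated graphics, by the same "buy new, not old, unless you can't afford it" principle I can only consider 8th generation.

Then I saw the bottom half of a 2018-19 MacBook Pro online, and thought that now I have a 4K monitor I could get one to play with, estimated at another 1500 or so.

With all this tinkering, so far the desktop at home has cost 600, the monitor 1400, the laptop 3600, the planned desktop upgrade is estimated at 700, and the Apple "headless horseman" 1500. Adding it up, I would end up with one PC of passable performance and 1.5 Macs, for a total spend of 8000.

Watching the shopping cart fill up, I looked back: all I wanted was a laptop for handling work on the move, and at the same time a tool for editing together the photos and video footage of my little rascal. What's more, I haven't even tried whether my existing devices can meet my needs, because the icon of the downloaded "Jianying" app still has a little blue dot under it (never opened), and the FCPX downloaded with a shared ID bought on Taobao hasn't been opened either (if I haven't used it, it doesn't count as using pirated software, right?).

Quite suddenly, I felt I should stop. In my zodiac year, I shouldn't just follow my whims. I should look at my real needs, rather than use excuses to create pseudo-needs. It's just like when I took up amateur radio, learned fishing and rode motorcycles: each time, I'd barely started before wanting to buy, buy, buy on an unlimited budget. What's more, up to now, my enthusiasm for anything has lasted three minutes.

Promptly shifting my attention by other means, these past two days I've become hooked on using scripts to check in to various apps. With something else to hold my attention, I won't spend too much thought on tinkering with computers; after all, they're just tools.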

Solutions to Saturday Mac riddles 315

I hope that you enjoyed Saturday’s Mac Riddles, episode 315. Here are my solutions to them.

1: It came with a tumbler from Camelot in 1993, then opened in 2008.

PDF

It came with a tumbler (an acrobat) from Camelot (its original internal name) in 1993 (first released on 15 June 1993), then opened in 2008 (when it was adopted as an open ISO standard).

2: Replacement for 3 to avoid royalties with transparency has just turned three.

PNG

Replacement for 3 (it was developed by Thomas Boutell and others to replace GIFs) to avoid royalties (those were imposed on GIFs because of their use of LZW compression) with transparency (it supports a transparency layer) has just turned three (its latest version 3.0 was released in June this year).

3: CompuServe animated its palette with 256 colours but we still can’t agree how to say it.

GIF

CompuServe (released by CompuServe in 1987) animated (it supports animated images) its palette with 256 colours (it only supports palettes with 256 colours) but we still can’t agree how to say it (there has been a long-running dispute as to whether its ‘g’ is hard like ‘gift’ or soft like ‘gin’).

The common factor

They were each intended to be portable, universal file formats.

I look forward to your putting alternative cases.

Saturday Mac riddles 315

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: It came with a tumbler from Camelot in 1993, then opened in 2008.

2: Replacement for 3 to avoid royalties with transparency has just turned three.

3: CompuServe animated its palette with 256 colours but we still can’t agree how to say it.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

What’s the future for your Intel Mac?

From its first announcement of Apple silicon Macs on 22 June 2020, there has been speculation as to when support of Intel models will cease. Now Apple has given exceptionally clear details of its future intentions, and we have a clearer idea of what’s coming in macOS Tahoe, we can make plans at last. This article looks at the years ahead. In each case, major events are scheduled to occur with the annual transition of macOS to the next major version, normally in September-October.

2025

Final security update for macOS 13 Ventura, ending support for:

  • iMac 18,1-3
  • MacBook 10,1
  • MacBook Pro 14,1-3.

If you’re still running Ventura on a Mac capable of Sonoma or later, now is the time to plan the upgrade.

2026

Final security update for macOS 14 Sonoma, ending support for:

  • MacBook Air 8,1-2.

First release of an Arm-only version of macOS, 27. However, that and all its updates will continue to include full support for running Intel binaries using Rosetta 2 translation. macOS 27 will be the last major version that supports Rosetta 2 fully in Virtual Machines.

2027

Final security update for macOS 15 Sequoia, ending support for:

  • iMac 19,1-2
  • iMac Pro
  • Mac mini 8,1
  • MacBook Air 9,1
  • MacBook Pro 15,1-4 and 16,3.

First release of macOS 28, with full Rosetta 2 support removed. Limited Intel binary support will continue for “older unmaintained gaming titles” only. As a result, virtual machines running macOS 28 will no longer be able to run most Intel binaries.

2028

Final security update for macOS 26 Tahoe, ending support for all remaining Intel models:

  • iMac 20,1-2
  • Mac Pro 7,1
  • MacBook Pro 16,1-2 and 16,4.

T2 firmware updates are almost certain to cease with the end of support for macOS 26. Major third-party vendors are likely to stop providing Universal binaries, as they too drop support for macOS 26 and Intel models. Apple may decide to remove x86 support from Xcode 29, but hasn’t yet made any statement either way.

Benefits of upgrading macOS in Intel models

Although macOS Sequoia and Tahoe have brought some new features for Intel Macs, much of Apple’s emphasis now requires Arm systems. Major reasons for upgrading your Intel Mac to the most recent version of macOS it can run include:

  • Third-party support. Major software vendors like Microsoft normally only support their products on versions of macOS still supported by Apple.
  • Safari is only updated in supported versions of macOS.
  • Bug fixes. Although new versions bring their own bugs, the chances of an existing bug being fixed in the current release of macOS are far greater than it being fixed in an older version.
  • Security vulnerabilities. Only the current version of macOS gets a full set of fixes in each round of security updates, and the older two supported versions often lag the current one.
  • Enhancements. Some new features are still provided for both platforms.
  • Compatibility. If you already use Apple silicon Macs, or intend doing so, they are more compatible when running the same version of macOS. One topical example is Tahoe’s new ASIF disk image format.
  • Quantum-secure encryption. Apple has already started to transition to cryptographic techniques designed to remain secure as and when quantum computers are used in the future to break older methods. This started with iMessage last year, and Apple has announced that macOS 26 Tahoe will support quantum-secure encryption in TLS. This is unlikely to be added retrospectively to older versions of macOS.

I hope you find that helpful in your planning, and wish you success in whatever you choose.

Apple has released an update to XProtect for all macOS

Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5303. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version adds two new rules, for MACOS_SOMA_JUEN and MACOS_SOMA_LLJU, continuing to extend its coverage of the Amos/Soma family of malware.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5303

Sequoia systems only

This update has just now been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5303 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

Update:

The update was released via iCloud at 2010 GMT.

Solutions to Saturday Mac riddles 314

I hope that you enjoyed Saturday’s Mac Riddles, episode 314. Here are my solutions to them.

1: Expedition for a panther now in visionOS too.

Safari

Expedition (a safari) for a panther (it was first bundled with Mac OS X Panther in 2003) now in visionOS too (it’s now bundled in visionOS).

2: Polished plate is now 1’s most serious competitor.

Chrome

Polished plate (chrome) is now 1’s most serious competitor (on Apple’s platforms, it is Safari’s main competitor).

3: Web pet only lasted a year before the exploder.

Cyberdog

Web (cyber) pet (dog) only lasted a year before the exploder (released in 1996, it was dropped the following year, for Microsoft Internet Explorer to become the bundled web browser in Mac OS X).

The common factor

They’ve each been web browsers for Mac OS.

I look forward to your putting alternative cases.

Saturday Mac riddles 314

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Expedition for a panther now in visionOS too.

2: Polished plate is now 1’s most serious competitor.

3: Web pet only lasted a year before the exploder.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

A brief history of web browsers

Although taken for granted now, Apple didn’t release the first version of Safari until January 2003. Before that was a succession of interesting experiments to try. Those started with Netscape Navigator in 1994, which lasted until 2007, although by then it was little used on Macs.

Netscape is seen here in 2000, following my successful purchase of downloadable versions of Conflict Catcher and Suitcase from Casady & Greene’s online store.

Two years later, and I’m browsing Amazon’s listing of my never-published book that was slated for 31 March the following year. I’m so glad I never pre-ordered it.

Netscape had been at the front of browser development, leading with on-the-fly page display, cookies and JavaScript. But in 1996, it was challenged by Microsoft’s Internet Explorer, and Apple’s more innovative Cyberdog. The latter was sadly abandoned the following year, leaving the way clear for Apple to replace the bundled Netscape with Internet Exploder, as it quickly became nicknamed.

This is Microsoft Internet Explorer in 2001, providing the front end to Mac OS X Server through Webmin.

Cookie settings in Explorer were highly detailed in 2005.

Many of us abandoned Internet Explorer for alternatives such as Camino. That had originated within Netscape as Chimera in 2002, based on its Gecko layout engine, with a native Mac OS X front end. The following year it was rebranded as Camino, and amazingly lasted until 2012.

There were other competitors, such as Omni Group’s OmniWeb, which had been developed for NeXTSTEP since 1995, then moved to Mac OS X until 2012.

This is OmniWeb in 2007, showing the different browsers it could identify itself as, including a single version of Safari 1.0.

In January 2003, Apple launched the first beta-release of its own browser, Safari, and bundled it in Mac OS X 10.3 Panther when it was released that October. Since then Safari has been a regular fixture in successive versions of Mac OS X, OS X, and macOS. For several years, it was the only browser on iOS and iPadOS.

This is Safari 1 showing the front page for Apple’s developer site in 2004, complete with the offer to download Xcode version 1.5 with dead code stripping as a new feature. That year, Mozilla Firefox was released as an alternative, and has continued to support Macs ever since.

Mac OS X 10.4 Tiger came with Safari as the only bundled browser when it was released in April 2005, although it took Safari 2.0.4 in early 2006 before it was stable.

Page loading was slow in 2005, when Apple’s front page took a total of over 16 seconds to load fully, but that only used 6.8 MB of memory. By contrast, today Apple’s front page only takes a couple of seconds but requires over 200 MB.

There were times when the only way ahead with these early versions of Safari was to completely reset it, emptying its cache, and even removing all passwords and AutoFill text. This is Safari 2 in 2006.

Prominent among the plugins in 2006 was the dreaded Shockwave Flash, which had only recently been taken over by Adobe when it acquired Macromedia the previous year. Details of plugins are here being displayed on an internal web page within Safari 2.

Safari 3, bundled in Mac OS X 10.5 Leopard in October 2007, brought the claim that it was then the fastest browser, but it was troubled by bugs and security problems at first.

Safari 3 had already grown extensive preferences, covering the use of plugins, Java, JavaScript and cookies, seen here in 2007.

Its successor, Safari 4, followed in the summer of 2009, ready for Mac OS X 10.6 Snow Leopard, with further performance improvements, particularly in its JavaScript engine.

By 2009, Safari 4 was able to warn the user if it was about to visit a site blacklisted by the Google Safe Browsing Service. At least when that service was available. That year also saw Preview and Beta releases of Google Chrome, now Safari’s most serious competitor on Apple’s hardware.

Safari 5 was released a year later, in 2010, and was bundled in Mac OS X 10.7 Lion in 2011. This brought Reader mode and opened the door to third-party extensions.

Safari’s hidden Debug menu provided a collection of tools for web developers, and more recently has become the even more extensive Develop menu.

By the release of macOS 10.12 Sierra in 2016, Safari had reached version 10.

By 2016, close control over Adobe Flash Player had become critical, as a result of its frequent exploits, although it remained highly popular with content developers before Adobe finally killed it at the end of 2020.

Since 2021, with the release of macOS 12 Monterey, Safari 15 and its successors have been able to perform on-the-fly translation, as demonstrated here.

Safari is now the bundled browser in macOS, iOS, iPadOS and visionOS, and this year is set to leap in version number from 18 to 26 with the arrival of Tahoe and its sister OSes. It has been a long and sometimes troubled journey over those 22 years, and despite strong competition from Google Chrome and Chromium-based browsers, it remains the browser of first choice for a great many using Apple’s hardware products. I hope my screenshots have brought back more happy memories than traumatic moments.

Apple has released an update to XProtect for all macOS

Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5302. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version adds a new rule for MACOS_SOMA_FA_LE, again extending coverage of the Amos/Soma family of malware.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5302

Sequoia systems only

This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5302 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

Solutions to Saturday Mac riddles 313

I hope that you enjoyed Saturday’s Mac Riddles, episode 313. Here are my solutions to them.

1: Light and lenses control a car inside Macs until 2013.

Optical drive

Light and lenses (optical) control a car (to drive) inside Macs until 2013 (they were fitted internally in Macs until 2013 models, with the last being in the MacBook Pro 13-inch mid-2012 that wasn’t discontinued until 2016).

2: Splendid campaign originally for airs until last August.

SuperDrive

Splendid (super) campaign (drive) originally for airs (this external optical drive was first intended for MacBook Airs) until last August (they were discontinued in August 2024).

3: Cupertino’s Roman 400 in South Carolina was the first in 1988.

AppleCD SC

Cupertino’s (Apple) Roman 400 (in Roman numerals, CD) in South Carolina (abbreviated to SC) was the first in 1988 (it was Apple’s first tray-loading CD-ROM reader, available between 1988-91).

The common factor

They’re all optical drives that have been sold by Apple.

I look forward to your putting alternative cases.

Saturday Mac riddles 313

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Light and lenses control a car inside Macs until 2013.

2: Splendid campaign originally for airs until last August.

3: Cupertino’s Roman 400 in South Carolina was the first in 1988.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

Apple has released an update to XProtect for all macOS

Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5301. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version adds a new rule for MACOS_AMOS_BO_EN, extending coverage of the Amos/Soma family of malware.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5301

Sequoia systems only

This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5301 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

Solutions to Saturday Mac riddles 312

I hope that you enjoyed Saturday’s Mac Riddles, episode 312. Here are my solutions to them.

1: Border lake claims it’s both 10 and 1A.

Tahoe

Border lake (Lake Tahoe is on the border between California and Nevada) claims it’s both 10 and 1A (depending on where you look, it reports it’s version 16, 10 in hexadecimal, or 26, 1A in hex).

2: Clearly a new material comes with concentricity.

Liquid Glass

Clearly (it uses transparency) a new material (as Apple describes it) comes with concentricity (markedly rounded corners are an obvious feature).

3: Patented in 1876, it’s finally on its way to our Macs.

Phone

Patented in 1876 (the telephone was patented then by Alexander Graham Bell), it’s finally on its way to our Macs (macOS Tahoe introduces the Phone app).

The common factor

They’re all new in macOS 26 Tahoe.

I look forward to your putting alternative cases.

Saturday Mac riddles 312

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Border lake claims it’s both 10 and 1A.

2: Clearly a new material comes with concentricity.

3: Patented in 1876, it’s finally on its way to our Macs.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

A brief history of rebuilding and repairing

A cynic might summarise the history of Mac OS in four eras:

  1. rebuilding the Desktop (Classic Mac OS)
  2. repairing system permissions (Mac OS X to OS X 10.10)
  3. resetting Home permissions (OS X 10.11 to macOS 10.15)
  4. cursing privacy protection (macOS 11 onwards).

There is slight overlap between the last two, in macOS 10.14 and 10.15.

Rebuilding the Desktop

Classic Mac OS built its Desktop illusion using hidden databases that associated types of document with icons set by the apps that created them. This was based on two four-character codes in every file to specify the file’s type and creator. Periodically, those databases became damaged and this association stopped working, with the result that all documents were displayed with the same generic icon.

Rebuilding those Desktop databases was initiated by restarting the Mac while holding the Command and Option keys until the dialog was shown. Mac OS then checked through all installed apps to reconstruct their associations with document types.

This had to be repeated for each volume in turn as it was mounted by Mac OS. If there wasn’t sufficient free space on a volume, the process failed. The price of some utilities like TechTool Pro was often justified by the tools they provided for assisting in this process.

Mac OS X ended that reliance on Desktop databases, leaving this to die with Classic Mac OS.

Repairing system permissions

Since its first beta-release, Mac OS X suffered from ill-defined and pervasive problems thought to result from corruption of files used by the system. Until the introduction of System Integrity Protection (SIP) in 10.11 El Capitan, those generally resulted from files within the system acquiring incorrect permissions. Various reasons were proposed for this, including installer scripts that overstepped their bounds.

To address this, Disk Utility had a feature whereby it could check and repair permissions of all major parts of the system, based on information contained in BoM files for system updates and installations. Repairing permissions in this way became one of the main panaceas in older versions of Mac OS X and OS X, and was an important feature in Disk Utility.

Repairing permissions is no longer the panacea that it once was, but is part of checking general disk health.

Although chiefly intended to provide better security protection, one of the benefits of SIP was that it largely prevented system files from gaining incorrect permissions, and the feature to repair them was removed from Disk Utility. In any case, because of SIP it was no longer possible for Disk Utility to change the permissions of files protected by SIP.

Resetting Home permissions

When macOS 10.12 Sierra was released, a different problem appeared, in which permissions apparently became set incorrectly not in system files generally, but in the user’s Home folder, and specifically in ~/Library/Preferences. To address this Apple added a new verb to the already complex command tool diskutil, resetUserPermissions, and described how to use this in a support note. It’s perhaps no coincidence that this new problem appeared at about the same time that cfprefsd took on the management of those preference files.

At that time, the following problems were attributed by Apple to incorrect permissions in ~/Library/Preferences:

  • changes to preference settings, particularly those for System Preferences, do not ‘stick’;
  • changes made to the Dock do not ‘stick’;
  • you are asked to authenticate when trying to move or alter some folders in your Home folder;
  • when trying to save, you are told that the file is locked, or that you don’t have permission;
  • Preview, TextEdit, and App Store apps (which are sandboxed) may crash when opened;
  • alerts appear warning that the startup disk has no more space available for app memory;
  • Safari or SafariDAVClient use large amounts of resources (memory);
  • the Mac runs very slowly;
  • iTunes cannot sync a device;
  • there are problems with Photos or iPhoto libraries, including inability to import into the library, or forgetting the library each time the app is opened.

Most if not all of those could be attributable to problems arising from bugs in cfprefsd.

Apple later changed its recommendations to include running a new tool repairHomePermissions in Recovery mode, then re-installing macOS. Shortly afterwards, in June 2020 when Big Sur was in beta, Apple withdrew that support note and all reference to repairing permissions, although the tool is still available in Recovery mode even on Apple silicon Macs.

Cursing privacy protection

Prior to macOS 10.14 Mojave, privacy protection had been limited and largely unobtrusive. We then began to discover that our favourite apps were being locked out of accessing files in many of our working folders.

Thus the era of adding apps to the Full Disk Access list started, and we came to curse the blessing of privacy protection.

Even better, Apple later added extended attributes that could prevent apps perfectly capable of editing documents from being able to save them just when we needed that most. And protected the extended attribute using SIP.

Maybe rebuilding the Desktop databases every couple of months wasn’t so bad after all?

Apple has released an update to XProtect for all macOS

Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5300. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version modifies an existing rule for MACOS.a6d7810, whatever that might be.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5300

Sequoia systems only

This update has just been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5300 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

Updated 2215 10 June 2025 with iCloud release information.

macOS 26 Tahoe is coming

As expected, Apple announced the next major version of macOS and its other operating systems, on the opening day of WWDC yesterday. This followed a disarming vision of Craig Federighi sporting a forest of grey hair and racing a Formula 1 car around the roof of Apple Park. Mercifully, that turned out to be a promotion for a new Apple TV+ production titled F1, rather than anything about to happen to macOS. And he didn’t crash.

Previews of each new OS were prefaced by the promise of “big announcements for all of our platforms”, and inevitably opened with plans for Apple Intelligence and Private Cloud Compute. Language support is going to be further extended, and additional new features are going to be announced later during this cycle. Perhaps most important is the news that third-party developers are to be given access to on-device Large Language Models (LLMs) through a Foundation Models Framework. This looks highly accessible, and it will be exciting to see what that enables.

As widely forecast, these new major versions bring a redesign intended to harness the power of Apple silicon, with a look dubbed Liquid Glass. This features layers of translucent controls that adapt to your actions, for example moving out of the way when scrolling. Although this is harmonised across devices, fears that macOS will be ‘dumbed down’ to resemble iOS appear unfounded. Indeed, iPadOS is steadily moving closer to macOS with a more Finder-like Files app, and iPads will at last be able to run background tasks.

Some features of Liquid Glass appear visually stunning, for example when providing 3D effects of depth in lock screen photos. Overall, from the little that has been shown so far, it looks impressive without being obtrusive or irritating. To get the best out of Liquid Glass, apps will need to be rebuilt against the improved API, and their appearance tuned lightly. Some special visual effects may need access to new API features, though.

To get the best out of this new look, icons need to be layered, and adapted for new appearance options including transparent. Apple has provided a new Icon Composer app to support that. Although I doubt whether it will become as popular as ResEdit was in Classic Mac OS, I can see Icon Composer being used more widely than the rest of Xcode.

Hardware support

Surprisingly, four Intel models continue to be supported by Tahoe. The full list given by Apple reads:

  • MacBook Pro 16-inch 2019, and 13-inch 2020 with four Thunderbolt ports,
  • iMac 2020,
  • Mac Pro 2019,
  • all Apple silicon models from 2020 onwards.

Although those Intel models will be able to use many of the new features in Tahoe, they continue to be unable to access any Apple Intelligence.

This means that Tahoe will continue to be a large Universal binary, and could in theory be supported by OCLP, although that’s likely to be more challenging. Apple has stated explicitly that Tahoe will be the last major version of macOS to support Intel Macs.

Version numbering

As rumoured, Apple has changed the numbering of all its OSes, bringing them in synchrony to version 26. This even applies to the new beta-release of Xcode for Tahoe.

Although that might come as a surprise to some code and scripts, because it’s a higher major version number than Sequoia this should present far fewer problems than did macOS 11 Big Sur. You might still like to check anything of yours that does check version numbers to ensure it doesn’t trip up.

Details

In keeping with the redesign, improvements in folder and icon appearance were mentioned early. Easy folder customisation is coming, allowing the standard icon to be enhanced with the superimposition of symbols and emoji, and its colour changed. Icons can be tinted by the user, as well as being layered in Icon Composer.

Continuity features that integrate Macs with devices are being extended with support for Live Activities added to macOS. The Phone app will be added as well, in its improved form from iOS 26.

Shortcuts gains ‘intelligent’ actions, and will have direct access to LLMs in Private Cloud Compute. Spotlight has undergone a major update, but in Global Spotlight features rather than local search. From the Spotlight icon, there will be intelligent actions integrated with Shortcuts, quick keys abbreviations, and it will be contextually aware. To take advantage of these, third-party apps will need to use App Intents.

Games will be integrated into a new Games app, and gain translucent controls.

The powerful GPUs in Macs supported by Tahoe should also become more capable, with the introduction of Metal 4.

Finally, Tahoe is dropping full first run security checks on notarized apps, which should ensure they all launch blazingly fast. Although a few malicious apps have been inadvertently notarized in the past, running XProtect checks on them seems pointless, as the notarization process involves more extensive checks than those performed by XProtect. If malware has managed to sneak past Apple’s checks and become notarized, then nothing in macOS is going to detect it as being malicious.

Release dates

Apple has already released the first developer beta-test version of Tahoe and its sister OSes. The first public beta is promised for July, and full release of macOS 26.0 is due in the fall/autumn.

I’ve already started testing my own apps.

Solutions to Saturday Mac riddles 311

I hope that you enjoyed Saturday’s Mac Riddles, episode 311. Here are my solutions to them.

1: Shines a beam of light into files and the web.

Spotlight

Shines a beam of light (a spotlight) into files and the web (it searches both local files, and the web).

2: The detective who found for Apple from 1998.

Sherlock

The detective (Sherlock Holmes, created by Sir Arthur Conan Doyle) who found for Apple (it became the Mac’s search tool) from 1998 (introduced in Mac OS 8.5 in 1998).

3: His faithful assistant came from Karelia and went to Java.

Watson

His faithful assistant (Dr Watson was Sherlock Holmes’ assistant) came from Karelia (developed by Karelia Software) and went to Java (after it was ‘sherlocked’ by Apple, it was ported to Java for Sun).

The common factor

They have all been search tools popular on the Mac.

I look forward to your putting alternative cases.

LogUI build 60 reads iOS, iPadOS, macOS and other logarchives

Until now, LogUI has only been able to access the active log of your Mac, by reading it directly. There are occasions when you can’t do that, or want to preserve the log for future reference. You also can’t browse the log directly on any of Apple’s devices. In these cases, and others, the best solution is to make a logarchive, and browse that instead. I’m delighted to provide an update to LogUI that can browse logarchives, including those created in iOS, iPadOS, and on Apple’s other devices.

What is a logarchive?

A logarchive is an undocumented package containing copies of all the files from the active log at the moment the logarchive was created. They can be opened and browsed by Console, Consolation 3, Ulbow, the log command tool, and now by LogUI. Because they contain all the files that make up the log, they can be large, and typically range in size from about 300 MB to over 1 GB. All the files containing log entries are stored in their original binary tracev3 format, proprietary to Apple, and again undocumented, although that format has been reversed in the past.

Create a logarchive

The easiest way to create a logarchive is to run a sysdiagnose, and that’s the standard way for saving a logarchive on one of Apple’s devices. Methods vary by device, and include:

  • On a Mac, use the System Diagnostics… option in Activity Monitor’s Action tool, or press the Shift, Command, Control, Option and . keys at the same time, or run sudo sysdiagnose -f ~/Documents to save it to your Documents folder.
  • On an iPhone or iPad, press and hold both volume buttons and the side or top button at the same time, for about 2 seconds. This combination may trigger other features, though. The sysdiagnose file will be made available in Settings > Privacy & Security > Analytics & Improvements > Analytics Data, from where you can transfer it to your Mac.

Unpack the .tar.gz archive resulting from that, and you’ll find a system_logs.logarchive inside it.

On a Mac, you can instead use the log collect command to create a logarchive directly. For example,
log collect --output ~/Documents/my.logarchive --last 5m
collects the last 5 minutes of log in the specified logarchive package. macOS security will block you from trying to save that logarchive on an external volume, though.

My free log browser Ulbow uses another method for assembling logarchives, and the next build of LogUI will incorporate that and other tools for working with logarchives.

Browse a logarchive in LogUI

This new build of LogUI has a seventh tool, to Use Logarchive. Click on that and you’ll be prompted to select the logarchive to open and browse.

Because the dates and times used in the logarchive will be different from current clock time, the LogUI window displays red warning text just to the left of the Start time. Set the date and time to a period within the scope of that logarchive, and use the Get Log tool as normal.

The log excerpt shown in the screenshot above is taken from the kernel boot sequence of my iPhone 15 Pro, to demonstrate how this all works.

If you want to return that window to browsing the active log, click on the Use Logarchive tool again, but this time cancel the selection. Other windows will of course continue to browse the active log unless you set them to use a logarchive as well.

Coming soon

Although browsing saved log entries in a logarchive is exactly the same as those of the active log, dates and times can be a pain. If you want to check when log files in a logarchive were written, use the Finder’s contextual menu to show their contents, scroll to the foot of the folders inside, select the Persist folder and check the file creation dates there.

This is made even easier in the forthcoming new build of LogUI, which features a Logarchive Tool to help you navigate logarchives, and learn which date and time ranges are appropriate.
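
An added shell example (not part of LogUI or the original article) of the unpacking step and the Persist date check described above: it extracts only system_logs.logarchive from a sysdiagnose .tar.gz, rejects archives with unsafe member paths, and reports the oldest and newest Persist files by modification time. Function names and the tiny stand-in tarball are constructed; it assumes tar preserves modification times on extraction.

```shell
#!/bin/sh
# Added example: pull only system_logs.logarchive out of a sysdiagnose .tar.gz.
# Function names are hypothetical and the fixture is constructed; a real
# sysdiagnose archive is far larger and its file names will differ.

# find_logarchive TARBALL  ->  prints the member path of the logarchive folder
find_logarchive() {
    tar -tzf "$1" |
        sed -n 's|^\(.*system_logs\.logarchive\)/.*$|\1|p' | sort -u | head -n 1
}

# extract_logarchive TARBALL DEST  ->  unpacks just the logarchive, prints its path
extract_logarchive() {
    tarball=$1 dest=$2
    # Refuse absolute paths and ".." components anywhere in the listing
    if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $tarball" >&2; return 1
    fi
    member=$(find_logarchive "$tarball")
    [ -n "$member" ] || { echo "no system_logs.logarchive in $tarball" >&2; return 1; }
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest" "$member" || return 1
    # The article points at the Persist folder, so require it as a sanity check
    [ -d "$dest/$member/Persist" ] || { echo "no Persist folder" >&2; return 1; }
    echo "$dest/$member"
}

# persist_span ARCHIVE  ->  prints "oldest newest" Persist file names by mtime
persist_span() {
    oldest=$(ls -tr "$1/Persist" | head -n 1)
    newest=$(ls -t "$1/Persist" | head -n 1)
    [ -n "$oldest" ] || return 1
    echo "$oldest $newest"
}

# make_constructed_sysdiagnose DIR  ->  builds a stand-in tarball, prints its path
make_constructed_sysdiagnose() {
    root=$1/src/sysdiagnose_constructed
    persist=$root/system_logs.logarchive/Persist
    mkdir -p "$persist" "$root/logs"
    echo dummy > "$root/logs/other.txt"
    echo dummy > "$persist/0000000000000a01.tracev3"
    echo dummy > "$persist/0000000000000a02.tracev3"
    touch -t 202506090800 "$persist/0000000000000a01.tracev3"
    touch -t 202506091200 "$persist/0000000000000a02.tracev3"
    tar -czf "$1/sysdiagnose_constructed.tar.gz" -C "$1/src" sysdiagnose_constructed
    echo "$1/sysdiagnose_constructed.tar.gz"
}

# Demo on the constructed fixture
work=$(mktemp -d)
tgz=$(make_constructed_sysdiagnose "$work")
archive=$(extract_logarchive "$tgz" "$work/out") && persist_span "$archive"
ls -ltr "$archive/Persist"    # dates to pick a Start time from
rm -rf "$work"
```
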

LogUI 1.0 build 60 is now available from here: logui160
and from its Product Page.

I’ll be along with a new build in a few days, once I have tested and documented its Logarchive Tool. In the meantime, I hope you’ll find LogUI useful for studying the first beta-releases of Apple’s new operating systems.

Saturday Mac riddles 311

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Shines a beam of light into files and the web.

2: The detective who found for Apple from 1998.

3: His faithful assistant came from Karelia and went to Java.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

Apple has released an update to XProtect for all macOS

Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5299. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version adds three new rules, for MACOS_ODYSSEY_A, MACOS_ODYSSEY_B and MACOS_SOMA_M.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5299.

Sequoia systems only

This update has now been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5299 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

Updated 1845 GMT 4 June 2025 with iCloud availability at last.

Solutions to Saturday Mac riddles 310

I hope that you enjoyed Saturday’s Mac Riddles, episode 310. Here are my solutions to them.

1: London to Pontarddulais in Macs for six months.

M4

London to Pontarddulais (route of the M4 motorway in Britain) in Macs for six months (first shipped in Macs last November).

2: Jupiter’s flash now reaches 80 for the Pros.

Thunderbolt 5

Jupiter’s flash (a thunderbolt) now reaches 80 (it offers 80 Gb/s transfer rates) for the Pros (it’s available in M4 Pro and Max chips).

3: Very long run from the Thames to Eastleigh came to the workshop in March.

M3 Ultra

Very long run (an ultra) from the Thames to Eastleigh (route of the M3 motorway in England, from Sunbury-on-Thames) came to the workshop in March (first available in the Mac Studio of March 2025).

The common factor

They’re all new hardware in Macs released over the last six months or so.

I look forward to your putting alternative cases.

Saturday Mac riddles 310

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: London to Pontarddulais in Macs for six months.

2: Jupiter’s flash now reaches 80 for the Pros.

3: Very long run from the Thames to Eastleigh came to the workshop in March.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

A brief history of Mac OS version numbers

With strong rumours that Apple intends changing its version numbering system for the next major release of macOS and its other operating systems, it’s a good time to see how we got to macOS 15.

Early Classic Mac OS

The first version of Classic Mac OS released with the original Macintosh 128K naturally came with System 1.0 and Finder 1.0. Within a few months, version numbering was already becoming confusing, when the successor System Software 0.1 had apparently started at 0.0, but the System itself had reached 1.1. This worsened when System Software 1.0 was released two years later, and came with System 3.1 and Finder 5.2.

Apple then adopted its first triplet numbering scheme that resembled modern Semantic Versioning in System 6.0 of June 1988. Over the following three years that worked its way steadily up to version 6.0.8, then handed over to System 7 on 13 May 1991 without any minor versions being released.

System 7

The first full use of the triplet numbering scheme came with System 7. That had four minor versions, 7.0, 7.1, 7.5 and 7.6, with each having patch releases such as 7.0.1 in between. This scheme followed the rules:

  • the first number gives the major version;
  • the second number gives the minor version that should remain backward-compatible in its changes;
  • the third number gives the patch version denoting backward-compatible bug fixes.

It was then that Apple started to release special versions of Mac OS to support new models, for example 7.1P5 for Performa models, complicating the numbering. This was even worse with System 7.1.2, which was only supplied with some early Power Macs and a few 68K Quadra models. That was accompanied by System 7.1.2P, a special version for models released around the time that Apple also released System 7.5, in September 1994.

System 7.5 brought a different numbering scheme to deal with exceptions. For example:

  • System 7.5.3 Revision 2 followed 7.5.3 without any Revision 1, and made various improvements;
  • System 7.5.3 Revisions 2.1 and 2.2 were released on the same day to address problems with Revision 2 on different models;
  • System 7.5.4 was never released at all, and the next release was 7.5.5.

Fortunately, the remaining versions of Classic Mac OS were conventional in their numbering, until the last in Mac OS 9.2.2 in December 2001.

Mac OS X

The public beta of Mac OS X introduced build numbers to supplement their triplet version numbering. At this time, the build number was based broadly on three components:

  • the first number or build train gives the major version, starting from 4 for 10.0, as this includes NeXTSTEP up to version 3;
  • the letter gives the minor version number, starting from A, which can also be bumped for hardware-specific builds, so may not match the triplet minor version number;
  • the remaining number is the sequential build number within that minor version, usually incremented daily. That’s normally three digits, but an additional digit can be prefixed to indicate specific hardware platforms.

Triplet versions and build numbers were surprisingly well behaved until 2010, although separate build numbers were used during the transition from PowerPC to Intel architecture in Mac OS X 10.4 Tiger.

The first signs of complications came with Mac OS X 10.6.3, in March-April 2010, which came in three different builds and a v1.1, and 10.6.8 also had a v1.1 released a month after the original update. Mac OS X 10.7 Lion set a trend for a final Supplemental Update to 10.7.5, and frequent Security and Supplemental Updates became the rule by 2018, with macOS 10.12 Sierra and its successors.

By 2019, these updates had become uncontrollable. macOS 10.14 Mojave, for example, had three Supplemental Updates in the two months after its final release, named as 10.14.6 Supplemental Update, 10.14.6 Supplemental Update (a second time), and 10.14.6 Supplemental Update 2 (really 3).

macOS 11

The first version of macOS to support Apple silicon Macs, macOS 11 Big Sur, had been generally expected as macOS 10.16, but shortly before its announcement at WWDC in June 2020 the decision was made for it to become macOS 11, incrementing the major version number for the first time in almost 20 years. As that reset the minor version number from 15 to 0, there was the potential for chaos, as many scripts and much code had come to ignore the major version number, and to rely on the minor version to determine which release was running.

To cater for this, when those checked ProcessInfo.processInfo.operatingSystemVersion.minorVersion (or its equivalent), Big Sur identified itself as macOS 10.16. Apps ported to Xcode 12 used the 11.0 SDK; when they checked ProcessInfo.processInfo.operatingSystemVersion.minorVersion (or its equivalent), Big Sur identified itself as macOS 11.0. Those who relied on command tools were provided with a workaround, as
sw_vers -productVersion
returned 10.16 when running in Big Sur on an Intel Mac, but 11.0 on an Apple silicon Mac.
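
The pitfall described above, and the reason the Tahoe article advises checking anything that tests version numbers, as an added shell example (not from the original articles or from Apple): a check that reads only the minor version misfires on 11.0 and 26.0, while a full triplet comparison does not. Function names and sample version strings are constructed for illustration; treating 10.16 as 11.0 is an assumption of this example.

```shell
#!/bin/sh
# Added example: gate on a macOS version without tripping over 10.16, 11.0 or 26.
# Function names are hypothetical; the version strings are constructed samples of
# what `sw_vers -productVersion` can return.

# normalise_version VERSION  ->  prints "major minor patch", or fails on bad input
normalise_version() {
    v=$1
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    # Assumption: 10.16 is Big Sur's compatibility alias, so treat it as 11.0
    if [ "$major" -eq 10 ] && [ "$minor" -eq 16 ]; then
        major=11; minor=0
    fi
    echo "$major $minor $patch"
}

# version_at_least HAVE WANT  ->  0 if HAVE >= WANT, 1 if not, 2 on bad input
version_at_least() {
    have=$(normalise_version "$1") || return 2
    want=$(normalise_version "$2") || return 2
    set -- $have $want
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# The fragile habit from the 10.x years: ignore the major version entirely.
minor_only_at_least() {
    have_minor=$(echo "$1" | cut -d. -f2)
    [ "${have_minor:-0}" -ge "$2" ]
}

# Demo: "requires Catalina (10.15) or later" evaluated both ways.
# In a real script the first argument would be "$(sw_vers -productVersion)".
for sample in 10.15.7 10.16 11.0 15.5 26.0; do
    if minor_only_at_least "$sample" 15; then fragile=pass; else fragile=FAIL; fi
    if version_at_least "$sample" 10.15; then robust=pass; else robust=FAIL; fi
    printf '%-8s minor-only=%s triplet=%s\n' "$sample" "$fragile" "$robust"
done
```
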

This enabled Apple to return to a triplet scheme without the complications of Supplemental Updates or other vagaries. Each year’s major version of macOS has thus been x.0, with scheduled minor versions numbered from x.1 to x.5 or x.6, and intermediate patch releases (usually security updates) from x.x.1 upwards. At the end of its year as the current release of macOS, x.6 marked the start of its first year of security-only support, and x.7 for the second and final year. The exception to this has been Sonoma, which started its first year of security-only support with version 14.7, so its security updates have coincided in their minor and patch numbers with the older Ventura.

The only complication to this much clearer system was introduced in Ventura with Rapid Security Responses (RSRs). Those didn’t change the triplet version, as macOS proper remained unchanged, but added a letter to form, for example, macOS 13.4.1 (c). That proved clumsy, and when reflected in a resulting Safari version number it broke a lot of major websites that were unable to identify the browser version correctly. Since RSRs have fallen out of favour, this proved to be a passing phase.

When I wrote about the unexpected change in version numbering brought in Big Sur, I claimed that “no matter what Apple may eventually settle on, I shouldn’t have to change that again for many years.” I’m not sure that five counts as many, but here we go again.

References

Semantic Versions, SemVer
Apple package version numbering
Robservatory Mac OS X versions and release dates
System updates, including security data etc., since 2016

Searching for the file that won’t be found

Searching for a file with a distinctive word in its name should be straightforward, but here I show some weird problems that could catch you out. I’m very grateful to Sam for drawing my attention to this, and welcome all and any rational explanations of what’s going on.

In some accounts of ancient Greek mythology, Cleta (Κλήτα) was one of the two Charites or Graces, alongside Phaenna. Her name apparently means renowned, and is still occasionally used as a first name today. It’s not the sort of word that should give Spotlight any cause for concern, and should prove easy to find.

Demonstration

To see the problems it can cause, create a folder somewhere accessible, in ~/Documents perhaps, and create half a dozen files with the names shown below.

Now open a new Finder window, and set it to Find mode using that command at the foot of the File menu. Then type into its search box the letters cleta

Only four of the files in that folder are found, excluding the first two, despite the fact that all their names clearly contain the search term.

Now clear the search box, and in the search criterion below, set it to find Name contains cleta, which you might have thought would be the same as the previous search.

Now all six files are found successfully.

You can try other variations of the file name to see which can be found using the search box, and which remain hidden. For example,
1995z_spectacletable_01.txt
also appears susceptible to this problem, suggesting that other examples might have the form
[digits]_[chars]cleta[chars]_[digits].[extension]

Separators

There are some other oddities at work as well, that you can see in the four file names that haven’t yet played hide and seek. So far I’ve been using Spotlight to find file names that simply contain the characters cleta. Now extend that to cletapainting

While you would expect the second of those to appear, Spotlight has elided the hyphen embedded in the first, as if it wasn’t there. Although Spotlight doesn’t provide a simple way to search for discrete words in file names, that’s a feature readily accessible in several third-party search utilities, including Find Any File and HoudahSpot. If you use Spotlight much, both of those are essentials, and you may wish to add Alfred as well.

As expected, Find Any File has no problems in finding all six test files when looking for names containing cleta

Set it to find names containing the word cleta, though, and it recognises spaces, hyphens and underscore _ characters as word separators, but doesn’t oblige with CamelCase, whether or not you capitalise its initial character.

Conclusions

  • Avoid using the characters cleta in file names, as they can confuse Spotlight.
  • Leave the search box in the Finder’s Find window empty and construct your search in the lower search bars instead.
  • Spotlight can overlook hyphens in file names, but does treat them as word separators.
  • Searching for words in file names can treat spaces, hyphens and underscore _ characters as word separators, but can’t cope with CamelCase.
  • Spotlight’s rules are largely unwritten. Apple’s brief account is here, and doesn’t even mention the name Cleta.

My thanks again to Sam for providing me with the example of cleta that made this possible if apparently highly improbable.

Postscript

For those who think this all works as they expect, try the following file name:

1995z_star-post-office-cleta-hunt-portrait_01.txt

Save space on the internal SSD by adding another volume

A basic Mac system consists of the Mac itself and external storage for its backups, and is by far the most popular configuration. For many folk backing up the whole of its Data volume is wise, but that isn’t always the most economical. If the Data volume contains large items that don’t need to be backed up as often as its working folders, that can waste space. This article shows how you can make it more efficient without additional cost or hardware.

Backups and local snapshots

Most good backup utilities including Time Machine also make local snapshots of the volumes they back up. Let’s say your Data volume contains 100 GB of files that either change little or don’t need to be backed up as frequently as the rest. One proven strategy for minimising the time and storage required for backups is to add those to the exclusion list, and back them up separately, maybe only once a week. You can do that to another volume on external storage, provided you ensure there’s sufficient space for both that and your normal automatic backups.

What that doesn’t do is keep those 100 GB out of the frequent snapshots made of the Data volume. While you can exclude files and folders from backups, snapshots always include everything in that volume, without exclusions. The only way to save the space they add to snapshot size is to move them to another volume that doesn’t get snapshots made of it. But your Mac’s standard disk layout doesn’t provide any spare volume for that.

This could apply to all sorts of relatively static data that doesn’t need Time Machine’s automatic hourly backups, including Virtual Machines and some large media libraries, although you won’t then be able to share these in iCloud Drive, which would require them to be in your Data volume.

Boot disk layout

Standard layout of the internal SSD of an Apple silicon Mac running Sequoia or earlier is shown below.

[Figure: boot disk structure of an Apple silicon Mac running Sequoia]

Intel Macs have the same Apple APFS container with the Boot Volume Group in it, but the other two containers are replaced by a single small EFI partition.

Adding another partition or container is possible, but not recommended as it has a fixed size, and lacks the flexibility of a volume. It also risks disturbing the three existing partitions/containers. As they’re essential for the Mac to start up successfully, you don’t want to meddle with them.

In practice, the best place to add a new volume is inside the third container, the one already holding the System and Data volumes. Add that in Disk Utility once you’ve decided the next two steps.

Limit volume size

Your new volume is going to share space in its container with all the existing volumes, including both System and Data. It’s usually wise to impose a maximum limit on the size it can grow to, to avoid compromising any of those. When you add the new volume, put a sensible limit on its Quota Size.

Encryption

Although Apple’s documentation isn’t explicit, volumes added to the boot container aren’t protected by FileVault, unlike the Data volume. If you want your extra volume to be encrypted, you’ll have to format it in APFS (Encrypted). Whether that’s accelerated by the hardware in the Secure Enclave isn’t clear, and on Apple silicon Macs it’s hard to tell the difference, as you should get similar full speed performance from your extra volume to that of the Data volume.

Setting it up

Open Disk Utility, ensure its View options are set to Show All Devices, then select the Container holding the boot volumes. Click the + tool to add the new volume.

Give the volume a name, then click on the Size Options… button.

Enter your chosen Quota Size, as the maximum you want to allow the extra volume to use on the boot SSD, and click OK.

Then select whether you want it formatted in plain APFS, or encrypted, and click the Add button.

If you’ve opted for APFS (Encrypted) you’ll then be prompted to enter the encryption password. Unlike FileVault, there’s no option for a Recovery Key, or for iCloud Recovery.

When you first unlock the extra volume, you’ll be given the option to save its password to your keychain. That confirms this isn’t being performed by FileVault, as that protects its encryption keys in the Secure Enclave.

There are a couple of quirks:

  • If you try unmounting the extra volume using the Finder’s contextual menu, macOS might try to unmount all volumes on the boot disk, and warn you that it can’t. Simply cancel those warnings, and the extra volume should unmount fine. If you’re worried by this, unmount the volume in Disk Utility, which isn’t as silly.
  • You can use the Finder contextual menu to encrypt or decrypt the volume if you change your mind.

Summary

  • To save space in local snapshots made for backups of your Data volume, move bulky items that you back up separately to an extra volume alongside the Data volume.
  • Set a Quota Size on the extra volume to limit the maximum space it can take.
  • Use plain APFS or APFS (Encrypted) as the extra volume can’t be protected by FileVault.
  • If you encrypt the volume, safeguard its password as there’s no recovery option if you lose it.
  • The extra volume performs as well as any other volume on the internal SSD, and is far faster than using external storage.
