Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5310. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds a single new detection rule for MACOS.SOMA.AUENA, further extending its coverage of Soma/Amos.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5310
Sequoia systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5310 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
Apple has just released updates to XProtect for all supported versions of macOS, bringing it to version 5309, and to XProtect Remediator for all macOS from Catalina onwards, to version 153. As usual, Apple doesn’t release information about what security issues these updates might add or change.
Yara definitions in this version of XProtect add a single new detection rule for MACOS.SOMA.JUENB, part of the Soma/Amos family.
XProtect Remediator doesn’t change the list of scanner modules.
There are extensive changes to the Bastion rules, which add a new definition for common system binaries, extend Rule 1 coverage to include support folders for more browsers, tweak Rules 3 and 14-17, and add new Rules 18-24.
You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-153 and XProtectPlistConfigData_10_15-5309.
Sequoia and Tahoe systems only
The XProtect update has already been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5304 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
I hope that you enjoyed Saturday’s Mac Riddles, episode 319. Here are my solutions to them.
1: Successor to 3 inside a scheme was part of a popular atelier.
Click for a solution
InDesign
Successor to 3 (Adobe developed it to replace the ailing PageMaker) inside (in) a scheme (a design) was part of a popular atelier (for many years it was one of the leading apps in Adobe’s Creative Studio).
2: High speed subatomic particle took the lead in the 1990s.
Click for a solution
QuarkXPress
High speed (express) subatomic particle (a quark) took the lead in the 1990s (by the mid-1990s it had taken around 90% of the desktop publishing market on Macs).
3: Creator of a squire’s assistant was the first, but died before Mac OS X.
Click for a solution
PageMaker
Creator (maker) of a squire’s assistant (a page) was the first (released in July 1985 for the Mac), but died before Mac OS X (by 2000, it was moribund as Adobe was replacing it with InDesign, released in 1999, and it was never ported to Mac OS X).
The common factor
Click for a solution
They have all been leading desktop publishing apps for Macs.
This week’s dive into RunningBoard tackles one of the central questions: this subsystem repeatedly uses the term assertion, but what are these assertions, and how does RunningBoard handle them?
In computing, assertions may have their origin in hardware verification languages like Verilog, where they’re used to state required conditions in declarative form. They appear to have entered macOS through the background service assertiond, which made a name for itself as a killer of processes and apps. Power assertions have been noted in the log and elsewhere for at least the last decade, and are mentioned in IOPMLib, part of IOKit. Since macOS Catalina, assertions have been at the centre of RunningBoard, which remains essentially undocumented.
Developer app
To get a better idea of how assertions are used, I launched Apple’s Developer app on a Mac mini M4 Pro running macOS 15.5, and followed log entries for a period of over 14 seconds from the start of the launch process. Although RunningBoard’s job description records this app’s platform as 6, typical of a Catalyst app, in other log entries it’s claimed not to be a Catalyst app.
At an arbitrary start time of 01.126 seconds, LaunchServices decided to launch this app initially through CoreServicesUIAgent, which 0.04 seconds later requested RunningBoard to execute the launch request. This eventually led to a connection being initialised to FrontBoard Scene Manager, where the app was registered as a new scene, and activated.
Example assertion
FrontBoard set the process visibility to Foreground: 01.593239 com.apple.FrontBoard [app<application.developer.apple.wwdc-Release.9312198.9312203~>:2946] Setting process visibility to: Foreground
RunningBoard then announced it was acquiring a new assertion, giving its descriptor and the PID of the target process 01.593248 com.apple.runningboard Acquiring assertion: <RBSAssertionDescriptor| "com.apple.frontboard.after-life.subordinate" ID:(null) target:2946>
01.593288 com.apple.runningboard PERF: Received request from [osservice<com.apple.uikitsystemapp(501)>:748] (euid 501, auid 501) (persona (null)): acquireAssertionWithDescriptor:error:
01.593289 runningboardd acquireAssertionWithDescriptor
A fuller description followed, including the RunningBoard ID, and the attributes of the assertion 01.593324 com.apple.runningboard Acquiring assertion targeting [app<application.developer.apple.wwdc-Release.9312198.9312203(501)>:2946] from originator [osservice<com.apple.uikitsystemapp(501)>:748] with description <RBSAssertionDescriptor| "com.apple.frontboard.after-life.subordinate" ID:424-748-2228 target:2946 attributes:[
<RBSDomainAttribute| domain:"com.apple.frontboard" name:"AfterLife-Subordinate" sourceEnvironment:"(null)">
]>
This assertion was made active, and RunningBoard stated how many assertions were currently targeting that process 01.593343 com.apple.runningboard Assertion 424-748-2228 (target:[app<application.developer.apple.wwdc-Release.9312198.9312203(501)>:2946]) will be created as active
01.593389 com.apple.runningboard app<application.developer.apple.wwdc-Release.9312198.9312203(501)> is now targeted by 11 assertions
That triggered a state update for the process 01.593400 runningboardd state update
In this case, RunningBoard couldn’t do anything, so left the process’s assertions as they were 01.593461 com.apple.runningboard _checkForSuspendableAssertionCycle for app<application.developer.apple.wwdc-Release.9312198.9312203(501)> bailing out since it's not holding a suspendable assertion
01.593466 com.apple.runningboard Removing 0 assertions
This did, though, alter the inheritance of existing assertions 01.593556 com.apple.runningboard Process: [app<application.developer.apple.wwdc-Release.9312198.9312203(501)>:2946] has changes in inheritances: {(
<RBSInheritance| environment:(none) name:com.apple.launchservices.userfacing origID:424-391-2215 0>,
<RBSInheritance| environment:(none) name:com.apple.launchservices.userfacing origID:424-391-2215 0>,
<RBSInheritance| environment:(none) name:com.apple.launchservices.userfacing origID:424-391-2214 0>,
<RBSInheritance| environment:(none) name:com.apple.frontboard.visibility origID:424-420-2216 0>
)}
This completed the acquisition of this assertion, and the process’s new state was calculated 01.593564 com.apple.runningboard Finished acquiring assertion 424-748-2228 (target:[app<application.developer.apple.wwdc-Release.9312198.9312203(501)>:2946])
01.593741 com.apple.runningboard Calculated state for app<application.developer.apple.wwdc-Release.9312198.9312203(501)>: running-active (role: UserInteractiveFocal) (endowments: <private>)
This was all accomplished in around 0.0005 seconds. FrontBoard then continued processing the app’s scene 01.593743 com.apple.FrontBoard Ingesting properties from UIApplicationSceneSettings...
RunningBoard assertion numbers are of the form 424-748-2228, where the second group 748 is the PID of the source of the assertion, and the third group 2228 is a sequential number.
Assertions recorded
Assertion 424-620-2211 for LaunchServices to launch the app. For this, RunningBoard created its job description with its process ID of 2946, assigned it memory limits, stated the process will be managed, and stated it was running-active with a role of UserInteractive.
Assertion 424-424-2212 RunningBoard Underlying Assertion. RunningBoard stated the process will be created as active, calculated its processStartTime, created a new RunningBoard Coalition with an ID of 4460, set its Jetsam priority to 0 (the lowest priority over memory use), and set its Darwin GPU to “deny”. Its state was given as running-interactive-NotVisible with a taskState of 4.
Assertion 424-391-2213 foregroundApp 2946. This changed its role to UserInteractiveNonFocal, and was repeated in assertion 424-391-2214.
Assertion 424-391-2215 frontmost 2946. RunningBoard changed it to running-active-NotVisible, with a Jetsam priority of 100 (extremely unlikely to be killed to free memory), and Darwin GPU to “allow”.
Assertion 424-391-2217 LaunchServices notification. It was changed to running-active with a role of UserInteractiveFocal, handshaking took place with the process, and the launch request was recorded. Slightly later, RunningBoard announced it had started “death monitoring” of the process, in case its launch request was denied and the process was killed.
Assertion 424-748-2218 FrontBoard Bootstrap Background. Following this, the process acquired its first power assertion ID 34241, outside of RunningBoard.
Assertion 424-655-2220 File Coordination Claim, the first of a series of five similar assertions. For each, RunningBoard recorded Prevent Task Suspend, Prevent Task Throttle Down. After the last it checked for a Suspendable Assertion Cycle, then removed several assertions held for the process.
Assertion 424-2946-2227 App Nap adapter assertion. RunningBoard then enabled and configured AppNap for the process, and set the AppNap state.
Assertion 424-748-2228 FrontBoard AfterLife-Subordinate. This is the assertion detailed above.
Assertion 424-748-2229 FrontBoard Visibility Workspace Foreground Focal. With this, RunningBoard set the process to running-active-Visible with taskState 4.
Assertion 424-420-2230 App Drawing. Following that, storekitagent was running as PID 2947, accompanying the Developer app.
Assertion 424-2946-2232 CFNetwork StorageDB.
Assertion 424-2946-2233 System Animation Fence.
Assertion 424-420-2234 App Visible. Following that, uikitsystemapp was drawing, presumably for the Developer app.
Assertion 424-420-2236 FuseBoard Process Window State Visible.
Assertion 424-2946-2238 system animation fence, which was repeated a total of five times.
Assertion 424-2946-2244 Shared Background Assertion 1, following which were two more assertions for system animation fence.
Assertion 424-655-2248 File coordination claim, repeated in Assertion 424-655-2250.
All these assertions were completed in 14 seconds.
Reading RunningBoard
As shown in the series of assertions recorded in the log for the Developer app, RunningBoard provides a detailed account of milestones through the launch and early running of this app, covering much other than its security and TCC activity.
This starts with a job description containing a great deal of useful information about the app, when it’s neither visible nor focal. At that stage it’s given a minimal Jetsam priority, putting it in the front line to be forcibly quit if memory was short, and it’s denied access to the GPU. As launch proceeds, its Jetsam priority is raised to 100 and it’s allowed GPU access. Its role is then changed to UserInteractiveFocal, its window management is handled by FrontBoard and it becomes visible, and able to undergo AppNap. Two supporting services are engaged, storekitagent to handle its data, and uikitsystemapp to draw its interface.
Once the novelty of RunningBoard had worn off, I had come to consider its incessant chatter in the log as a distraction. However, a log extract obtained with the subsystem set to com.apple.runningboard provides a detailed account of events during an app’s life cycle, without the nuisance of privacy censorship, or the app having to make its own log entries.
Key points for close reading of the log
Set a predicate for obtaining log entries for the com.apple.runningboard subsystem, and initially filter entries on Acquiring assertion in the Messages field.
Identify the Process ID of interest.
Track assertion descriptions, giving the reason for each assertion.
Note assertion IDs, and interpret them with the aid of the PID given in their second number field.
Follow assertions for linked processes through their PIDs.
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5305. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds a single new rule for MACOS.SOMA.JLEN, part of the Amos/Soma family of malware.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5305
Sequoia systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5305 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
I hope that you enjoyed Saturday’s Mac Riddles, episode 316. Here are my solutions to them.
1: From PageRank and 10^100 to a set of letters.
Click for a solution
Google
From PageRank (Google Search was founded on the patented PageRank algorithm for ranking search results) and 10^100 (its name is derived from the very large number googol, 10 to the power of 100) to a set of letters (in 2015 it restructured under the ownership of Alphabet Inc.).
2: A hooligan went from directory to search then declined into finance and news.
Click for a solution
Yahoo!
A hooligan (a yahoo) went from directory (it started as a curated web directory) to search (followed by a search engine) then declined into finance and news (what now remains).
3: After changing name three times, this directory has gone wavy.
Click for a solution
DMOZ
After changing name three times (originally GnuHoo, it then became NewHoo, almost ZURL, next Open Directory Project, before becoming DMOZ), this directory (it was a human-curated web directory) has gone wavy (DMOZ was superseded by Curlie in 2018).
This week’s security data updates were quite a surprise. We’ve grown accustomed to Apple tweaking XProtect’s data most weeks, but this week was a bit different, and came with an update to XProtect Remediator as well, the first in four months. This article explores what they have brought.
Although this security data all goes under the name of XProtect, there are three different protection systems involved.
The traditional XProtect contains a set of ‘Yara’ rules used when performing Gatekeeper scans of new executable code, most notably when a quarantined app is first run, although recent macOS also runs XProtect checks on other occasions. Those rules are used to determine whether the code being scanned is known to be malicious, and if it’s found to be positive, macOS refuses to run that code and you’re told to trash the app.
XProtect Remediator only runs in Catalina and later, where it performs daily background scans to detect and remove software it believes to be malicious. It currently contains 24 separate scanning modules, each designed to detect and ‘remediate’ a different family of malware. Some of its modules also use the detection rules in traditional XProtect, so are improved by regular XProtect data updates. Surprisingly, if XProtect Remediator detects and removes malware, you aren’t notified, although that is recorded in the log and reported as an Endpoint Security event that can be detected by some third-party security software.
Inside the XProtect Remediator app are two files used by the third XProtect, which detects potentially malicious activity such as tampering with parts of a browser’s files. This is therefore referred to as XProtect Behavioural, or by the name it gives to the detection rules it uses, Bastion. Unlike the other two XProtects, this doesn’t rely on performing static checks, but is watching constantly for malicious activity. Although it records that in its local database, at present it doesn’t inform the user, but reports the activity to Apple, to help it acquire intelligence to improve the battle against malware.
XProtect
XProtect version 5304, provided by Apple on 8 July, makes substantial changes to its Yara detection rules to add what appears to be a new family of malware, code-named Bonzai. New rules refer to five different forms, which are most likely to be different components in the same malware, or separate variants, named Bonanza, Barricade, Blaster, Bonder and Banana. It’s likely that independent security researchers will identify these in the coming days, but for the moment the public name of this malware isn’t known.
Looking through these new Yara rules, they look most likely to be for a ‘stealer’, a type of malware that’s currently prevalent, and steals your secrets to send them to a remote server. There are references to Chrome, Brave, Edge and Firefox extensions, and most interestingly some of the malware has been compiled from code written in the Go language, which is becoming popular in cross-platform malicious code.
The last times that Apple added detection rules as substantial as these were in XProtect version 5284 for Adload and Bundlore, and in 5269 for Dolittle, each being major threats.
Bastion
Until now, the behavioural rules used by Bastion have evolved steadily, and the most rules added in one release has only been two, when XProtect Remediator version 123 came with rules 8 and 9, and changes to rule 7, back in January 2023. This update brings four new rules:
Rule 14 detects sending AppleEvents to Safari, Firefox or Chrome.
Rule 15 detects sending AppleEvents to the Finder or Terminal.
Rule 16 detects Mach lookups for com.apple.pasteboard.1.
Rule 17 detects writing shell files hidden in ~/ or /etc, such as ~/.zlogin, or /etc/zlogin.
The first two may be intended to detect AppleScript being used to control those browsers, the Finder or to run scripts in Terminal. Rule 16 may also be related to Apple’s recent announcement on controlling access to the pasteboard in macOS 26. Rule 17 concerns settings files commonly used by command shells, readily seen if you reveal hidden files for your Home folder.
These may well be related to Bonzai, and enable Apple to get a better idea of what is going on out here in the wild, and focus its efforts in improving its detection.
XProtect Remediator
Once samples of malware have been obtained, developing and testing new Yara rules to detect it is relatively quick, and often uses AI to accelerate the process. Writing a new scanning module for XProtect Remediator is more complicated, and takes more time. It may well be that an additional Bonzai scanner is already on its way, and might be delivered in a further update in the next couple of weeks, perhaps with some fine-tuning of the new Bastion rules. I’ll be keeping a lookout for those.
Above all, it will be interesting to see what changes are made in third-party security software, and how well those tackle what appears to be novel malware for macOS.
As Macs are computers, when they become overloaded with demands on their resources, they can slow down to a crawl. When Apple was developing its first iPhone it realised that wouldn’t work with a phone, so built safeguarding systems into iOS to ensure their continuing smooth function. When Apple was preparing for the transition from Intel Macs to using its own chips, it decided to bring similar safeguards to the management of their resources. These arrived in macOS 10.15 Catalina with the introduction of RunningBoard.
Launching apps in macOS had become increasingly complex, and required more than just running the executable using launchd. For an app to have its GUI, the code it uses has to be wired up with parts of macOS that run the GUI such as WindowServer. When it’s launched, its window(s) have to be created and brought into focus, in front of other windows. It needs its preference file opened, to be added to the Recent Items list, and for a list of its recently opened documents to be made available to its Open Recent menu command. Those latter services have been provided by LaunchServices, and to enable them it maintains a database of exhaustive details about every app it knows.
Prior to Catalina, it was LaunchServices that coordinated many of these aspects of launching an app from the Finder. Since then it has been handing more over to RunningBoard, while retaining many of its functions. RunningBoard has come to monitor and manage the entire life cycle of apps, from launch to exit. For regular macOS apps, its life cycle management remains supervisory, but for some, including Catalyst apps and those built for iPadOS, RunningBoard can manage and control their allocation of resources such as memory and access to the GPU.
As one of the newer and more pervasive services in macOS, RunningBoard writes a lot of detail in the log, indeed it’s garrulous almost to the point of excess. Although Apple documents almost nothing about its background service runningboardd except stating that it’s “a daemon that manages process assertions to ensure those processes are kept in the appropriate state while assertions are in effect”, and its information about LaunchServices is terse and largely deprecated, we can learn a great deal from the log.
I’ll start this series of articles by explaining how RunningBoard first gets involved in launching an application. I have recently summarised its key stages in the following diagram.
Here, for the sake of simplicity, I’m going to ignore the security side completely, so we’ll assume this app isn’t quarantined, has been run recently in this session, is notarised, and hasn’t changed its CDHashes since it was last run.
As soon as LaunchServices is informed of the action to open the app, it announces it will be launched through RunningBoard, a change from its previous behaviour in Catalina, where LaunchServices did more of the work at the start of the launch process. RunningBoard receives the launch request from CoreServices, and ‘acquires’ an ‘assertion’ targeting the app, with a description to launch the app in a User Interactive role.
RunningBoard works using these assertions, a type of declaration of an intention or intended event. Its next major task is to create a job description, which it helpfully writes to the log as a dictionary. This is a mine of useful information, and has replaced the copious data compiled by LaunchServices in the past. This includes:
a dictionary of Mach services
whether Pressured Exit is enabled
a full listing of environment variables, such as TMPDIR, SHELL, PATH
RunningBoard properties including another TMPDIR
whether to materialise dataless files.
A full example is given in the Appendix at the end. If you ever want to obtain a similar summary for an app, just launch it and inspect log entries from the com.apple.runningboard subsystem for the first second or two after launch.
Shortly after that launchd announces that it will start (spawn) the app, and the user ID (UID) is obtained by OpenDirectory, confirming that ‘divined’ earlier by RunningBoard. This allows launchd to complete spawning the app, and RunningBoard to decide whether it will be managed, in terms of memory and other resources. RunningBoard goes through further preparations before declaring whether the process is subject to GPU, CPU or memory limits.
LaunchServices creates the ‘pending’ application, and a new LSApplication object for it. But it also expects the imminent death of the app, in two entries that might appear surprising: com.apple.launchservices DEATH: Expecting to hear about the death of app App:"AsmAttic" asn:0x0-5b05b pid:3083 refs=4 @ 0x55402ae00, adding to sRunningBoardDeathNotificationsSetRef (pid=3083}.
com.apple.launchservices DEATH: Listening for death via runningboard notification for pending application, pid=3083.
Its fears are unfounded, though, and RunningBoard continues to receive assertions as the launch proceeds. Eventually you should see log entries confirming success: com.apple.launchservices LAUNCH: Starting application with ASN 0x0-0x5b05b co.eclecticlight.AsmAttic because it was launched and still stopped.
com.apple.processmanager LAUNCH: 0x0-0x5b05b co.eclecticlight.AsmAttic starting stopped process.
com.apple.launchservices LAUNCH: Sending 0x0-0x5b05b 3083 co.eclecticlight.AsmAttic a SIGCONT to get process started ( it was launched in the stopped state )
This is the cue for launchd to ‘uncork’ the executable and create the process launchd pid/3083 [AsmAttic] uncorking exec source upfront
launchd pid/3083 [AsmAttic] created
After that, you should see log entries from the app at last, retrieving the UID and loading its preferences AsmAttic Retrieve User by ID
AsmAttic Loading Preferences From User CFPrefsD
Key points
RunningBoard monitors and may manage the life cycle of apps, from launch to exit, and does so by acquiring assertions about the app’s status.
RunningBoard now plays an active part in app launch, and fills the log with its entries.
Soon after the start of the launch process, its job description is a mine of useful information about the app being launched.
It’s normal for app launch entries to expect the app’s imminent death before it’s launched successfully.
Don’t be surprised or concerned to see RunningBoard mentioned in early crash reports.
Apple has just released updates to XProtect for all supported versions of macOS, bringing it to version 5304, and to XProtect Remediator for all macOS from Catalina onwards, to version 152. As usual, Apple doesn’t release information about what security issues these updates might add or change.
Yara definitions in this version of XProtect add two private rules for Shebang, to match shell scripts by ‘shebang’, and _golang_macho, to match machos compiled by Golang. There are also 19 new rules for a novel family of what appear to be stealers based on the name BONZAI, including MACOS.BONZAIBONANZA.AUTO, MACOS.BONZAIBONANZA.TAAP, MACOS.BONZAIBONANZA.TAFI, MACOS.BONZAIBONANZA.VACA, MACOS.BONZAIBONANZA.VASN, MACOS.BONZAIBONANZA.FU, MACOS.BONZAIBONANZA.SC, MACOS.BONZAIBARRICADE.PE, MACOS.BONZAIBARRICADE.PA, MACOS.BONZAIBARRICADE.KE, MACOS.BONZAIBLASTER.FU, MACOS.BONZAIBLASTER, MACOS.BONZAIBLASTER.TA, MACOS.BONZAIBONDER.SO, MACOS.BONZAIBONDER.PE, MACOS.BONZAIBONDER.TEPL, MACOS.BONZAIBONDER.LA, MACOS.BONZAIBONDER.FU, and MACOS.BONZAIBANANA.
XProtect Remediator doesn’t change the list of scanner modules.
There are changes to the list of Bastion rule 2 paths, and four new Bastion rules 14-17. These cover sending AppleEvents to browsers, the Finder and Terminal, mach-lookup for com.apple.pasteboard.1, and writing to a long list of shell-related hidden directories in the user’s Home folder.
These are probably the greatest changes to XProtect’s Yara rules and Bastion rules for more than a year.
You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-152 and XProtectPlistConfigData_10_15-5304.
Sequoia and Tahoe systems only
The XProtect update has already been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5304 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
又在网上看到了 18-19 款的 MacBook Pro 下半身,想着有 4K 显示器了可以高一个来玩玩,预计又要花费 1500 左右。
这么一折腾的话目前家里的台式主机花了 600 ,显示器 1400,笔记本 3600,准备更新的配置的台式机预计花费 700,苹果无头骑士 1500,这样算下来我就得到了一台性能将就的 PC 机,1.5 台 Mac 电脑,总计将会花费 8000。
眼看着购物车里的东西越来越多,回过头来我只是想有个能移动处理工作的笔记本和同时能把熊孩子平时的照片视频素材剪到一起的工具而已。更何况都还没有用现有的设备尝试能不能完成自己的需求,因为下载好的“剪映”软件图标下到现在都还有个小蓝点(还没打开过),淘宝买的共享 ID 下载的 FCPX 也同样没有打开过(还没用过就不算用盗版吧)。
I hope that you enjoyed Saturday’s Mac Riddles, episode 315. Here are my solutions to them.
1: It came with a tumbler from Camelot in 1993, then opened in 2008.
Click for a solution
PDF
It came with a tumbler (an acrobat) from Camelot (its original internal name) in 1993 (first released on 15 June 1993), then opened in 2008 (when it was adopted as an open ISO standard).
2: Replacement for 3 to avoid royalties with transparency has just turned three.
Click for a solution
PNG
Replacement for 3 (it was developed by Thomas Boutell and others to replace GIFs) to avoid royalties (those were imposed on GIFs because of their use of LZW compression) with transparency (it supports a transparency layer) has just turned three (its latest version 3.0 was released in June this year).
3: CompuServe animated its palette with 256 colours but we still can’t agree how to say it.
Click for a solution
GIF
CompuServe (released by CompuServe in 1987) animated (it supports animated images) its palette with 256 colours (it only supports palettes with 256 colours) but we still can’t agree how to say it (there has been a long-running dispute as to whether its ‘g’ is hard like ‘gift’ or soft like ‘gin’).
The common factor
Click for a solution
They were each intended to be portable, universal file formats.
From its first announcement of Apple silicon Macs on 22 June 2020, there has been speculation as to when support of Intel models will cease. Now Apple has given exceptionally clear details of its future intentions, and we have a clearer idea of what’s coming in macOS Tahoe, we can make plans at last. This article looks at the years ahead. In each case, major events are scheduled to occur with the annual transition of macOS to the next major version, normally in September-October.
2025
Final security update for macOS 13 Ventura, ending support for:
iMac 18,1-3
MacBook 10,1
MacBook Pro 14,1-3.
If you’re still running Ventura on a Mac capable of Sonoma or later, now is the time to plan the upgrade.
2026
Final security update for macOS 14 Sonoma, ending support for:
MacBook Air 8,1-2.
First release of an Arm-only version of macOS, 27. However, that and all its updates will continue to include full support for running Intel binaries using Rosetta 2 translation. macOS 27 will be the last major version that supports Rosetta 2 fully in Virtual Machines.
2027
Final security update for macOS 15 Sequoia, ending support for:
iMac 19,1-2
iMac Pro
Mac mini 8,1
MacBook Air 9,1
MacBook Pro 15,1-4 16,3.
First release of macOS 28, with full Rosetta 2 support removed. Limited Intel binary support will continue for “older unmaintained gaming titles” only. As a result, virtual machines running macOS 28 will no longer be able to run most Intel binaries.
2028
Final security update for macOS 26 Tahoe, ending support for all remaining Intel models:
iMac 20,1-2
Mac Pro 7,1
MacBook Pro 16,1-2 16,4.
T2 firmware updates are almost certain to cease with the end of support for macOS 26. Major third-party vendors are likely to stop providing Universal binaries, as they too drop support for macOS 26 and Intel models. Apple may decide to remove x86 support from Xcode 29, but hasn’t yet made any statement either way.
Benefits of upgrading macOS in Intel models
Although macOS Sequoia and Tahoe have brought some new features for Intel Macs, much of Apple’s emphasis now requires Arm systems. Major reasons for upgrading your Intel Mac to the most recent version of macOS it can run include:
Third-party support. Major software vendors like Microsoft normally only support their products on versions of macOS still supported by Apple.
Safari is only updated in supported versions of macOS.
Bug fixes. Although new versions bring their own bugs, the chances of an existing bug being fixed in the current release of macOS are far greater than it being fixed in an older version.
Security vulnerabilities. Only the current version of macOS gets a full set of fixes in each round of security updates, and the older two supported versions often lag the current one.
Enhancements. Some new features are still provided for both platforms.
Compatibility. If you already use Apple silicon Macs, or intend doing so, they are more compatible when running the same version of macOS. One topical example is Tahoe’s new ASIF disk image format.
Quantum-secure encryption. Apple has already started to transition to cryptographic techniques designed to remain secure as and when quantum computers are used in the future to break older methods. This started with iMessage last year, and Apple has announced that macOS 26 Tahoe will support quantum-secure encryption in TLS. This is unlikely to be added retrospectively to older versions of macOS.
I hope you find that helpful in your planning, and wish you success in whatever you choose.
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5303. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds two new rules, for MACOS_SOMA_JUEN and MACOS_SOMA_LLJU, continuing to extend its coverage of the Amos/Soma family of malware.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5303
Sequoia systems only
This update has just now been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5303 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
I hope that you enjoyed Saturday’s Mac Riddles, episode 314. Here are my solutions to them.
1: Expedition for a panther now in visionOS too.
Click for a solution
Safari
Expedition (a safari) for a panther (it was first bundled with Mac OS X Panther in 2003) now in visionOS too (it’s now bundled in visionOS).
2: Polished plate is now 1’s most serious competitor.
Click for a solution
Chrome
Polished plate (chrome) is now 1’s most serious competitor (on Apple’s platforms, it is Safari’s main competitor).
3: Web pet only lasted a year before the exploder.
Click for a solution
Cyberdog
Web (cyber) pet (dog) only lasted a year before the exploder (released in 1996, it was dropped the following year, for Microsoft Internet Explorer to become the bundled web browser in Mac OS X).
Although taken for granted now, Apple didn’t release the first version of Safari until January 2003. Before that was a succession of interesting experiments to try. Those started with Netscape Navigator in 1994, which lasted until 2007, although by then it was little used on Macs.
Netscape is seen here in 2000, following my successful purchase of downloadable versions of Conflict Catcher and Suitcase from Casady & Greene’s online store.
Two years later, and I’m browsing Amazon’s listing of my never-published book that was slated for 31 March the following year. I’m so glad I never pre-ordered it.
Netscape had been at the front of browser development, leading with on-the-fly page display, cookies and JavaScript. But in 1996, it was challenged by Microsoft’s Internet Explorer, and Apple’s more innovative Cyberdog. The latter was sadly abandoned the following year, leaving the way clear for Apple to replace the bundled Netscape with Internet Exploder, as it quickly became nicknamed.
This is Microsoft Internet Explorer in 2001, providing the front end to Mac OS X Server through Webmin.
Cookie settings in Explorer were highly detailed in 2005.
Many of us abandoned Internet Explorer for alternatives such as Camino. That had originated within Netscape as Chimera in 2002, based on its Gecko layout engine, with a native Mac OS X front end. The following year it was rebranded as Camino, and amazingly lasted until 2012.
There were other competitors, such as Omni Group’s OmniWeb, which had been developed for NeXTSTEP since 1995, then moved to Mac OS X until 2012.
This is OmniWeb in 2007, showing the different browsers it could identify itself as, including a single version of Safari 1.0.
In January 2003, Apple launched the first beta-release of its own browser, Safari, and bundled it in Mac OS X 10.3 Panther when it was released that October. Since then Safari has been a regular fixture in successive versions of Mac OS X, OS X, and macOS. For several years, it was the only browser on iOS and iPadOS.
This is Safari 1 showing the front page for Apple’s developer site in 2004, complete with the offer to download Xcode version 1.5 with dead code stripping as a new feature. That year, Mozilla Firefox was released as an alternative, and has continued to support Macs ever since.
Mac OS X 10.4 Tiger came with Safari as the only bundled browser when it was released in April 2005, although it took Safari 2.0.4 in early 2006 before it was stable.
Page loading was slow in 2005, when Apple’s front page took a total of over 16 seconds to load fully, but that only used 6.8 MB of memory. By contrast, today Apple’s front page only takes a couple of seconds but requires over 200 MB.
There were times when the only way ahead with these early versions of Safari was to completely reset it, emptying its cache, and even removing all passwords and AutoFill text. This is Safari 2 in 2006.
Prominent among the plugins in 2006 was the dreaded Shockwave Flash, which had only recently been taken over by Adobe when it acquired Macromedia the previous year. Details of plugins are here being displayed on an internal web page within Safari 2.
Safari 3, bundled in Mac OS X 10.5 Leopard in October 2007, brought the claim that it was then the fastest browser, but it was troubled by bugs and security problems at first.
Safari 3 had already grown extensive preferences, covering the use of plugins, Java, JavaScript and cookies, seen here in 2007.
Its successor, Safari 4, followed in the summer of 2009, ready for Mac OS X 10.6 Snow Leopard, with further performance improvements, particularly in its JavaScript engine.
By 2009, Safari 4 was able to warn the user if it was about to visit a site blacklisted by the Google Safe Browsing Service. At least when that service was available. That year also saw Preview and Beta releases of Google Chrome, now Safari’s most serious competitor on Apple’s hardware.
Safari 5 was released a year later, in 2010, and was bundled in Mac OS X 10.7 Lion in 2011. This brought Reader mode and opened the door to third-party extensions.
Safari’s hidden Debug menu provided a collection of tools for web developers, and more recently has become the even more extensive Develop menu.
By the release of macOS 10.12 Sierra in 2016, Safari had reached version 10.
By 2016, close control over Adobe Flash Player had become critical, as a result of its frequent exploits, although it remained highly popular with content developers before Adobe finally killed it at the end of 2020.
Since 2021, with the release of macOS 12 Monterey, Safari 15 and its successors have been able to perform on-the-fly translation, as demonstrated here.
Safari is now the bundled browser in macOS, iOS, iPadOS and visionOS, and this year is set to leap in version number from 18 to 26 with the arrival of Tahoe and its sister OSes. It has been a long and sometimes troubled journey over those 22 years, and despite strong competition from Google Chrome and Chromium-based browsers, it remains the browser of first choice for a great many using Apple’s hardware products. I hope my screenshots have brought back more happy memories than traumatic moments.
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5302. As usual, Apple doesn’t release information about what security issues this update might add or change.
This version adds a new rule for MACOS_SOMA_FA_LE, again extending coverage of the Amos/Soma family of malware.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5302
Sequoia systems only
This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command sudo xprotect check
then enter your admin password. If that returns version 5302 but your Mac still reports an older version is installed, you may be able to force the update using sudo xprotect update
I hope that you enjoyed Saturday’s Mac Riddles, episode 313. Here are my solutions to them.
1: Light and lenses control a car inside Macs until 2013.
Click for a solution
Optical drive
Light and lenses (optical) control a car (to drive) inside Macs until 2013 (they were fitted internally in Macs until 2013 models, with the last being in the MacBook Pro 13-inch mid-2012 that wasn’t discontinued until 2016).
2: Splendid campaign originally for airs until last August.
Click for a solution
SuperDrive
Splendid (super) campaign (drive) originally for airs (this external optical drive was first intended for MacBook Airs) until last August (they were discontinued in August 2024).
3: Cupertino’s Roman 400 in South Carolina was the first in 1988.
Click for a solution
AppleCD SC
Cupertino’s (Apple) Roman 400 (in Roman numerals, CD) in South Carolina (abbreviated to SC) was the first in 1988 (it was Apple’s first tray-loading CD-ROM reader, available between 1988-91).
The common factor
Click for a solution
They’re all optical drives that have been sold by Apple.
Login
