About the security content of macOS Monterey 12.2

I think you prevent these "corrupt file corrupts important memory" bugs in two ways: 1) use a memory safe language 2) write fuzz tests just like you'd write unit tests.

1 is becoming extremely viable, infrastructure for 2 is starting to be included with modern programming languages and so will soon become the norm.

Which is exactly why we need to use safe languages. People can't even prevent vulnerabilities in the code they are scrutinizing, much less the other 90% they aren't.

(Beating a dead horse, I know, and not blaming the devs because this utility has been around forever, but regardless)

Since you pick on that example, yes I am unsurprised about an exploit in ColorSync. The bugs in ColorSync in combination with Photoshop are legend: for example, there was a "black crush" bug doing the rounds of photo blogs and forums which persisted for months. More recently, it was not possible to disable ColorSync when printing, which made it impossible to calibrate printers (that is, measure the printed result with a spectrophotometer in order to derive new ColorSync tables). And furthermore, I don't think it is actually the first colour profile exploit I've heard of, although I forget whether it was Apple's or someone else's.

However much of a team they have on ColorSync, it needs to be bigger. If they don't have code fixes to make, there's plenty of other things for them to get on with. I didn't think much of the API documentation, and multiple people who seemed credible to me claimed there wasn't enough detail for the kind of implementation Adobe and others need, as several calls have been deprecated. And, since Apple no longer offer their own competing product it would make sense to assist Adobe in getting it reliably right.

More than that, the calibration software for monitors is third party and, at least for the photo monitor I have... could be better. These monitors use onboard hardware LUTs instead of doing it in the GPU, so the software is hardware-specific. Fortunately, there are only a couple of brands who offer these high-end monitors, maybe 3 if you count LG, so there isn't all that much hardware to support. It's another case where the overall experience could be improved for a segment of Apple's customers if they put the effort in. There may even be money to be made.

ColorSync shouldn't have been an "old" component, if Apple had kept their eyes on what their users needed. Instead they went and changed Music again, which has apparently not pleased its users. It's a company whose management seems obsessed with a fairly narrow range of applications like home automation and instant messaging, the kinds of things shown in 1970s TV programs about the "future". If they widened their horizons more they would end up cycling through more of the many components of macOS more often, so things got timely refreshes.

Would it not be possible to detect these kind of errors using machine learning now? To go through the code base and find unsafe operations?

There must be enough security bug fixes out there on GitHub that certain classes of security error become easily detectable.

Big Sur is the latest supported version on some Retina MacBook Pros, so it's not such a bad idea for Apple to still provide updates for critical issues

Exploited even whilst attempting to report an exploit.

Poetry indeed.

I noticed it last week. I finally have the time today to upgrade my macbook pro 2015 to Monterey. Hoping things go smooth.

Does everything still work that used to work on Mojave? Any changes in bugginess?

I'm 99% sure it's the AMD graphics driver, yes. I did see someone link the "amd-osx.com" website, but it seems unlikely that Apple would be issuing security fixes for that.

Some shops call x86-64 “amd64” because AMD originated it. Not sure if Apple is one.

This was long requested from the security community, so hopefully they keep it up going forward! This would probably go a long way in terms of rebuilding their developer trust.

Is this new? I feel like I’ve been seeing these for a while.

I feel like this is a big deal.

Applications have to ask permissions for Desktop, Documents, Downloads, etc.

You're given this warning when you fire up the interpreter (at least in Monterey):

> WARNING: Python 2.7 is not recommended. This version is included in macOS for compatibility with legacy software. Future versions of macOS will not include Python 2.7. Instead, it is recommended that you transition to using 'python3' from within Terminal.

I'm impressed they ship with python.

2020 M1 air here and airpods pro are waking my machine as soon as it goes to sleep. Some general bluetooth bugginess around I think.

This issue was killing my battery, but I don't use bluetooth on this laptop at all, so going to Settings > Bluetooth and turning it off completely fixed the issue for me. Haven't seen a bluetoothd process in ~2 weeks now.

I don’t think they will fix it, isn’t it searching for and proxy ink for AirTags?

Hard to tell; the security updates for Big Sur and Catalina that came out today in tandem with this Monterrey release do not mention it.

Apple security updates: https://support.apple.com/en-us/HT201222

Seriously… half of these are memory management bugs

Thank god Apple uses swift for new code.