Apple neglects to patch multiple critical vulnerabilities in macOS

Status
Not open for further replies.
Joined
Apr 24, 2019
Messages
9
Reaction score
0
Points
1

Raz0rEdge

Well-known member
Staff member
Moderator
Joined
Jul 17, 2009
Messages
15,771
Reaction score
2,111
Points
113
Location
MA
Your Mac's Specs
2022 Mac Studio M1 Max, 2023 M2 MBA
These issues do not make macOS insecure. This issue primarily affects the use of Curl which is a command line tool and you have to willingly open up a URL to a site that is bad. Which you aren't going to do.

Be sure to learn about what you are reading before making statements like these..
 

IWT


Joined
Jan 23, 2009
Messages
10,288
Reaction score
2,230
Points
113
Location
Born Scotland. Worked all over UK. Live in Wales
Your Mac's Specs
M2 Max Studio Extra, 32GB memory, 4TB, Sonoma 14.4.1 Apple 5K Retina Studio Monitor
Joined
Feb 1, 2011
Messages
4,434
Reaction score
2,151
Points
113
Location
Sacramento, California
Apple neglects to patch multiple critical vulnerabilities in macOS - The Mac Security Blog
...

As much money as Apple makes you'd think they would get off their asses and keep mac os secure!!!

The press likes to generate clicks by scaring people with reports of "potential vulnerabilities." "Security experts" especially like to do this, because they are trained to see security threats around every corner.

Articles about a “potential vulnerability” are of no concern whatsoever to end users until and unless someone creates a viable “exploit” to take advantage of it. The fact that a potential vulnerability exists does not at all mean that someone will create a viable exploit. The vulnerability may be too hard to create an exploit for, it may be too expensive to create an exploit for (complex exploits may take months, and millions of dollars, to create), it may be too hard to effectively utilize an exploit for this vulnerability (most security threats these days are used to make money) even if one were to be created, it may take too long to create an exploit for this potential vulnerability before it is likely to be patched, or obsoleted.

Every single computer that exists has a huge number of potential vulnerabilities. The developers of those computers maintain a literal list of those vulnerabilities for each computer. The potential vulnerabilities on that list are arranged from most likely to be exploited (and likely virulence) to least. Then the developer goes down the list and addresses things in order of priority. If Apple deems a particular potential vulnerability to be a big deal, it will be addressed, as quickly as they determine is necessary. They may even simply ignore a particular vulnerability, after surmising that the potential vulnerability isn’t likely to ever be exploited.

In short, talk of any potential vulnerabilities in the Mac OS is nothing more than academic to an end user, and no end user should be concerning themselves with it. Until and unless someone creates a viable exploit for it, there is nothing to worry about.
 
OP
J
Joined
Apr 24, 2019
Messages
9
Reaction score
0
Points
1
These issues do not make macOS insecure. This issue primarily affects the use of Curl which is a command line tool and you have to willingly open up a URL to a site that is bad. Which you aren't going to do.

Be sure to learn about what you are reading before making statements like these..
Apple should be fixing any and all vulnerabilities if they are aware of them. If you want to make excuses for them, that's up to you. I stand by what I said!
 

IWT


Joined
Jan 23, 2009
Messages
10,288
Reaction score
2,230
Points
113
Location
Born Scotland. Worked all over UK. Live in Wales
Your Mac's Specs
M2 Max Studio Extra, 32GB memory, 4TB, Sonoma 14.4.1 Apple 5K Retina Studio Monitor
I stand by what I said!

I'm sorry to hear that; but we respect all opinions here.

The members above have tried to allay your fears and have, in a respectful way, replied to your concerns. It's difficult to know what else we can do.

Ian
 
OP
J
Joined
Apr 24, 2019
Messages
9
Reaction score
0
Points
1
I'm sorry to hear that; but we respect all opinions here.

The members above have tried to allay your fears and have, in a respectful way, replied to your concerns. It's difficult to know what else we can do.

Ian
First of all I don't have a fear of computer vulnerabilities, I just think Apple should do their job. They certainly can afford it and they certainly have enough people working for them. Secondly, I'm not asking you to DO ANYTHING. I just think more people should be aware that Apple is letting vulnerabilities slide until they get around to fixing them. Maybe instead of working on these questionable updates they come out with, they should concentrate on making their products more reliable and bulletproof.
 

Slydude

Well-known member
Staff member
Moderator
Joined
Nov 15, 2009
Messages
17,614
Reaction score
1,079
Points
113
Location
North Louisiana, USA
Your Mac's Specs
M1 MacMini 16 GB - Ventura, iPhone 14 Pro Max, 2015 iMac 16 GB Monterey
I can see the basis for the approach that you're proposing. I can almost guarantee you that if they take this approach there will be an equal number of people suggesting that Apple is being bypassed by Android or whatever the flavor of the day happens to be.

After decades of using various Apple products and OS versions, DOS, Windows, and a few others the names of which I only vaguely remember, I think human exploits are the bigger danger to most users. I'm not downplaying the process of finding vulnerabilities, but I think most users are most likely to be affected by human exploits that trick users into giving away information.
 
Joined
May 21, 2012
Messages
10,745
Reaction score
1,193
Points
113
Location
Rhode Island
Your Mac's Specs
M1 Mac Studio, 11" iPad Pro 3rd Gen, iPhone 13 Pro Max, Watch Series 7, AirPods Pro
Do you use curl? Do you know you can update curl yourself? Since curl released newer versions that fixed those vulnerabilities, I don't see why you want Apple to patch the version they include with their OS.
 
Joined
Feb 1, 2011
Messages
4,434
Reaction score
2,151
Points
113
Location
Sacramento, California
First of all I don't have a fear of computer vulnerabilities, I just think Apple should do their job. They certainly can afford it and they certainly have enough people working for them. ... I just think more people should be aware that Apple is letting vulnerabilities slide until they get around to fixing them.

You clearly don't understand how incredibly complex a computer operating system is. Apple could conceivably patch all potential vulnerabilities in any particular version of the Mac OS. But that would likely take YEARS, and hundreds of millions of dollars. (As I said, any and every given OS has a long list of potential vulnerabilities, not just a few. This would require a ton of programming that would have to be re-written, tested, etc. That programming can't be done overnight, and programmers don't work for free.)

Logistically speaking, that would mean that Apple would probably have to curtail their advancement of the Mac OS. (Because as soon as you offer a new upgraded OS, the list of potential vulnerabilities would become long again.) That would mean that other platforms would whiz right by in how much more advanced they were, and leave Apple in the dust.

And for what? Spending the time and money to patch all potential vulnerabilities probably wouldn't make the OS more secure for end users. As I outlined previously, Apple, like any and all other OS developers, triages potential vulnerabilities and works to patch them as necessary to make sure that none of them ever make it to being viable exploits. It is only the exploits that affect end users. If Apple wasted all of its resources patching all potential vulnerabilities, they would be wasting a huge amount of time and money without preventing possibly even a single exploit from appearing in the wild.

It's sort of like insisting that internal combustion engine car manufacturers engineer their cars so that they were so reliable that they never required routine maintenance, and never wore out or required repairs. The car manufacturers COULD do that! But the resulting cars would be wildly expensive, huge and hugely overweight, they would perform very poorly because of all the added heft they would have to drag around. These cars would also be obscenely expensive because of all that would have to go into them to make them so reliable (expensive materials that never wore out, over-engineered components, etc.). No one would purchase such a car. Designing such a car would be a disaster for any car manufacturer. Just as it would be a disaster for Apple to chase down all potential vulnerabilities and patch them.
 
OP
J
Joined
Apr 24, 2019
Messages
9
Reaction score
0
Points
1
What about the memory leak in Finder. The update that came out today just adds a few features which I could care less about. Fix the **** outstanding issues and stop making excuses.
 
Joined
Feb 1, 2011
Messages
4,434
Reaction score
2,151
Points
113
Location
Sacramento, California
What about the memory leak in Finder. The update that came out today just adds a few features which I could care less about. Fix the **** outstanding issues and stop making excuses.

I've heard anecdotally that there was a "memory leak in the Finder", but I haven't seen or heard anything concrete about there being one from any authoritative sources, nor have I seen any evidence of one first hand. No one here on this discussion forum of over a quarter million users is complaining of having problems due to a memory leak in the Finder. I have my doubts that there is actually such a leak that "needs to be fixed."

Over the past couple of decades there have often been random folks who have complained about memory leaks. It's almost always just been BS. Folks don't really understand how a modern computer manages RAM. In the Macintosh it is actually quite advanced:

Memory Compression on the Mac Can Improve Performance

OS X 10.9 Mavericks: The Ars Technica Review

The bottom line is that I think that Apple knows what they are doing, and that they are doing all the things that need to be done as best as they can. I've even seen some behind-the-scenes examples of Apple really going above and beyond the call.

If you don't trust Apple, I recommend that you switch to some other computing platform. You really should have a computer that you feel that the company behind it really supports it. Since you have a choice of computer platforms, there is no reason for you to stick with Apple and be constantly complaining. Please let us know how much happier you are with your new choice. I'm sure that your new choice will be perennially bug free, have no malware, and provide the perfect computing experience.
 
Joined
Jan 1, 2009
Messages
15,510
Reaction score
3,874
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
I've heard anecdotally that there was a "memory leak in the Finder", but I haven't seen or heard anything concrete about there being one from any authoritative sources, nor have I seen any evidence of one first hand. No one here on this discussion forum of over a quarter million users is complaining of having problems due to a memory leak in the Finder. I have my doubts that there is actually such a leak that "needs to be fixed."
It is real and it is fairly easy to demonstrate. Open Activity Monitor and select the Memory tab, then find in the list "Finder" and click it once to highlight it just so it's easy to find. Note the memory consumed.

Now open Finder and navigate to a folder, preferably one with lots of image files (jpeg, whatever). Now change the View in Finder to Icons and use the slider to make the icons as large as possible. Note the memory used by Finder. Now scroll through that directory and in a few scrolls Finder will hugely increase memory consumed. Now shrink the images back to small, note that the memory is NOT released by Finder. Finally, select List and again, Finder won't release memory. The "fix" to get that memory back is to open Terminal and issue "killall Finder" to force a Finder reset, at which time the memory use will revert to a low number.

That's one leak, there is a second, but it's more subtle.

All that said, it's not really fatal, just an annoyance for those who use images a lot.
 

Raz0rEdge

Well-known member
Staff member
Moderator
Joined
Jul 17, 2009
Messages
15,771
Reaction score
2,111
Points
113
Location
MA
Your Mac's Specs
2022 Mac Studio M1 Max, 2023 M2 MBA
I went through this process and Finder's memory usage grew, but after a bit of time, it also began to decrease as well. A memory leak, by definition, is when the memory usage goes up continually with every action without ever reducing back to a manageable amount.

In this case, it looks like Finder is taking up memory to perform the action, but it might either not be freeing it immediately or doing so in a lazy way since cleaning up is an expensive process.

So technically, I wouldn't classify this as a memory leak.
 
Joined
Jan 1, 2009
Messages
15,510
Reaction score
3,874
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
OK, I know I have little credibility here, so, here, read it for yourself. It started in Monterey:


If you want more, I have them. But enter "Finder memory leak mac" into any search engine and you'll find the longer list from places like Apple.com, Techarp.com, macrumors.com, and reddit. In fact reddit has two threads on it, at least.

As for how it manifests, if an app works properly, it should release memory when no longer needed. At first launch, Finder on my system takes about 80MB. If I scroll through my pictures folder, as I described, it grows. The maximum I have seen myself is just about 1GB, although larger numbers have been reported. And when I change to a different Finder view, it does NOT go back down to the 80MB, although it may subside a bit. I waited over an hour in one test and it did not release the memory and go back to 80-90MB, but it did give back a little (5-10MB, as I recall, it was a while ago). I guess technically one could say that it's not a leak because it gave some back, but the bottom line is if you use Finder in icon mode with images, it takes memory and doesn't release it all. For me, that's a leak and a bug.
 

Raz0rEdge

Well-known member
Staff member
Moderator
Joined
Jul 17, 2009
Messages
15,771
Reaction score
2,111
Points
113
Location
MA
Your Mac's Specs
2022 Mac Studio M1 Max, 2023 M2 MBA
Memory management/tracking/debugging is a very hard thing since apps are single function. So while you are indeed doing one action to trigger things, there are other things happening as well.

If an application performed one and one action only, then yes, any memory allocated to perform that function should reduce once it's freed and the function is not being performed.

Finder, on the other hand, is a key component of macOS that runs many many things.

Anyway, the nuances of memory management are too technical to get into here, but having spent a couple of decades dealing with it, it's a pain in the tuckus!
 
Joined
Jan 1, 2009
Messages
15,510
Reaction score
3,874
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Memory management/tracking/debugging is a very hard thing since apps are single function. So while you are indeed doing one action to trigger things, there are other things happening as well.

If an application performed one and one action only, then yes, any memory allocated to perform that function should reduce once it's freed and the function is not being performed.

Finder, on the other hand, is a key component of macOS that runs many many things.

Anyway, the nuances of memory management are too technical to get into here, but having spent a couple of decades dealing with it, it's a pain in the tuckus!
I could accept it if Finder grew from 90MB to 1 GB and then came back down to 90-100MB, but it doesn't. It stays in the 1GB area, once it gets there. You have to force a restart to recover that 900 MB or more.

The thing is that finding memory leaks is not that difficult in today's development environment. There are tools that can do that for the programmer so that they don't have to sort through thousands of lines of code. The frustrating thing about this one is that they haven't fixed it since Monterey, and now they have added another leak, so there are now two. If Finder is a "key component" one would think Apple would pay more attention to it, eh?
 
Joined
Jan 1, 2009
Messages
15,510
Reaction score
3,874
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
For those who want more information:

I decided to do a quick test. Opened Finder, went to my pictures folder, chose icon view and changed the magnification to max and scrolled to the bottom of the images in the folder. In Activity Monitor, Finder went from 88MB to 1.71GB. Took a screenshot at max:

Screenshot 2023-12-12 at 12.34.02 PM.jpg

Changed Finder view to List, and Finder memory was unchanged:
Screenshot 2023-12-12 at 12.35.05 PM.jpg
Waited 15 minutes to see if Finder was just slow at releasing memory, but nothing much changed in that time. It did change from 1.71GB to 1.70GB:
Screenshot 2023-12-12 at 12.51.08 PM.jpg

Thought maybe having Finder still with a window open was holding it up, so I closed all Finder windows:
Screenshot 2023-12-12 at 12.52.54 PM.jpg
Surprised it went back up to 1.71GB
Thought maybe it would release memory if a greater memory demand was put on the system, so I opened Affinity Photo 2 and opened a file to edit it. You can see Affinity shows up here, right below the unchanged Finder listing:
Screenshot 2023-12-12 at 12.55.36 PM.jpg
Closed Affinity, opened Terminal, issued killall Finder and then opened Finder to the same pictures folder in List mode:
Screenshot 2023-12-12 at 12.57.59 PM.jpg
Back to under 75MB. Recovered 1.7GB+ of memory.

As I have said, it's not super-critical, but it's there. I don't use icon view for Finder because of the leak. And I might suggest that if you are having the same issue, don't use icon view until Apple fixes it.

The other memory leak is in the Search function. Basically, if you open Finder and start to type in the Search box, Finder initiates an immediate search on the first letter, then a new search on the two letters when you have typed in two, then a new search on the first three letters, etc. But it doesn't release the memory from any previous search as it starts a new one. In an attempt to be super-responsive to searches, instead of waiting for a carriage return to start searching, Finder starts as soon as it has a character and then again as each additional character is entered. And none of the memory is released when the search is underway, restarted, or completed.

Again, not fatal, just super annoying. I reboot every day just to clear Finder junk. And I keep an eye on it with an Activity Monitor window on my second display all the time. If Finder runs away, I do a quick killall to get the space back.
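
The disagreement in this thread (memory that is held after use versus memory that is eventually given back) can be put into numbers from Terminal. The script below is an added example, not part of any post: the function names, the file name and the 90%/25% cut-offs are assumptions, and the figures in the usage comment are the 88MB / 1.71GB / 1.70GB readings from the post above converted to KiB.

```shell
#!/bin/sh
# Added example (not from the thread): sample a process's resident memory
# before, during and after a workload, then report how much of the growth
# is still held. Function names and the 90%/25% cut-offs are assumptions.

# Resident set size in KiB of the first process named exactly $1.
# Note: ps reports RSS, which can differ from Activity Monitor's Memory column.
rss_kb() {
    pid=$(pgrep -x "$1" | head -n 1)
    [ -n "$pid" ] || return 1
    ps -o rss= -p "$pid" | tr -d ' '
}

# retained_pct BASELINE PEAK SETTLED  (all in KiB)
# Percentage of the growth above baseline that is still held after idling.
# Example: retained_pct 90112 1793064 1782579   (88MB, 1.71GB, 1.70GB)
retained_pct() {
    growth=$(( $2 - $1 ))
    held=$(( $3 - $1 ))
    if [ "$growth" -le 0 ] || [ "$held" -le 0 ]; then
        echo 0
        return 0
    fi
    echo $(( held * 100 / growth ))
}

# verdict BASELINE PEAK SETTLED: label the result using the assumed cut-offs.
verdict() {
    pct=$(retained_pct "$1" "$2" "$3")
    if [ "$pct" -ge 90 ]; then
        echo "retained"
    elif [ "$pct" -ge 25 ]; then
        echo "partially-released"
    else
        echo "released"
    fi
}

# measure NAME ACTIVE_SECONDS IDLE_SECONDS
# Records the baseline, tracks the peak while you use the app, then waits.
measure() {
    name=${1:-Finder}; active=${2:-60}; idle=${3:-900}
    baseline=$(rss_kb "$name") || { echo "$name is not running" >&2; return 1; }
    echo "baseline: $baseline KiB. Use $name for ${active}s now."
    peak=$baseline
    end=$(( $(date +%s) + active ))
    while [ "$(date +%s)" -lt "$end" ]; do
        now=$(rss_kb "$name") || now=$peak
        [ "$now" -gt "$peak" ] && peak=$now
        sleep 2
    done
    echo "peak: $peak KiB. Leave $name idle for ${idle}s."
    sleep "$idle"
    settled=$(rss_kb "$name") || return 1
    echo "settled: $settled KiB, $(retained_pct "$baseline" "$peak" "$settled")% of growth held: $(verdict "$baseline" "$peak" "$settled")"
}

# Run only when asked, e.g.: sh finder_rss.sh run Finder 60 900
# (finder_rss.sh is a placeholder file name)
if [ "${1:-}" = "run" ]; then
    shift
    measure "$@"
fi
```

Running the measurement over several workload cycles and comparing successive peaks separates a cache that plateaus from growth that continues with every cycle.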
 
Joined
Feb 1, 2011
Messages
4,434
Reaction score
2,151
Points
113
Location
Sacramento, California
....note that the memory is NOT released by Finder. Finally, select List and again, Finder won't release memory. The "fix" to get that memory back is to open Terminal and issue "killall Finder" to force a Finder reset, at which time the memory use will revert to a low number.

I don't consider that a leak. I'd consider it a leak if Finder never gave that memory back when something else needed to use it. If memory filled up, and then when there was a demand for memory, and the Mac gave an "out of memory" error and couldn't proceed, I'd consider that a leak.

SSDs do exactly as you describe too. You trash something on your drive, and the registers aren't instantly erased. They are only marked as "available." If you have TRIM enabled, when there is a quiet period TRIM will go and do garbage collection on those registers. If you don't have TRIM enabled, the data will stay put until you go to write something else, and then they will be erased.

The bottom line is that no one except for techie curmudgeons (maybe only one; Hoakley) are complaining. Users aren't being inconvenienced. In fact, most of the reviewers have been saying that Apple Silicon is supremely light on RAM use:

Opinion: Is the base MacBook Air M1/8GB powerful enough for you?
https://9to5mac.com/2020/11/18/opinion-is-the-base-macbook-air-m1-8gb-powerful-enough-for-you/

8GB vs 16GB M1 MacBook Pro - How much RAM do you NEED?!
https://www.youtube.com/watch?v=PP1_4wek4nI
 