itwbennett writes: In September, more than 4,000 applications were found to have been modified with a counterfeit version of Xcode, dubbed XcodeGhost. On Tuesday, FireEye said in a blog post that it has detected 210 enterprises that are still using infected apps, showing that the XcodeGhost malware 'is a persistent security risk.' In addition, whomever created XcodeGhost has also developed a new version that can target iOS 9, called XcodeGhost S, FireEye wrote.

Nerval's Lobster writes: When Apple rolled out Swift last summer, it expected its new programming language to eventually replace Objective-C, which developers have used for years to build iOS and Mac OS X apps. Thanks to Apple's huge developer ecosystem (and equally massive footprint in the world of consumer devices), Swift quickly became one of the most buzzed-about programming languages, as cited by sites such as Stack Overflow. And now, according to new data from TIOBE Software, which keeps a regularly updated index of popular programming languages, Swift might be seriously cannibalizing Objective-C. On TIOBE's latest index, Objective-C is ranked fourteenth among programming languages, a considerable drop from its third-place spot in October 2014. Swift managed to climb from nineteenth to fifteenth during the same period. "Soon after Apple announced to switch from Objective-C to Swift, Objective-C went into free fall," read TIOBE's text accompanying the data. "This month Objective-C dropped out of the TIOBE index top 10." How soon until Swift eclipses Objective-C entirely?

msm1267 writes: Mac OS X's Gatekeeper security service is supposed to protect Apple computers from executing code that's not signed by Apple or downloaded from its App Store. A researcher, however, has built an exploit that uses a signed binary to execute malicious code. Patrick Wardle, a longtime Apple hacker, said Gatekeeper performs only an initial check on an application to determine whether it came from an untrusted source and should not be executed. Using a signed binary that passes the initial check and then loads a malicious library or app from the same or relative directory, however, will get an advanced attacker onto an OS X machine. Wardle disclosed his research and proof of concept to Apple, which said it is working on a patch, and may push out a short-term mitigation in the meantime.

Trailrunner7 writes: There is a major vulnerability in a library in iOS and OS X that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog. Mark Dowd, the security researcher who discovered it, said he's been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices. If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device. In fact, an attacker can exploit the vulnerability even if the victim doesn't agree to accept the file sent over AirDrop.

Mark Wilson writes: Two security researchers have discovered a serious vulnerability in OS X that could allow an attacker to steal passwords and other credentials in an almost invisible way. Antoine Vincent Jebara and Raja Rahbani — two of the team behind the myki identity management security software — found that a series of terminal commands can be used to extract a range of stored credentials. What is particularly worrying about the vulnerability is that it requires virtually no interaction from the victim; simulated mouse clicks can be used to click on hidden buttons to grant permission to access the keychain. Apple has been informed of the issue, but a fix is yet to be issued. The attack, known as brokenchain, is disturbingly easy to execute. Ars reports that this weakness has been exploited for four years.

There are a lot of open source operating systems out there; being open source, they lend themselves to forks, clones or near clones, and friendly offshoots. There are even services to let you customize, download, and (if you choose) bulk-install your own OS based on common components. Phoronix notes a new project called NeXTBSD that might turn more heads than most new open source OSes, in part because of the developers behind it, and in part because of the positive thoughts many people have toward the aesthetics of NeXTSTEP and Mac OS X. (And while it might be a fork of FreeBSD, the developers would rather call it a spork, instead.) NeXTBSD was announced last week by Jordan Hubbard and Kip Macy at the Bay Area FreeBSD Users Group (BAFUG). NeXTBSD / FreeBSD X is based on the FreeBSD-CURRENT kernel while adding in Mach IPC, Libdispatch, notifyd, asld, launchd, and other components derived from Apple's open-source code for OS X. The basic launchd/notifyd/asld/libdispatch stack atop their "fork" of FreeBSD is working along with other basic components of their new design. You can watch a recording of the announcement as well as a longer introduction linked from Phoronix's story.

An anonymous reader writes: A new flaw has been discovered in the latest version of OS X which allows hackers to install malware and adware onto a Mac without the need for any system passwords, researchers say. The serious zero-day vulnerability was first identified last week and results from a modified error-logging feature in OS X Yosemite which hackers are able to exploit to create files with root privileges. The flaw is currently found in the 'fully patched' OS X 10.10.4, but is not in the newest 10.11 El Capitan beta – suggesting that Apple developers were aware of the issue and are testing a fix.

vivaoporto writes: The Register reports a root-level privilege-escalation exploit that allows one to gain administrator-level privileges on an OS X Yosemite Mac using code so small that fits in a tweet. The security bug, documented by iOS and OS X guru Stefan Esserwhich, can be exploited by malware and attackers to gain total control of the computer. This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5 but is already fixed in the preview beta of El Capitan (OS X 10.11) Speaking of exploits: Reader trailrunner 7 notes that "HP’s Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution."

eggboard writes: If you've ever turned on what's now called "two-step verification" for an Apple ID, you had to create a Recovery Key. Lose this 14-digit code and have your password reset (because of hacking attempts against you), and you might lose access forever to purchases and data, as Owen Williams almost did. Apple confirmed today that starting with its public betas of OS X 10.11 and iOS 9, two-factor authentication won't have a Recovery Key. Instead, if you have to reset a password or lose access to devices, you'll have to go through an account verification process with human beings.

An anonymous reader notes a report from El Reg on a major cross-app resource vulnerability in iOS and Mac OS X. Researchers say it's possible to break app sandboxes, bypass App Store security checks, and crack the Apple keychain. The researchers wrote, "specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by [malware] to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app’s private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications." Their full academic paper (PDF) is available online, as are a series of video demos. They withheld publication for six months at Apple's request, but haven't heard anything further about a fix.

Here's an overview of the main announcements and new products unveiled at WWDC today.

• The latest OS X will be named OS X El Capitan. Features include: Natural language searches and auto-arrange windows. You can make the cursor bigger by shaking the mouse and pin sites in Safari now. 1.4x faster than Yosemite. Available to developers today, public beta in July, out for free in the fall.
• Metal, the graphics API is coming to Mac. "Metal combines the compute power of OpenCL and the graphics power of OpenGL in a high-performance API that does both." Up to 40% greater rendering efficiency.
• iOS 9: New Siri UI. There’s an API for search. Siri and Spotlight are getting more integrated. Siri getting better at prediction with a far lower word error rate. You can make checklists, draw and sketch inside of Notes. Maps gets some love. New app called News "We think this offers the best mobile reading experience ever." Like Flipboard it pulls in news articles from your favorite sites. HomeKit now supports window shades, motion sensors, security systems, and remote access via iCloud. Public Beta for iOS 9.
• Apple Pay: All four major credit card companies and over 1 million locations supporting Apple Pay as of next month. Apple Pay reader developed by Square, for peer-to-peer transactions. Apple Pay coming to the UK next month support in 250,000 locations including the London transportation system. Passbook is being renamed "Wallet."
• iPad: Shortcuts for app-switching, split-screen multitasking and QuickType. Put two fingers down on the keyboard and it becomes a trackpad. Side by side apps. Picture in picture available on iPad Air and up, Mini 2 and up.
• CarPlay: Now works wirelessly and supports apps by the automaker.
• Swift 2,the latest version of Apple’s programing language . Swift will be open source.
• The App Store: Over 100 billion app downloads, and $30 billion paid to developers.
• Apple Watch: watchOS 2 with new watch faces. Developers can build their own "complications" (widgets with a terrible name that show updates and gauges on the watch face). A new feature called Time Travel lets you rotate the digital crown to zoom into the future and see what’s coming up. More new features: reply to email, bedside alarm clock, send scribbled messages in multiple colors. You can now play video on the watch. Developer beta of watchOS 2 available today, wide release in the fall for free.
• Apple Music: “The next chapter in music. It will change the way you experience music forever,” says Cook. Live DJs broadcasting and hosting live radio streams you can listen to in 150 countries. Handpicked suggestions. 24/7 live global radio. Beats Connect lets unsigned artists connect with fans. Beats Music has all of iTunes’ music, to buy or stream. With curated recommendations. Launching June 30th in 100 countries with Android this fall, with Windows and Android versions. First three months free, $9.99 a month or $14.99 a month for family plan for up to six.

An anonymous reader writes: As Microsoft prepares for the launch of Windows 10, review sites have been performing all sorts of benchmarks on the tech preview to evaluate how well the operating system will run. But now a computer science student named Alex King has made the most logical performance evaluation of all: testing Windows 10's performance on a 2015 MacBook. He says, "Here's the real kicker: it's fast. It's smooth. It renders at 60FPS unless you have a lot going on. It's unequivocally better than performance on OS X, further leading me to believe that Apple really needs to overhaul how animations are done. Even when I turn Transparency off in OS X, Mission Control isn't completely smooth. Here, even after some Aero Glass transparency has been added in, everything is smooth. It's remarkable, and it makes me believe in the 12-inch MacBook more than ever before. So maybe it's ironic that in some regards, the new MacBook runs Windows 10 (a prerelease version, at that) better than it runs OS X."

ClockEndGooner writes: Microsoft is still extending its efforts into cross platform development with the release of a preview edition of Visual Studio Code, "a lightweight cross-platform code editor for writing modern web and cloud applications that will run on OS X, Linux and Windows." Derived from its Monaco editor for Visual Studio Online, the initial release includes rich code assistance and navigation for JavaScript, TypeScript, Node.js, ASP.NET 5, C# and many others.

Trailrunner7 writes: For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn't much of a challenge at all. Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial. "Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference here Thursday. "It only verifies the app bundle. If Macs were totally secure, I wouldn't be here talking," Wardle said. "It's trivial for any attacker to bypass the security tools on Macs."

Trailrunner7 writes When it was revealed late last month that a Chinese certificate authority had allowed an intermediate CA to issue unauthorized certificates for some Google domains, both Google and Mozilla reacted quickly and dropped trust in CNNIC altogether. Apple on Wednesday released major security upgrades for both of its operating systems, and the root certificate for CNNIC, the Chinese CA at the heart of the controversy, remains in the trusted stores for iOS and OS X. The company has not made any public statements on the incident or the continued inclusion of CNNIC's certificates in the trusted stores.

For anyone using Windows 7 by way of Apple's Boot Camp utility, beware: support for Windows via Boot Camp remains, but for the newest Apple laptops, it's only for Windows 8 for now. From Slashgear: This applies to the 2015 MacBook Air, and the 13-inch model of the 2015 MacBook Pro. Windows 8 will remain compatible, as will the forthcoming Windows 10. The 2013 Mac Pro also dropped Boot Camp support for Windows 7, while 2014 iMacs are still compatible, along with 2014 MacBook Airs and 2014 MacBook Pros. For those who still prefer to run Windows 7 on their Macs, there are other options. This change to Boot Camp will not affect using the Microsoft operating system through virtualization software, such as Parallels and VMware Fusion. Also at PC Mag.

abhishekmdb writes No browsers are safe, as proved yesterday at Pwn2Own, but crashing one of them with just one line of special code is slightly different. A developer has discovered a hack in Google Chrome which can crash the Chrome tab on a Mac PC. The code is a 13-character special string which appears to be written in Assyrian script. Matt C has reported the bug to Google, who have marked the report as duplicate. This means that Google are aware of the problem and are reportedly working on it.

Nerval's Lobster writes Developers assume that Swift, Apple's newish programming language for iOS and Mac OS X apps, will become extremely popular over the next few years. According to new data from RedMonk, a tech-industry analyst firm, Swift could reach that apex of popularity sooner rather than later. While the usual stalwarts—including JavaScript, Java, PHP, Python, C#, C++, and Ruby—top RedMonk's list of the most-used languages, Swift has, well, swiftly ascended 46 spots in the six months since the firm's last update, from 68th to 22nd. RedMonk pulls data from GitHub and Stack Overflow to create its rankings, due to those sites' respective sizes and the public nature of their data. While its top-ranked languages don't trade positions much between reports, there's a fair amount of churn at the lower end of the rankings. Among those "smaller" languages, R has enjoyed stable popularity over the past six months, Rust and Julia continue to climb, and Go has exploded upwards—although CoffeeScript, often cited as a language to watch, has seen its support crumble a bit.

itwbennett writes: Although Apple has never officially acknowledged issues surrounding Yosemite and Wi-Fi connectivity, the company is clearly aware of the problem: Leading off the improvements offered in the update 10.10.2 update released Tuesday was 'resolves an issue that might cause Wi-Fi to disconnect,' according to the release notes. Despite this, Apple's support forum was filled with tales of frustrated users. And Mac owners aren't the only Apple users experiencing wireless connection failures after updating their OS. Wi-Fi connectivity issues have also dogged iOS 8 since Apple released the mobile OS on Sept. 17.

jones_supa writes Apple has always had attractive and stylish hardware, but there are always some customers opting to run Linux instead of OS X on their Macs. But why? One might think that a polished commercial desktop offering designed for that specific lineup of computers might have less rough edges than a free open source one. Actually there's plenty of motivations to choose otherwise. A redditor asked about this trend and got some very interesting answers. What are your reasons?