LittleBITS: Inadvertent Mail Deletion, TidBITS Security Vulnerability, and iOS Update Error 1100

In this week’s installment of LittleBITS, I point to a fascinating discussion in TidBITS Talk that could explain why messages sometimes go missing in Apple’s Mail on the Mac, share an email interaction with a Pakistani security researcher, and pass on a tip from a reader that supports my general distrust of USB hubs.

Beware Control-H in Mail

Over in TidBITS Talk, user Tall Trees has contributed another entry in the “I Didn’t Know That!” category. It turns out that in Apple’s Mail app on the Mac, pressing Control-H deletes a message, which could be surprising or even problematic. Jeffrey Jones suggested that the reason was probably related to the fact that Control-H generates the standard ASCII control character for Backspace, which generally maps to the key labeled Delete on modern keyboards. Although David C. pointed out that such ASCII control characters should work only in apps running in an ASCII-like terminal session, Apple’s developers must have explicitly decided to code that keyboard mapping for Mail as well.

It may have started back in Unix. Most people probably don’t know that Cocoa apps on the Mac have built-in support for keybindings from the Emacs text editor. Apple documents some of these, including Control-H, on its Mac Keyboard Shortcuts page. That means pressing Control-H deletes the character to the left of the insertion point when editing text, just like Backspace. So perhaps a Mail developer wanted to extend the delete shortcut they were accustomed to in Emacs beyond the Mail text-editing environment to managing messages. Or perhaps a Mail developer was a devotee of a Unix mail app that relied on Control-H to delete messages. Whatever the reason, inadvertent presses of Control-H could explain why messages disappear occasionally. Now you know.

Fixing a Security Vulnerability on Our WordPress Site

A few weeks ago, I received an email from a Pakistani security researcher named Mahad Ali, alerting me to a clickjacking vulnerability on our WordPress site that could theoretically have been exploited to capture usernames and passwords from users logging in. I initially thought the message might have been some sort of phishing attempt, but I was able to replicate Mahad’s proof of concept. While my developer wasn’t sure how common such attacks were, he too was able to confirm the vulnerability, and it was trivially easy for him to tweak our site to block such attacks.

The aspect of the exchange that I hadn’t previously experienced was that Mahad said in the original message that he was hoping for a bounty reward for responsibly disclosing the vulnerability. That felt awkward, but there was no implied threat, and when I replied that we had no budget for such bounties, he politely asked if I’d write a LinkedIn endorsement. I’m hesitant to do that based on a several-message conversation, especially given the extent to which I and others in the TidBITS world help those in need with no expectation of direct acknowledgment. That said, I can also imagine that being a self-employed tech guy just out of college in Pakistan might lend itself to some alternative ways of trying to get ahead in the tech world.

So in lieu of a LinkedIn endorsement, I’m mentioning him here in TidBITS. I hope that will be even more valuable to Mahad, in that anyone searching for his name will be more likely to run across this account of our interaction.

Avoid USB Hubs with iOS Updates

Here’s another potentially helpful tip from a TidBITS reader. Charles Reeves Jr wrote to tell me that he had problems updating his iPhone 8 to iOS 15.1 and then to iOS 15.2 using his Mac. Both times, the update stalled, throwing an unknown error 1100. Although Apple has a page listing iOS update and restore errors, 1100 isn’t among them (it may be numbered, but it’s apparently still unknown).

Charles poked around on the Internet and finally found a suggestion that the problem might be related to connecting the iPhone to the Mac via a USB hub, which he was doing. When he switched to a USB port on his external monitor, he was able to update to iOS 15.1. Even that didn’t work with iOS 15.2, but connecting it directly to his Mac with a different cable resolved the problem.

In fact, one of the categories of errors that Apple discusses suggests trying different USB cables, different USB ports, and a USB port on a different computer, so avoiding a USB hub (which the monitor is too) makes a lot of sense. Personally, I’ve never trusted USB hubs with important connections like backup drives, so Charles’s report offers another data point supporting my distrust. Now that I examine my rationale for directly updating all my iPhones and iPads using Settings > General > Software Update, the desire to remove potentially dodgy cables and USB ports from the equation plays a significant role.
