Monday, June 5, 2023

Apple provides grated cheese with the wine

Today Apple asked, would you like cheese with your wine?

It's nice that the stench of Intel has finally drifted off Apple's product line, leaving us once again with a RISC cheese grater atop the heap. Still, though (seriously now), no discrete GPUs for those six PCIe slots? Does this mean you're stuck with the MKULTRA M2 Ultra's? That's like throwing a party where you have to wear headphones to hear the music. But at least if you were using it for virtualized x86_64 workloads, Rosetta 2's got you covered, and no one's gonna pull an IBM QuickTransit this time — suggesting x86_64 binaries will have a far longer shelf life on Apple silicon than PowerPC binaries ever did on Intel. At $7000 for the base model, though, I think I'll stick to my Raptor Talos II.

Apple also proved themselves able and willing to compete in drinking games with macOS Sonoma (but fine vintages, mind you), so start your photocopiers. Quick, drink if you thought Apple would basically bring back the Dashboard, which is the first thing I disable when installing Tiger from scratch. If you're Mozilla, drink if you thought Apple would rip off Firefox containers in Safari. And, well, I should have a drink too, because now Power Mac upgraders will get a built-in TenFourFoxBox for desktop web apps. We didn't get macOS Arvin, macOS Edison (now with more power saving features!) or macOS Chico, but don't worry: it will still cost Peanuts.

Don't get me started on that goggles thing.

Thursday, April 20, 2023

April patch set for TenFourFox

As promised, there are new changesets to pick up in the TenFourFox tree. (If you're new to rolling your own TenFourFox build, these instructions still generally apply.) I've tried to limit their scope so that people with a partial build can just pull the changes (git pull) and gmake -f client.mk build without having to "clobber" the tree (completely erase and start over). You'll have to do that for the new ESR when that comes out in a couple months, but I'll spare you that today. Most of these patches are security-related, including one that prevents naughty cookies which would affect us as well, though the rest are mostly crash-preventers and would require PowerPC-specific attacks to be exploitable. There is also an update to the ATSUI font blacklist. As always, if you find problematic fonts that need to be suppressed, post them to issue 566 or in the comments, but read this first.

However, there is one feature update in this patchset: a CSS grid whitelist. Firefox 45, which is the heavily patched underpinning of TenFourFox FPR, has a partially working implementation of CSS grid as explained in this MDN article. CSS grid layout is a more flexible and more generalized way of putting elements on a page than the earlier tables method. Go ahead and try to read that article with the current build before you pull the changes and you'll notice that the page has weirdly scrunched up elements (before a script runs and blanks the whole page with an error). After you build with the updates, you'll notice that while the page still doesn't lay out perfectly right, you can now actually read things. That's because there's a whitelist entry now in TenFourFox that allows grid automatically on developer.mozilla.org (a new layout.css.grid.host.developer.mozilla.org preference defaults to true which is checked for by new code in the CSS parser, and there is also an entry in the problematic scripts filter to block the script that ends up blanking the page when it bugs out). The other issues on that page are unrelated to CSS grid.

This will change things for people who set the global pref layout.css.grid.enabled to true, which we have never shipped in TenFourFox because of (at times significant) bugs in the implementation. This pref is now true, but unless the URL hostname is in the whitelist, CSS grid will still be disabled dynamically and is never enabled for chrome resources. If you set the global pref to false, however, then CSS grid is disabled everywhere. If you were using this for a particular site that lays out better with grid on, post the URL to issue 659 or in the comments and I'll consider adding it to the default set (or add it yourself in about:config).

The next ESR (Firefox 115) comes out end of June-early July, and we'll do the usual root updates then.

Tuesday, April 18, 2023

Power Mac ransomware? Yes, but it's complicated

Wired ran an article today (via Ars Technica) about apparent macOS-compatible builds of LockBit, a prominent encrypting ransomware suite, such as this one for Apple silicon. There have been other experimental ransomware samples that have previously surfaced but this may be the first known example of a prominent operation specifically targeting Macs, and it is almost certainly not the last.

What caught my eye in the article was a report of PowerPC builds. I can't seem to get an alleged sample to analyse (feel free to contact me at ckaiser at floodgap dawt com if you can provide one) but the source for that assertion appears to be this tweet.

Can that file run on a Power Mac? It appears it's indeed a PowerPC binary, but the executable format is ELF and not Mach-O, so the file can only run natively on Linux or another ELF-based operating system, not PowerPC Mac OS X (or, for that matter, Mac OS 9 and earlier). Even if the raw machine code were sprayed into memory for an exploitable Mac application to be tricked into running, ELF implies System V ABI, which is similar but different from the PowerOpen ABI used for PowerPC-compatible versions of Mac OS, and we haven't even started talking about system calls. Rather than a specific build targetting Power Macs, most likely this is evidence that the LockBit builders simply ran every crosscompiler variation they could find on their source code: there are no natively little-endian 32-bit PowerPC CPUs, for example, yet there's a ppcle build visible in the screenshot. Heck, there's even an s390x build. Parents, don't let your mainframes out unsupervised.

This is probably a good time to mention that I've been working on security patches for TenFourFox and a couple minor feature adjustments, so stay tuned. It's been awhile but such are hobbies.

Sunday, September 18, 2022

September patch set for TenFourFox

102 is now the next Firefox Extended Support Release, so it's time for spring cleaning — if you're a resident of the Southern Hemisphere — in the TenFourFox repository. Besides refreshing the maintenance scripts to pull certificate, timezone and HSTS updates from this new source, I also implemented all the relevant security and stability patches from the last gasp of 91ESR (none likely to be exploitable on Power Macs without a direct attack, but many likely to crash them), added an Fx102 user agent choice to the TenFourFox preference pane, updated the ATSUI font blacklist (thanks to Chris T for the report) and updated zlib to 1.2.12, picking up multiple bug fixes and some modest performance improvements. This touches a lot of low-level stuff so updating will require a complete rebuild from scratch (instructions). Sorry about that, it's necessary!

If you're new to building your own copy of TenFourFox, this article from last year is still current with the process and what's out there for alternatives and assistance.

Wednesday, July 6, 2022

Network Solutions screws the pooch again

Floodgap appears to be down because Network Solutions' name servers are timing out and name queries are not reliably resolving (everything's up on this end). There is no ETA. If this continues for much longer I'll figure out an alternative, but between this and the social engineering hack last year, maybe this is a sign I need to move it to a different registrar even though I prepaid a few years ago.

Monday, June 6, 2022

macOS Oxnard

Those of us in southern California are shaking our heads. I like the City of (San Buena)Ventura fine, but Ventura isn't exactly in the same snobbish class as, you know, Big Sur or Monterey. I mean, if they really wanted they could have had macOS Camarillo, or macOS Thousand Oaks, or maybe even macOS Calabasas even though that sounds those gourd urns you buy at Pier 1 or a euphemism for unmentionable body parts, but anyway. (macOS Malibu! Buy all her friends!) There was a lot of buzz over the possibility this could have been macOS Mammoth, and even Wikipedia went all-in. I can see why they didn't because the jokes would have flown thick and heavy if it turns out as big and ponderous as the name, but when you give up the chance at Point Mugu or Oxnard (or La Conchita: the operating system that collapses on itself!) for a pretty if less ostentatious coastal community, someone at Apple just isn't thinking big. Or, for that matter, mammoth.

Saturday, April 30, 2022

April patch set for TenFourFox

I've had my hands full with the POWER9 64-bit JIT (a descendant of TenFourFox's 32-bit JIT), but I had a better idea about the lazy image loader workaround in February's drop and got the rest of the maintenance patches down at the same time. These patches include the standard security fixes and updates to timezones, pinned certificates and HSTS, as well as another entry for the ATSUI font blacklist. In addition, a bug in the POWER9 JIT turns out to affect TenFourFox as well (going back to at least TenFourFox 38), which I ported a fix for. It should correct some residual issues with IonPower-NVLE on a few sites, though it may allow code to run that couldn't run before that may have its own issues, of course. A clobber is not required for this update. The commits are already hot and live on Github.

The next ESR, version 102, is due in June. I'll change the EV and certificate roots over around that time as usual, but we might also take the opportunity to pull up some of the vendored libraries like zlib, so it might be a somewhat bigger update than it would ordinarily be.