jwzSep 26, 2023

From this thread:
https://infosec.exchange/@TomSellers/111126339492371432
I found that these apps installed on my Mac are still vulnerable to the WebP exploit:

Arduino IDE, Keybase, Slack, and AdGuard for Safari.

The first 3 I haven't launched in months, but... it certainly was A Choice that "AdGuard *FOR SAFARI*" contains an entire copy of "Chrome/100.0.4896.160" inside it.

Tom Sellers (@[email protected])

Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin 's [excellent article on Ars Technica](https://arstechnica.com/security/2023/09/incomplete-disclosures-by-apple-and-google-create-huge-blindspot-for-0-day-hunters/). As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook. I threw together the following shell command to help macOS audit which versions of Electron apps are installed. ``` find /Applications -type f -name "*Electron Framework*" -exec \ sh -c "echo \"{}\" && strings \"{}\" | grep '^Chrome/[0-9.]* Electron/[0-9]' | head -n1 && echo " \; ``` When run, you should see something similar to the following: ``` /Applications/Visual Studio Code.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework Chrome/114.0.5735.289 Electron/25.8.1 /Applications/Slack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework Chrome/116.0.5845.188 Electron/26.2.1 ``` #Security #Electron #CVE20234863 #CVE-2023-4863

Infosec Exchange
Show threadjwz
So what ad blocker should I be using with Safari instead of AdGuard? Is Adblock Plus the only other game in town? They seem to be beg-ware now who have been co-opted into claiming that there is such a thing as an "acceptable ad".
Sep 26, 2023 at 6:17pmWeb
Show threadJohn SiracusaSep 26, 2023
@jwz I use https://1blocker.com and it seems pretty OK.
1Blocker - The Most Beautiful & Powerful Safari Ad Blocker for iPhone, iPad and Mac

1Blocker lets you block ads, trackers, and other unwanted web content. It's easy to use and doesn’t slow down Safari. 1Blocker comes with over 120,000 built-in blocker rules. It is very configurable and all your settings are synced over iCloud.

Show threadStephen FoskettSep 26, 2023
@siracusa @jwz here’s my vote for 1Blocker as well. Works on mobile and Mac.
Show threadMichael StancliftSep 26, 2023
@sfoskett @siracusa @jwz I like Wipr, personally. It’s lacks all the customization of 1Blocker but its been mostly set it and forget it.
Show threadSavičsSep 26, 2023

@jwz I haven't used safari in a while now, but I remember 1Blocker and Wipr being pretty good.

I remember 1Blocker having individual toggleable lists etc, but Wipr just being on/off... but Wipr is a one time fee while 1Blocker I think had some pro features behind a subscription (again, haven't used safari in a while, so might be old/wrong, check for yourself)

Show threadhagenSep 26, 2023
@jwz 1blocker!
Show threadSteven BlackSep 26, 2023

@jwz one option is to proactively block in a more foundational layer in your stack.

Example: my hosts files have nearly 23k stars, a decade-long track record, and is used by all those blockers.

https://github.com/StevenBlack/hosts

GitHub - StevenBlack/hosts: 🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.

🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories. - StevenBlack/hosts

GitHub
Show threadjwzSep 26, 2023
@steveblack No fucking way
Show threadSteven BlackSep 26, 2023

@jwz Way!

Unless I misunderstood… if so, care to elaborate?

Show threadjwzSep 26, 2023
@steveblack That is the "just recompile your kernel" approach to ad blocking. Have fun with that. 100% not interested.
Show threadSteven BlackSep 26, 2023

@jwz lol whatever you say.

I must say, though, this is Mos Def the first time I've ever heard a stated equivalency between

* "copying a plaintext file to a location used by 100% of online devices, including IOT devices, since the dawn of the internet"

...and...

* "recompiling your kernel" (your words)

Show threadjwzSep 26, 2023
@steveblack \/\/
Show threadRobert AtkinsSep 26, 2023
@jwz I use 1Blocker and PiHole, works pretty well for me (obvs PiHole only works when I’m at home on my own network.)
Show threadwkrickSep 26, 2023
@jwz My first thought was uBlock Origin but it appears to only be available for Safari releases prior to 13.
Show threadGötz HoffartSep 26, 2023
@jwz Magic Lasso works fine here.
Show threadSteinar BangSep 26, 2023
@jwz I quite like uBlock origin myself, but it doesn't work for Safari later than version 13, and a quick google search says that current safari 16.5, so I guess that is a no-go? https://ublockorigin.com
(don't have a mac right now and when I did I used vivaldi, firefox and chrome, rather than safari)
uBlock Origin - Free, open-source ad blocker

uBlock Origin is a free, open-source ad blocker. Block ads on YouTube, Twitch, and across the web with low CPU and memory usage. Available for Firefox, Chrome, Edge, and more.

uBlock Origin
Show threadDavid Glover-AokiSep 26, 2023
@steinarb @jwz uBlock Origin hasn't supported Safari in literally years. It's not an option.
Show threadacbSep 26, 2023
@jwz I use 1Blocker (mostly on iOS, but it also runs on macOS); it seems pretty thorough. It being a cross-platform app is also a guarantee of purely native code with no Electron fuckery.
Show threadMatt SickerSep 26, 2023
@jwz lot of love for 1Blocker in these replies. It appears that the free version only lets you use one category of filter at a time, but there’s a two week trial you can use before buying it
Show threadMorreSep 26, 2023
@jwz uBlock Origin is my recommendation.
Show threadRick Moen 🇺🇸 🇳🇴 🇬🇧Sep 28, 2023

@jwz @dmarti : For ad-blocking on Apple Safari, perhaps look into extensions "Disconnect for Safari" and/or "Ka-Block!". (There may be others. Those are the ones I'm aware of.)

https://disconnect.me/consumer
http://kablock.com/

Show threadDon MartiSep 29, 2023

@unixmercenary @jwz

Good review for Magic Lasso on Daring Fireball too

https://daringfireball.net/linked/2020/04/12/magic-lasso-adblock

Magic Lasso Adblock

Link to: https://www.magiclasso.co/

Daring Fireball
Show threadScrumposterOct 1, 2023
@jwz
Is ublock origin not on safari ? That's what I use
Show threadjwzOct 1, 2023
@scrumposter LMGTFY
Show threadScrumposterOct 1, 2023
@jwz
Fuck off ? I'm trying to help ? You're asking a question you can answer in like 5 minutes of googling.