Brandon Dalton (@partyd0lphin) 's Twitter Profile
Brandon Dalton

@partyd0lphin

🌉 Senior macOS Researcher @CrowdStrike

ID: 633109376

Website: https://swiftly-detecting.notion.site/
Joined: 11-07-2012 18:23:54

379 Tweets

850 Followers

184 Following

Jonny Johnson (@jsecurity101) 's Twitter Profile Photo

A feature in EtwInspector v2 will be that when you are querying providers you can pass in a string, and it will query certain ETW properties and return the providers that have a match. This will be big for anyone trying to do more advanced enumeration across ETW providers
Mickey Jin (@patch1t) 's Twitter Profile Photo

Exploit to escape the app sandbox: 1. Drop the exploit.aar from a sandboxed app 2. open exploit.aar (quarantined) 3. open evil.zip from $TMPDIR 4. open ~/Downloads/poc.app (not quarantined) (Step 3 is killed on the latest macOS, but should work on Sonoma)

Microsoft Threat Intelligence (@msftsecintel) 's Twitter Profile Photo

Microsoft uncovered a vulnerability, tracked as CVE-2025-31191, in macOS that could allow specially crafted codes to escape the App Sandbox without user interaction and run unrestricted on systems. msft.it/6017SRCif

Dillon Franke (@dillon_franke) 's Twitter Profile Photo

Thrilled to announce my new Project Zero blog post is LIVE! 🎉 I detail my knowledge-driven fuzzing process to find sandbox escape vulnerabilities in CoreAudio on MacOS. I'll talk about this and the exploitation process next week offensivecon! googleprojectzero.blogspot.com/2025/05/breaki…

Ivan Krstić (@radian) 's Twitter Profile Photo

🔺iPhone models announced today include Memory Integrity Enforcement, the culmination of an unprecedented design and engineering effort that we believe represents the most significant upgrade to memory safety in the history of consumer operating systems. security.apple.com/blog/memory-in…

Jaron Bradley (@jbradley89) 's Twitter Profile Photo

Check out our blog post on “ChillyHell”. A modular backdoor for macOS that was signed and notarized by a threat actor tracked as UNC4487. jamf.com/blog/chillyhel…

Olivia Gallucci ✨ (@oliviagalluccii) 's Twitter Profile Photo

By pure coincidence, my #OBTS presentation *ALSO* discusses Mac Monitor! I used it to learn about the ES API, and the tool made everything much more accessible to me. :) Admittedly, I’m using the outdated version; it truly is a stellar project. Thank you for creating and

Mussy (@mu55sy) 's Twitter Profile Photo

📦 UNBOXING: Next-Gen Mac Monitor — live at #OBTS 🍏 Brandon Dalton

First look: smells like fresh ES events and SwiftUI gloss. 😮‍💨✨
Inside the box:
• Plug-and-play access to Apple Endpoint Security stream (no agent spelunking)
• Dynamic subscriptions, filters,

Doc Dave (@forensicdave) 's Twitter Profile Photo

Brandon (Brandon Dalton) from @crowdstrike talked about many improvements and features in his most awesome opensource tool (Mac Monitor) - ( aka Procmon for OSX ) - & even pushed out version 2 in real-time at #OBTS! Check it out if you haven’t already! github.com/Brandon7CC/mac…

Doc Dave (@forensicdave) 's Twitter Profile Photo

Christine christine 🌸💐🌺🌷🌹🪻🍃🌱🌿🪴✨ and JBO (Jonathan Bar Or (JBO) 🇮🇱🇺🇸🇺🇦🎗️ ) (& Alexia Wilson) from Microsoft showed #OBTS how Spotlight just got too bright. 😬 They found a macOS TCC bypass (#CVE-2025-31199) that abuses Spotlight to get your private data - locally and remotely - and showed how to detect!

Jonathan Bar Or (JBO) 🇮🇱🇺🇸🇺🇦🎗️ (@yo_yo_yo_jbo) 's Twitter Profile Photo

#OBTS v8 was so fun. Met many folks I interacted with in the past, and a lot of new folks, everyone very smart and passionate. Special thanks to Patrick Wardle for bringing the community together. 🍎