Major zero-day security flaws in both iOS and OS X allow theft of Keychain, app passwords

“Researchers from Indiana University and the Georgia Institute of Technology said that security holes in both iOS and OS X allow a malicious app to steal passwords from Apple’s Keychain, as well as both Apple and third-party apps,” Ben Lovejoy reports for 9to5Mac. “The claims appear to have been confirmed by Apple, Google and others.”

“The Register says the team reported the flaws to Apple in October of last year. At that time, Apple said that it understood the seriousness of the flaws and asked the researchers to give it six months to address them before the exploit was made public,” Lovejoy reports. “In February, Apple requested an advance copy of the paper, yet the flaws remain present in the latest versions of both operating systems.”

Read more in the full article here.

“The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts that could raid the keychain to steal passwords for services including iCloud and the Mail app, and all those stored within Google Chrome,” Darren Pauli reports for The Register. “Some 88.6 percent of 1612 Mac and 200 iOS apps were found ‘completely exposed’ to unauthorised cross-app resource access (XARA) attacks allowing malicious apps to steal otherwise secure data.”

Read more in the full article here.

MacDailyNews Take: Let’s be careful out there.

Hopefully, Apple will have a response ASAP.

51 Comments

  1. But hey, Tim Cook is doing so great. Look at that watch, and Beats and the new Fonts and the single port MacBook.
    Maybe we should ask Jony about the software since he is in charge. Oh, that’s right, he is a stylist, not a software engineer.

      1. I don’t hate the people at Apple, I expect that they TCB.
        Focusing on fashion while zero day flaws exist is not taking care of business.

        Stop being a blind fanboy. Apple markets itself as a premium product and charges accordingly. That means they should be held to a higher standard.

        1. Do better reading before you go screaming that Apple is not doing enough.

          This is a TWO-part problem. Both parts of the exploit vector need to work in order for there to be a problem: 1) a malicious app must get through the App Store, 2) the vulnerability must exist in iOS or Mac OS.

          It is entirely possible that Apple changed the App screening process to stop step 1). Apple updates that process quite regularly. You just don’t hear about it.

          If they’ve stopped step 1) they have some breathing room to fix step 2). They do need to fix it as someone else will eventually figure out how to exploit it without step 1).

          But running around claiming the sky is falling when you only have part of the full story is asinine.

        2. After reading both articles the researchers have claimed that the exploit is able to get past the vetting process. It is unclear whether Apple has fixed the vetting process and how many ‘test’ Apps the researchers have posted. The vulnerability continues to exist according to the 2nd article, and none of the 3 (Apple, Google, AgileBits) were able to fix it. The ‘best’ and only response for the exploit to date was taken by Google’s Chromium team by removing keychain integration from Chrome.

      2. So if you hate the people at Apple, just go away!

        I don’t think that person hates the people at Apple. He or she probably perceives that the jobs they are doing aren’t as good as when Jobs was running Apple. And he or she probably hates this.

    1. Per DavGreg’s comment: I’m an Apple fan–perhaps a bit of an A-nut and, though I may not have written with the same level of sarcasm, DavGreg’s comment has some validity and the fanbois who can’t embrace some of this type of criticism, are blind cheerleaders. After all, we’re close to 9 months post awareness of a major security flaw and the hole is still agape? One of Apple’s long-standing desirables was no viruses and good security. Frankly, if I don’t have security, I could care less about features and fine patents and the billions should be thrown with gale force at these blems. You’ve got a point DavGreg–from a could-be-fanbois.

      1. To ripabo and davgreg,
        Guys, we all want Apple to be great and PERFECT and…. but show me a system out there that is better! ??????? crickets??

        There are a lot of people at Apple and most are working on critical items and some are working on more visual items. And no system is ever perfect. 99.5% of us here are NOT fanboys but we do not bitch and moan over EVERY lack of perfect thing in Apple either.

        PS, if you want total security, it’s easy, NEVER connect to the internet, NEVER use wireless, and NEVER buy any software you do not write yourself. To go further, never turn on the computer. There. Perfect. oh wait, it collects dust…. DAMN Apple… why can’t you be dust free… LOL

        Just saying.

        1. blind fanboi | fanboy: noun phrase

          an uncritical admirer; especially one who, through confirmation bias, overlooks a flaw deemed critical by me, and by every other serious person

    2. Moron. Jony is not in charge of software, he’s in charge of UI design. That other guy, what’s his name, oh yeah… Craig Federighi is Vice President of Software Engineering. And guess what? He is a software engineer.

        1. I have att.net (Yahoo), Outlook (Hotmail), GMail (Junk account), iCloud (Mobile Me), Comcast, and then a couple of work accounts (Exchange). The only one currently giving me problems on Apple Mail is the Comcast.
          Using the Postbox client fixes the problem, so it is obviously fixable.

    3. I am pretty sure that the threat to our online world hurts every operating system and has nothing to do with the cost of the item. MS charged a lot for their software and look what happened with that. Sure Apple needs to fix this pronto, and they will need to fix the next exposure too. This is going to be never ending but at least Apple is making security a top priority as shown by the developer conference just concluded.

      1. The WWDC keynote was about The Watch, the stupid rental Music Service, some idiot calling himself Drake, a poseur/hanger on (Bovine), a crazy Cuban who is seemingly clueless as to how to do music (Cue) and a new Font on the Mac.

        A Developer conference.

        1. Apple’s falling on their ass over security is NOT new to the Cook era. But I certainly agree with your sentiment otherwise. You’ll see I’ve posted my own rant on the subject below. Apple’s blatant ignoring and enabling of ongoing security flaws has got to stop.

        2. “They say almost all XARA flaws arise from Apple’s cross-app resource sharing and communication mechanisms such as keychain for sharing passwords, BID based separation, and URL scheme for app invocation, which is different from how the Android system works.”

          This is truly an Apple specific flaw and in a core system mechanism to boot. Quite understandable that it will take a while to fix. If I had to make an analogy, maybe trying to fix the entire lymph-node system in a human body. The only current option for a ‘quick-fix’ patch would be to remove cross-application resource access altogether.

        3. I’m not going to be any expert on the coding details of XARA.

          What’s in contention right now is Apple asking for 6 months to fix the flaw, their estimate, and FAILing to do so. They know the consequences. I have ZERO sympathy for Apple in this respect and neither should anyone else. Enabling Apple to be lazy asses regarding security is a TERRIBLE idea and I reject any arguments to the contrary. All of us should be KICKING Apple in the ass to get moving and solve this permanently in a timely manner. This state of affairs is entirely unacceptable. All the bad publicity on Apple about XARA is entirely deserved. Deal with it.

          Meanwhile, for the average user, there is nothing live in-the-wild. There is NO reason to panic. No FUD required. My colleague Thomas Reed covered this beautifully:

          http://www.thesafemac.com/multiple-vulnerabilities-found-in-mac-os-x/

        4. If they put together a core group of programmers that were involved in that mechanism of the OS and are given the freedom to tear everything apart to fix it (in effect possibly requiring a huge chunk of Apps in the App store to be suspended till updated by the developer when the ‘fixed’ OSes are released to users). The question is how much Apple is willing to risk to get it done in short order. Curious that the article you linked only mentioned the exploit in Mac OS X and never mentions iOS.

    4. Jony Ive is “a stylist”??? What a clueless wonder you are.

      You know the saying that if you don’t know something, it’s better to remain silent than to confirm it by speaking out? Well, you should start living it chump.

    1. Fix time has nothing to do with priority level. If it’s an issue in the core of the system (and it sounds as if it is) then there might be a lot of changes needed to fix the problem.

      Sometimes software bugs can be an easy fix, like patching a hole in a tire, but other times it could be more like replacing a card in a house of cards, especially if it’s part of the foundation… removing it could affect every other card.

    2. Exactly Saldin. And this isn’t the only sizzling security hole Apple has shoved on the back burner. This now makes SIX security holes (by my count) that Apple has yet to repair in public. (Thankfully, they’re addressing a couple of these in El Capitan).

      IOW: I hereby make my personal announcement that Apple’s software security division is again: DREADFUL. I cannot fathom why they’re being so outrageously LAZY about OS X and iOS security. Do we really need Dr. Charlie Miller, Dino A. Dai Zovi et al. to shame Apple into getting serious again about security? Why does Apple require having its ass kicked to get moving? This is silly.

      1. Derek, so you are saying that Linux and Microsoft are much safer and more secure than Apple??? Are you changing anytime soon to be more safe???

        PS, are you a developer or programmer so you understand how much it will require to get this done???

        1. C’mon! That’s a slippery slope fallacy.

          Microsoft and the Linux community’s track record on security have nothing to do with the fact that Apple has not produced a fix to a serious security vulnerability in 7 and a half months.

        2. Um, huh?! What exactly does Linux or Microsoft have to do with anything I said? Nothing, actually.

          And yes, I’ve done enough work with software development and project management to definitively say that Apple is sitting on their ass right now regarding security. On Their Ass. Does that define it well enough for you?

  2. Ugh, glad I didn’t share the security flaw story but with Samsung devices yesterday, this would’ve been thrown back in my face today.

    Glass houses and throwing rocks and all that…

    It was almost an identical story: company notified about issue over half a year ago, asked for a few months to fix it, researchers checked again recently and flaw was still present, company asked researchers to delay announcing another few months…

  3. There has been too much of this type of thing in the last couple of years. Apple needs to do some major screw tightening. Get things in order, proper order. Lots of distractions lately. They should make software priority number one… everything else depends on it. Apple should not be experiencing this type of snafu. Get it together Cupertino…

  4. It’s highly possible that Apple did investigate and found that the problem isn’t quite as serious as it’s being made out to be. How often do these things get blown out of proportion, only to find out later it really wasn’t that big a deal in the first place.

  5. While everyone demanding fix is correct in that this really needs to be fixed, we need to put it in perspective. We still don’t have an actual exploit in the wild, nobody’s password has yet been stolen as a consequence of this and it seems that the damages are yet to materialise. So, yes, while this really needs to be fixed, it may really look like a window without metal bars in a ladies’ room in a max-security prison; while theoretically a prisoner might be able to escape, nobody has yet, and it is unlikely that anyone will until the window is fixed, since the prisoners can’t really see from the inside that the window has no bars and is a potential escape route.

    1. Waiting until there’s an exploit in-the-wild is worthy of stupid Adobe and Oracle. UNacceptable.

      And as I’ve been pointing out repeatedly: Apple’s pile of UNaddressed security holes is PILING UP! My current count is SIX. WTF is their problem?

    2. Have you considered that it may already be in the wild but that the perpetrators will collect information for a LONG time before making full use of the collected data? By then it will really be too late for any fix.

    3. Reading more about XARA, I think a more fitting prison analogy for this exploit is XARA as the system of guards and lockdown security that allows prisoners (apps and data) to move around the facility. The exploit in this analogy takes the form of a bribed guard (exploit/trojan) that can get clearance (App store review) to enter/be assigned to the facility (device) and intercept/pass messages between prisoners and the outside. Nothing as simple as a bad window in a ladies room.

  6. Just so we don’t have to feel all that bad today:

    New exploit turns Samsung Galaxy phones into remote bugging devices

    As many as 600 million phones vulnerable to remote code execution attack.

    As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said.

    The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don’t encrypt the executable file, making it possible for attackers in a position to modify upstream traffic—such as those on the same Wi-Fi network—to replace the legitimate file with a malicious payload….

    1. Actually, not using Keychain will not prevent the exploit from affecting you. As long as you have ANY apps on your iOS or OS X device that use the cross-application resource access mechanism core to both OSes you are not safe from the exploit. That’s how serious this problem is.
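The Samsung SwiftKey story quoted in comment 6 describes an updater that fetches an executable without any protection on the download, so anyone who can rewrite traffic on the path can hand the device a replacement file and have it run. The program below is an added example written for this page; it is not code from Samsung, SwiftKey, Ars Technica or any commenter above. It puts that trusting installer beside one that refuses any payload whose detached Ed25519 signature does not verify against a vendor key pinned in the client, then plays the on-path attacker against both. The key pair, the `UpdatePackage` shape, the payload bytes and the function names are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is what the updater receives over the network: the bytes it
// is asked to install and, in the hardened design, a detached signature.
// (Constructed for this example; not any real updater's wire format.)
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// installUnverified is the weak pattern: whatever arrives is the update.
// An attacker who can rewrite traffic on the path (shared Wi-Fi, rogue
// hotspot) swaps the payload and the device runs it.
func installUnverified(pkg UpdatePackage) []byte {
	return pkg.Payload
}

// installVerified accepts a payload only if its detached Ed25519 signature
// verifies against a vendor public key pinned in the client at build time.
// TLS on the download alone would not cover a payload served from a
// compromised or misconfigured update host; the device needs to be able to
// reject bytes it cannot attribute to the vendor.
func installVerified(pinned ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: missing or malformed signature")
	}
	if !ed25519.Verify(pinned, pkg.Payload, pkg.Signature) {
		return nil, errors.New("update rejected: signature does not verify against pinned key")
	}
	return pkg.Payload, nil
}

// tamper plays the on-path attacker: the payload is replaced, the signature
// is left as-is because the attacker holds no vendor signing key.
func tamper(pkg UpdatePackage, malicious []byte) UpdatePackage {
	return UpdatePackage{Payload: malicious, Signature: pkg.Signature}
}

// Outcome records what each installer did with each package.
type Outcome struct {
	GenuineAcceptedByVerified    bool
	UnsignedAcceptedByVerified   bool
	TamperedAcceptedByUnverified bool
	TamperedAcceptedByVerified   bool
}

// Scenario runs the whole exchange: the vendor signs a genuine update, the
// attacker rewrites it in transit, and both installer designs are tried.
func Scenario() (Outcome, error) {
	var out Outcome

	// Vendor side. The key pair is generated here only for the demo; in a
	// real client only the public half is embedded and the private half
	// never leaves the vendor's signing infrastructure.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	genuine := []byte("langpack-v1.2: constructed sample update bytes")
	signed := UpdatePackage{Payload: genuine, Signature: ed25519.Sign(priv, genuine)}

	// Honest delivery: the signed package installs.
	got, err := installVerified(pub, signed)
	out.GenuineAcceptedByVerified = err == nil && bytes.Equal(got, genuine)

	// A package with no signature at all (the weak design's wire format) is
	// refused by the hardened installer rather than installed on trust.
	_, err = installVerified(pub, UpdatePackage{Payload: genuine})
	out.UnsignedAcceptedByVerified = err == nil

	// On-path attacker rewrites the download.
	malicious := []byte("constructed attacker payload: would run with the updater's privileges")
	hostile := tamper(signed, malicious)

	out.TamperedAcceptedByUnverified = bytes.Equal(installUnverified(hostile), malicious)

	_, err = installVerified(pub, hostile)
	out.TamperedAcceptedByVerified = err == nil

	return out, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine update accepted by verifying installer:  %v\n", o.GenuineAcceptedByVerified)
	fmt.Printf("unsigned update accepted by verifying installer: %v\n", o.UnsignedAcceptedByVerified)
	fmt.Printf("tampered update accepted by trusting installer:  %v\n", o.TamperedAcceptedByUnverified)
	fmt.Printf("tampered update accepted by verifying installer: %v\n", o.TamperedAcceptedByVerified)
}
```

The design point is that the check sits in the client and is keyed to something the attacker cannot obtain by sitting on the network: a pinned public key. Encrypting the transport helps against passive observers but does nothing if the endpoint will execute whatever it is handed, which is why the unsigned and tampered cases are both refused above.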
