Posted on 11/10/2014 2:28:47 PM PST by SeekAndFind
Researchers have warned that a bug in Apple Inc's (AAPL.O) iOS operating system makes most iPhones and iPads vulnerable to cyber attacks by hackers seeking access to sensitive data and control of their devices.
Cybersecurity firm FireEye Inc (FEYE.O) published details about the vulnerability on its blog on Monday, saying the bug enables hackers to access devices by persuading users to install malicious applications with tainted text messages, emails and Web links.
The malicious application can then be used to replace genuine, trusted apps that were installed through Apple's App Store, including email and banking programs, with malicious software through a technique that FireEye has dubbed "Masque Attack."
These attacks can be used to steal banking and email login credentials or other sensitive data, according to FireEye, which is well-regarded in cybersecurity circles for its research.
"It is a very powerful vulnerability and it is easy to exploit," FireEye Senior Staff Research Scientist Tao Wei said in an interview.
Apple's iOS has robust security features that make it extremely difficult for attackers to install malware on devices using traditional techniques for infecting Windows machines and Android mobile devices with malicious emails and Web links. The "Masque Attack" makes that possible by exploiting a system that Apple developed to allow large organizations to deploy custom-built software without going through Apple's App Store, according to David Richardson, iOS product manager at mobile security firm Lookout.
(Excerpt) Read more at reuters.com ...
It doesn’t take a jailbroken phone, just apps installed through the enterprise deployment system. It is a 5% vector, but under certain circumstances it can happen.
Just exactly how prevalent and popular must an OS be to become susceptible to hackers? iOS topped ONE BILLION USERS and this is NOT AN EXPLOIT. . . it is FUD that requires some very unlikely events including jailbreaking your phone to even start the process of compromising your data. . . then you have to download a malicious trojan app from a third party App Store, that is NOT Apple's App Store. So, exactly how many is enough for a SERIOUS hack? This just ain't it. This is laughable.
In other words,
YOU HAVE TO BE LITERALLY STUPID to be compromised.
FireEye forgot an extremely important first step before you ever get to do any of steps 1 to 3!
0) Don't JAILBREAK your iOS device.
You are so right. . . I do have a day job. You are also correct in your evaluation of this article.
This evening another client called and I spent the evening cleaning REAL malware off of a Windows 8.1 computer. LOL! I just got in a short while ago. I would have posted this FUD for the hilarity it would have generated among Apple users.
Thanks for your courtesy.
Even this doesn't work that well. . . the OS will protect the stupid by warning if someone tries to download something onto OS X that could try to get it onto iOS. . . but to get it onto iOS directly requires jailbreaking the device. That really requires some complicated acts on the part of the user. . . not just a mere download and install.
Yes, it does. . . the enterprise installers STILL go through Apple's CURATION. As do vertical solution Apps. They DO NOT ALLOW UN-CURATED APPS ON THE iOS SYSTEM. That is what a "walled-garden" is all about. You are really stretching.
Let's grant that it were true that apps could be deployed through the enterprise deployment system. . . do you SERIOUSLY think an IT department would allow a maliciously crafted app to be downloaded to allow the theft of their data? Really????
If you go outside the Apple Universe you are subject to greater threats.
I therefore only recommend doing so if you are comfortable supporting the iOS and capable of protecting and defending yourself against threats.
Just because the apps are "Self signed and certificated" from a corporation doesn't mean they are just willy-nilly loaded onto iOS devices. They do get some curation. And, as I said, no company IT is going to download malicious apps to their employees' phones.
After their guy's assertion that being a homos is God's greatest gift to him, I would guess we'll hear about a lot of open back doors in the OS....
Apologies...
Agreed, this particular threat is largely FUD. The vast majority of folks won't be affected by it because they don't disable Apple's security, and download apps from China.
These threads can be useful to remind folks of safe practices, but unfortunately are exploited by those who for whatever reason feel threatened by people who don't use Windows. I'm not even a Mac user, but I try to keep up with what's going on with it, because my wife and MIL are. I prefer Linux, but am happy that there are other choices for other folks.
"For WireLurker to deliver its payload, the user must install untrusted applications on a Mac; for Masque, an iOS user must install an enterprise provisioning profile," said Joe Abbey, director of software engineering at Arxan. "In both cases, the user may be incentivized to trust the malware," he told TechNewsWorld. "Either they are offered free pirated software or otherwise misled to accept a certificate." Researchers shine Spotlight on OS X/iOS Masque Attack | Malware TechNewsWorld, 11/12/2014
It is FUD.