Posted on 06/17/2015 10:06:37 AM PDT by Swordmaker
It's become almost axiomatic that Apple devices and the apps on them are more secure than the competition. But researchers continue to blow up that notion and today a group of academics have ripped apart the security protections in Mac OS X and iOS to show it's not only possible to create malware and get it onto the App Store, but it's also feasible to launch devastating attacks using rogue software to steal the most sensitive personal data around, from iCloud passwords and Evernote notes to dodgy selfies and more.
The attacks, known as unauthorized cross-app resource access or XARA, expose design flaws that allow a bad app to access critical pieces of data in other apps. As a result, Apple has struggled to fix the issues, according to a paper released today from Indiana University Bloomington, Peking University and the Georgia Institute of Technology.
Analysis of 1,612 of the most popular Mac apps and 200 iOS apps found more than 88.6 per cent of the kit using the flawed pieces of the operating systems were exposed to the XARA attacks, leaving all kinds of data out in the open for willing hackers.
(Excerpt) Read more at forbes.com ...
DEVASTATING!
I’m guessing the FR AAPL-can-do-no-wrong crowd will be laying low on this one.
If you want on or off the Mac Ping List, Freepmail me.
Tsk Tsk it’s all a plot by the Evil Bill Gates.
Good thing you are here then else Swordmaker would surely cover this one up.
I do what I can, in my quiet, modest way.
In the last six months I am starting to see some inventive screen lock up pop ups that the only way out of is to kill the whole Safari browser with a force quit. My wife got one searching doll clothes sites.
Do you think we are going to see a Safari patch that will lock such pop ups out of opening or do you think it is still something that is going to have to get a lot more perverse before it reaches a remedy?
Screen lock-up pop ups? Not sure I’ve ever seen one - except many years ago on a work Windows machine using Internet Explorer... was a malware attack from a web site.
I’ve seen some pervasive pop-ups, but rarely see any these days. I use Safari’s built-in pop-up controller.
Those really are not lock ups. . . they are just scores of duplicate windows opened on the same tab using JavaScript and will not let go until you agree to their ransomware demands. They will work on Windows machines using a different approach as well. Attempting to close one opens more. But you are right, the way to get out of it is to force quit Safari and then not re-open that page which has a malicious ad on it. The problem is in JavaScript. An update to JavaScript will eventually fix the problem. It is not the website that has any control of it. Google Ads puts the malicious ad on the website. In the meantime, go into Safari preferences and disallow running JavaScript.
Use AdBlocker and that also is effective in preventing this from occurring on all browsers in OS X.
Sorry I took so long getting back to comment on these claims. While there are some vulnerabilities here, the biggie is the claim that they were able to get iCloud tokens. . . implying that gets them into a user account on iCloud. That is not true.
An iCloud "token" is the handshake ID that is used when Apple's App Store connects to the computer to download software from the App Store to assure that the user and the iCloud connection are both legitimate.
The iCloud token DOES NOT allow a hacker access to a user's iCloud account data, which the article implies. To access the data in an iCloud account requires the user's iCloud user name and iCloud password which are NOT stored in the Keychain as the iCloud Token is stored. The user's password, which is entangled with the UUID of the device is used to encrypt the data on iCloud and cannot be decrypted by any external computer and must be decrypted on the user's computer.
All these researchers demonstrated was the ability to steal the handshake token that would allow them to download software from Apple or create a Man-in-the-middle server to allow downloading of malicious software onto this single Mac.
However, to accomplish that the Mac had to have malicious software ALREADY downloaded on it to steal the token in the first place.
They were able to poison THEIR Mac's keychain because they already had access to that Mac. However, getting access to poison someone else's Mac's keychain is problematic.
There is the failure point of these vulnerabilities. How do they initiate the exploits? They need to get their poison program onto the Mac to poison the keychain.
The researchers postulate that it would be easy to get malicious software onto Apple's App Store. They give no examples of such software ever being posted by Apple. . . and blithely claim that they were able to "post" such malicious apps on Apple's Mac App Store. That WILL get each and every one of them blacklisted for life by Apple now that they have publicly admitted hiding deliberately malicious code in an App. They have actually admitted to a criminal felony by doing such a thing. Frankly, I find that hard to believe because of the difficulty in getting certification for posting Apps on the Mac store. Perhaps it is true, but it would NOT remain there long, once even a few instances of exploits in the wild were reported.
Again, this gets back to letting a TROJAN onto your system to start the daisy chain of exploits. Apple does have to do more in checking the Apps' sub-programs allowed on the App Stores, but I think they are doing a pretty good job now. Finally, don't download Apps from untrusted sources and you will probably be OK.
+1
Good sane advice.
This article is too over the top and breathless for me to take at face value. I expect that in time it will either get debunked as at least partially fraudulent, or as you pointed out the researchers will be outed as having done something illegal or at least worthy of lifetime banning.
I dunno... the article just strikes me overall as being quite over-hyped and low on actual import. But your good advice stands.
"There is some good news: the Keychain items you already have stored don't appear to be susceptible to the exploit, only new ones that are created after a malicious app is installed." The Next Web.Com