Researchers Expose Critical Zero-Day Flaw In Apple’s OSX And iOS

The researchers say the flaws were reported to Apple back in October.


After Samsung, it now seems to be Apple’s turn to speak up about what happens to be a massive zero-day flaw (a flaw that can be exploited by attackers before the vendor becomes aware of it), one that exposes personal data not only from native apps but also from sandboxed third-party apps.

Indeed, Apple customers are going to be asking a ton of questions about this latest security flaw that was discovered by a group of researchers back in October 2014.

The vulnerability revolves around the research team’s ability to build malware that easily got through Apple’s App Store security checks and then allowed an attacker to break into the company’s keychain (its password storage), steal data from native apps and even break into third-party apps that are sandboxed (meaning that apps are isolated from one another for better security).

To begin with, the XARA (unauthorized cross-app resource access) flaws were discovered and reported to Apple back in October. To make things worse, Apple, with all its billions, did not get back to the team until it finally asked them to withhold their research.

Apple did this saying that the company needed about six months to fix the flaws. The problem is massive in scale, so massive that even third-party developers who thought their sandboxed applications were safe now have no idea how their exposed apps can be protected from the vulnerability. In February, the Cupertino staffers requested an advance copy of the research paper, but the hole has not been plugged just yet.

More importantly, the attack works on both iOS and Mac OS X. Lead researcher Xing told The Register:

"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."


Indeed, this is something Apple has to fix, even though the company’s current focus is on iOS 9, as revealed at the recent WWDC. More importantly, with the research paper published, people with the wrong intentions could easily cook up something that puts (or already has put) millions of Apple desktops, tablets and smartphones at risk.
