Would any one of the critics dumping on Apple here please let us know when this exploit goes live in the wild? And while you’re at it please provide links showing when any of the recently announced security flaws were found in the wild attacking OS X users. The problem with all these announcements is that they turn out to be overblown hand-wringing that never materializes. Take a gander at the Apple discussion forums. Close to 100% of the complaints are about MacKeeper and adware. Think about it. If these exploits were attacking Mac users in significant numbers wouldn’t the tech universe be lit up like a Christmas tree? The iHater crowd lives for this stuff and they would be trumpeting it at the top of their lungs.
Never mind this; when is Apple going to do something about the obvious flaws in their systems that allow people to actually WRITE DOWN their passwords on a piece of paper? Those pieces of paper can easily be exploited by anyone that gets access to them! C'mon Apple!
No comments on the Samsung keyboard flaw that leaves 600 million phones vulnerable?
Yup. Posted yesterday and yet many tech sites aren't reporting it, but have already reported this Apple story.
Samsung has known since Dec 2014 and only released a patch in early 2015. Which STILL hasn't hit most devices because the carriers are so damned slow. They tried it on brand-new Galaxy S6 devices and the flaw was still present.
Would any one of the critics dumping on Apple here please let us know when this exploit goes live in the wild? And while you’re at it please provide links showing when any of the recently announced security flaws were found in the wild attacking OS X users. The problem with all these announcements is that they turn out to be overblown hand-wringing that never materializes. Take a gander at the Apple discussion forums. Close to 100% of the complaints are about MacKeeper and adware. Think about it. If these exploits were attacking Mac users in significant numbers wouldn’t the tech universe be lit up like a Christmas tree? The iHater crowd lives for this stuff and they would be trumpeting it at the top of their lungs.
I'm already seeing calls on Twitter for Tim Cook to fire people. And yet no evidence of one person being exploited due to this flaw.
Every time one of these things comes out we only get one side of the story and everyone automatically piles on Apple only knowing one side of the story.
Here is the other side of the story, Apple has known about a serious security problem for six months and not only has it not been fixed, they haven't even bothered to put a press release together saying what the plan is to resolve this issue in Yosemite or El Capitan.
At the same time, exploits like these really should get top priority. Asking for an extension to public release of the info is great, but then you really should get the damn things patched in that time. Hackers have had that much more time to potentially exploit them.
They do. It takes months to modify security architectures to incorporate these end cases. These end cases take years to exploit and people crap the bed when they are discovered.
because that has nothing to do with a possible exploit on Apple devices.
Not here, no. But on tech "neutral" sites it's interesting how this story was reported almost immediately after it was known, while a large number of sites still haven't reported on the Samsung flaw, which was originally posted yesterday.
Just more evidence that proves bad news about Apple gets hits.
So Apple has known about this since last Oct. but has not addressed it in any updates? Cook is going around making grandious speeches about security, but not staying on top of things in his own backyard. Sounds just like a politician.
What makes you think Apple is doing nothing? As the article said, the fixes for these are probably really complex and complicated and may fundamentally change the way the OS works with regards to app bundles, inter-app communications, etc. Such changes are not necessarily easy to implement and get tested correctly. I suspect they have been feverishly working on it since October.
Of course they have not said anything -- no need to clue bad guys into the problem. Now that the researchers have released the info, I suspect Apple may say something.
Here is the other side of the story, Apple has known about a serious security problem for six months and not only has it not been fixed, they haven't even bothered to put a press release together saying what the plan is to resolve this issue in Yosemite or El Capitan.
-kpluck
Yes, I am sure the researchers explicitly coordinated their press release with Apple and Apple just decided to do nothing. And I am sure Apple has just been ignoring the problem, instead of trying to figure out fixes for fundamental architectural issues, which as we all know, are easy to fix. /s
It's been 8 months since Apple was notified of the flaw, with the researchers giving Apple another two months on top of the original six agreed on before the flaw was published. In February, Apple requested an advance copy of the research paper, which presumably would indicate they were working on a fix. For whatever reason it's taking a bit longer than Apple typically takes to fix these things, isn't it?
EDIT: If you read the research paper you'll find that Apple did make at least one change to address the iCloud vulnerability with 10.10.3 and 10.10.4, moving to a "9-digit random number as account:name". Unfortunately that didn't work to fix it according to the study.
So Apple has known about this since last Oct. but has not addressed it in any updates? Cook is going around making grandious speeches about security, but not staying on top of things in his own backyard. Sounds just like a politician.
hmm can you please quote one of these gardenias security speeches? that'd be great. thanks.
Thanks for the report on this, AI. Someone has been changing, then re-changing, a lot of my passwords, sometimes minutes after I have changed them myself. This has caused me so much anguish. I've given up with iCloud, it causes so much stress.
Every time one of these things comes out we only get one side of the story and everyone automatically piles on Apple only knowing one side of the story.
It's only one side of this story that interests us, surely? All we need to hear from Apple is that it's fixed. They can keep their platitudes to themselves.
This could have read, "If you see a prompt for a password and are not installing something, then don't.."
Which, umm.. is basically how it has always been. You literally have to give this exploit permission first before it can do anything.
Way overblown as it's not able to 'usurp' EXISTING keychain passwords. AS THE TITLE IMPLIED! Only if it's creating a NEW keychain, and only by installing something with bad / malice code, would this work.
Another sensationalist click'n bait article.. bah..
Actually, that is not how it works. True, it cannot steal existing passwords, but it can erase the existing password for another application, re-create the entry with an empty password, an entry that it now has permission to read. Now when you start that other application that had previously saved the password, it will prompt you for the password since the value is now empty. If you re-type the password, both the application you are running and the malicious application have access to it.
For example, let's say you use Safari to access your bank site. You save the password for the bank in your keychain. You now install a malicious application that, when run, deletes Safari's keychain and creates a new Safari keychain entry that both it and Safari can read.
You now start Safari and go to your bank site. Normally the password would be read from the keychain and filled in the form, but since the rogue app deleted the entry there is no password, so you must re-enter it on the form. Safari now saves the password in the keychain, but the rogue application now has access to it as well.
This is much more subtle and harder to detect. You need to remember that you had already entered the password for your bank before and that Safari not filling bank website password is strange!! With how many users will that trigger suspicion?
It's been 8 months since Apple was notified of the flaw, with the researchers giving Apple another two months on top of the original six agreed on before the flaw was published. In February, Apple requested an advance copy of the research paper, which presumably would indicate they were working on a fix. For whatever reason it's taking a bit longer than Apple typically takes to fix these things, isn't it?
EDIT: If you read the research paper you'll find that Apple did make at least one change to address the iCloud vulnerability with 10.10.3 and 10.10.4, moving to a "9-digit random number as account:name". Unfortunately that didn't work to fix it according to the study.
And so the problem is a lot trickier to fix.
There is no exploit in the wild, and going by other similar storms in a teacup, there probably won't be.
So I'm happy for them to take their time and not introduce a host of other problems while fixing this one.
I also question the ethical logic used by researchers in giving companies like Apple six months to fix something before releasing it to the bad guys. This obviously endangers users. Maybe it’s hard to fix and will take more than six months. Why couldn’t the researchers keep in touch with the companies they examine to see if progress is being made? Why not allow additional time if progress is happening?
Apple was advised about it in October. Apple asked that the team wait six months before publicising it. Then they talked again in November to share more information with Apple. Then again in February where they gave Apple an advance copy of the finished report. The six months was up in April.
That the researchers seem to have waited yet another 2 months before publishing is commendable really, at least IMO
Comments
Would any one of the critics dumping on Apple here please let us know when this exploit goes live in the wild? And while you’re at it please provide links showing when any of the recently announced security flaws were found in the wild attacking OS X users. The problem with all these announcements is that they turn out to be overblown hand-wringing that never materializes. Take a gander at the Apple discussion forums. Close to 100% of the complaints are about MacKeeper and adware. Think about it. If these exploits were attacking Mac users in significant numbers wouldn’t the tech universe be lit up like a Christmas tree? The iHater crowd lives for this stuff and they would be trumpeting it at the top of their lungs.
Never mind this; when is Apple going to do something about the obvious flaws in their systems that allow people to actually WRITE DOWN their passwords on a piece of paper? Those pieces of paper can easily be exploited by anyone that gets access to them! C'mon Apple!
No comments on the Samsung keyboard flaw that leaves 600 million phones vulnerable?
Yup. Posted yesterday and yet many tech sites aren't reporting it, but have already reported this Apple story.
Samsung has known since Dec 2014 and only released a patch in early 2015. Which STILL hasn't hit most devices because the carriers are so damned slow. They tried it on brand-new Galaxy S6 devices and the flaw was still present.
I'm already seeing calls on Twitter for Tim Cook to fire people. And yet no evidence of one person being exploited due to this flaw.
The easiest solution is simply never download any sketchy apps from unknown sources.
Every time one of these things comes out we only get one side of the story and everyone automatically piles on Apple only knowing one side of the story.
Here is the other side of the story, Apple has known about a serious security problem for six months and not only has it not been fixed, they haven't even bothered to put a press release together saying what the plan is to resolve this issue in Yosemite or El Capitan.
-kpluck
This exploit has to be installed first and it only discovers NEW passwords used during the new malicious keychain. Old passwords are not taken.
They do. It takes months to modify security architectures to incorporate these end cases. These end cases take years to exploit and people crap the bed when they are discovered.
because that has nothing to do with a possible exploit on Apple devices.
Not here, no. But on tech "neutral" sites it's interesting how this story was reported almost immediately after it was known, while a large number of sites still haven't reported on the Samsung flaw, which was originally posted yesterday.
Just more evidence that proves bad news about Apple gets hits.
So Apple has known about this since last Oct. but has not addressed it in any updates? Cook is going around making grandious speeches about security, but not staying on top of things in his own backyard. Sounds just like a politician.
What makes you think Apple is doing nothing? As the article said, the fixes for these are probably really complex and complicated and may fundamentally change the way the OS works with regards to app bundles, inter-app communications, etc. Such changes are not necessarily easy to implement and get tested correctly. I suspect they have been feverishly working on it since October.
Of course they have not said anything -- no need to clue bad guys into the problem. Now that the researchers have released the info, I suspect Apple may say something.
Here is the other side of the story, Apple has known about a serious security problem for six months and not only has it not been fixed, they haven't even bothered to put a press release together saying what the plan is to resolve this issue in Yosemite or El Capitan.
-kpluck
Yes, I am sure the researchers explicitly coordinated their press release with Apple and Apple just decided to do nothing. And I am sure Apple has just been ignoring the problem, instead of trying to figure out fixes for fundamental architectural issues, which as we all know, are easy to fix. /s
By the way, for those that missed the link to the research:
https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view
EDIT: If you read the research paper you'll find that Apple did make at least one change to address the iCloud vulnerability with 10.10.3 and 10.10.4, moving to a "9-digit random number as account:name". Unfortunately that didn't work to fix it according to the study.
hmm can you please quote one of these gardenias security speeches? that'd be great. thanks.
most unlikely.
Every time one of these things comes out we only get one side of the story and everyone automatically piles on Apple only knowing one side of the story.
It's only one side of this story that interests us, surely? All we need to hear from Apple is that it's fixed. They can keep their platitudes to themselves.
So
This could have read, "If you see a prompt for a password and are not installing something, then don't.."
Which, umm.. is basically how it has always been. You literally have to give this exploit permission first before it can do anything.
Way overblown as it's not able to 'usurp' EXISTING keychain passwords. AS THE TITLE IMPLIED! Only if it's creating a NEW keychain, and only by installing something with bad / malice code, would this work.
Another sensationalist click'n bait article.. bah..
Actually, that is not how it works. True, it cannot steal existing passwords, but it can erase the existing password for another application, re-create the entry with an empty password, an entry that it now has permission to read. Now when you start that other application that had previously saved the password, it will prompt you for the password since the value is now empty. If you re-type the password, both the application you are running and the malicious application have access to it.
For example, let's say you use Safari to access your bank site. You save the password for the bank in your keychain. You now install a malicious application that, when run, deletes Safari's keychain and creates a new Safari keychain entry that both it and Safari can read.
You now start Safari and go to your bank site. Normally the password would be read from the keychain and filled in the form, but since the rogue app deleted the entry there is no password, so you must re-enter it on the form. Safari now saves the password in the keychain, but the rogue application now has access to it as well.
This is much more subtle and harder to detect. You need to remember that you had already entered the password for your bank before and that Safari not filling bank website password is strange!! With how many users will that trigger suspicion?
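An added sketch, not part of the original comments and not Apple's Keychain API: a simplified Python model of the entry re-creation described in the comment above, with a save routine that inspects an entry's access list before reusing it. The class, function and app names and the sample credentials are assumptions constructed for illustration.

```python
"""Toy model (not Apple's Keychain API) of the item-ACL check discussed above."""
from dataclasses import dataclass

@dataclass
class Item:
    secret: str
    acl: frozenset  # apps allowed to read this item

class Keychain:
    def __init__(self):
        self.items = {}  # (service, account) -> Item

    def create(self, creator, key, secret, also_allow=()):
        # As the comment describes, whoever creates an entry decides who may read it.
        self.items[key] = Item(secret, frozenset({creator, *also_allow}))

    def read(self, app, key):
        item = self.items[key]
        if app not in item.acl:
            raise PermissionError(f"{app} may not read {key}")
        return item.secret

def save_naive(kc, app, key, secret):
    """Reuse whatever entry already exists; its ACL is never inspected."""
    if key in kc.items:
        kc.items[key].secret = secret
    else:
        kc.create(app, key, secret)

def save_checked(kc, app, key, secret):
    """Refuse to reuse an entry whose ACL lists anyone but this app."""
    tampered = key in kc.items and kc.items[key].acl != frozenset({app})
    if tampered:
        del kc.items[key]          # drop the entry this app did not create
    save_naive(kc, app, key, secret)
    return tampered                # caller can warn the user or log the event

def scenario(save):
    """Constructed sample: entry pre-created by another app, then the browser saves."""
    kc, key = Keychain(), ("bank.example", "alice")
    kc.create("other.app", key, "", also_allow=("browser",))
    flagged = save(kc, "browser", key, "hunter2")
    try:
        return flagged, kc.read("other.app", key)
    except PermissionError:
        return flagged, None
```

With `save_naive` the other app can read the re-entered password; with `save_checked` the pre-created entry is replaced and the mismatch is reported.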
http://fox6now.com/2015/06/17/major-security-flaw-impacts-600-million-samsung-galaxy-phones/
And so the problem is a lot trickier to fix.
There is no exploit in the wild, and going by other similar storms in a teacup, there probably won't be.
So I'm happy for them to take their time and not introduce a host of other problems while fixing this one.
That the researchers seem to have waited yet another 2 months before publishing is commendable really, at least IMO