Apple addresses XARA vulnerabilities, says fixes on the way
Apple on Friday commented on the discovery of so-called cross-app resource access (XARA) exploits, saying it rolled out a server-side security update earlier this week and is currently working with researchers on additional fixes.

In a statement provided to iMore, Apple confirmed it is aware of the XARA vulnerabilities and of the attacks they enable through malicious software on OS X and iOS. A malicious app the user has installed, or a rogue handler for a URL scheme, can intercept data passed between sandboxed apps, including sensitive information such as passwords and authentication keys.
"Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store. We have additional fixes in progress and are working with the researchers to investigate the claims in their paper," an Apple spokesman said.
The vulnerabilities were discovered last year by a team of researchers working out of Indiana University, Georgia Tech and China's Peking University, who subsequently informed Apple of their findings last October. Apple requested details of the exploits be withheld from publication for six months.
As explained in the group's research paper, published this week, malicious apps exploit weaknesses in the way OS X and iOS pass and store data on behalf of apps. On OS X, a malicious app that passed review and was downloaded from the Mac App Store can read and tamper with Keychain items belonging to other apps, and can abuse Bundle IDs, which the sandbox uses as a form of access control. Other attacks involve WebSockets and URL schemes.
While the threat is real, iMore argues that some news outlets have overhyped XARA's danger. Fixing it, however, requires both Apple and developers to rework how inter-app data is handled, with stricter checks on which app may access it.
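The URL-scheme attack mentioned above works because the OS routes a custom scheme (acme-login://...) to whichever installed app claims it in its Info.plist, so a second app that registers the same scheme can receive callbacks meant for the legitimate one. The script below is an added example of the kind of check an administrator or developer can run; it is not code from the article, from Apple or from the researchers' paper. It parses CFBundleURLTypes from Info.plist files and reports any scheme claimed by more than one bundle. The three Info.plist fixtures, the bundle names and the scheme names are constructed for the demonstration; scan_applications_dir is a hypothetical helper that applies the same check to a real /Applications folder.

```python
"""Flag URL schemes claimed by more than one app bundle (added example)."""
from __future__ import annotations

import os
import plistlib
from collections import defaultdict


def url_schemes(info_plist: bytes) -> set[str]:
    """Return the set of URL schemes an Info.plist registers, lower-cased.

    Launch Services matches scheme names case-insensitively, so comparisons
    are done on a normalised form or a conflict like ACME-Login/acme-login
    would be missed.
    """
    plist = plistlib.loads(info_plist)
    schemes: set[str] = set()
    for url_type in plist.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.add(scheme.lower())
    return schemes


def find_scheme_conflicts(apps: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each URL scheme claimed by two or more apps to its claimants.

    `apps` maps a bundle name to the raw bytes of that bundle's Info.plist.
    """
    claimants: dict[str, list[str]] = defaultdict(list)
    for name, plist_bytes in apps.items():
        for scheme in url_schemes(plist_bytes):
            claimants[scheme].append(name)
    return {s: sorted(names) for s, names in claimants.items() if len(names) > 1}


def scan_applications_dir(root: str = "/Applications") -> dict[str, list[str]]:
    """Hypothetical helper: walk a folder of .app bundles and report conflicts.

    Returns an empty result if the folder does not exist, so the module can be
    imported on non-macOS hosts.
    """
    apps: dict[str, bytes] = {}
    if not os.path.isdir(root):
        return {}
    for entry in os.listdir(root):
        info = os.path.join(root, entry, "Contents", "Info.plist")
        if entry.endswith(".app") and os.path.isfile(info):
            with open(info, "rb") as fh:
                apps[entry] = fh.read()
    return find_scheme_conflicts(apps)


def _plist(bundle_id: str, schemes: list[str]) -> bytes:
    """Build a minimal Info.plist; used only for the constructed fixtures."""
    return plistlib.dumps({
        "CFBundleIdentifier": bundle_id,
        "CFBundleURLTypes": [{"CFBundleURLName": bundle_id,
                              "CFBundleURLSchemes": schemes}],
    })


# Constructed fixtures (not real apps): a legitimate app, an impostor that
# re-registers the same scheme under a different letter case to receive the
# legitimate app's callbacks, and an unrelated app with a unique scheme.
SAMPLE_APPS = {
    "Acme.app": _plist("com.example.acme", ["acme-login"]),
    "Impostor.app": _plist("com.example.impostor", ["ACME-Login", "impostor"]),
    "Notes.app": _plist("com.example.notes", ["example-notes"]),
}

if __name__ == "__main__":
    for scheme, names in find_scheme_conflicts(SAMPLE_APPS).items():
        print(f"scheme '{scheme}' is claimed by: {', '.join(names)}")
```

A conflict only tells you that two bundles compete for a scheme, not which one the OS will actually pick; treat any duplicate claim on a scheme that carries tokens or credentials as something to investigate, and note that the same Info.plist keys apply to iOS apps.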
Comments
They need something to jerk off about.
Every year I fall for ONE Apple Security Apocalypse story, and think "this is it--the big one."
It never is. But they up their game every year, hyping harder and obscuring the details just to fool me one more time...
But even so, if this is just "another little one" (possibly affecting zero users), it's still important to catch and fix the issues.
Apple's well ahead of them. Rootless is going to be huge as it continues to go into effect in OS X, and iOS 9 will be a rock.
Every year I fall for ONE Apple Security Apocalypse story, and think "this is it--the big one."
Apple won't have a large-scale attack because their desktop market share is simply too small. That's all.
Now with targeted attacks (APTs), that's already happened.
Remember, every jailbreak is a complete exploitation of the system. How many of those have we had?
But is that only doable with the knowledge of your username and password?
And yes, Android has its own issues, some even related to this.
Sometimes things are really "only about Apple". If it makes you feel better to drag Android in over other issues, that's OK too. All OSes have issues, including security-related ones. There are no perfect ones. If there were, you wouldn't need updates.
Whether you love or loathe Apple, it has always been a lightning rod for oversaturated opinions one way or the other. It's simply impossible to find middle-of-the-road responses to anything published about Apple, good or bad. The same article published on a web site will see both claims that the site is always shilling for Apple and that the site is a constant attacker of Apple, because, you know, haters gotta hate.
And baiters gotta bait.
So who's right and who's wrong? Neither and both. Data is data, but how it's interpreted is highly subjective to the many biases that are held by the human interpreter. People who have a dislike for Apple will see articles like the XARA vulnerability as irrefutable confirmation of everything they've held to be true about Apple. People who defend Apple will see it as just another of the continuing attacks on Apple for sins that apply to all purveyors of software and systems and wonder why Apple is being ruthlessly singled out.
This endless war of conflicting biases that has swirled around Apple since its inception has not gone unnoticed by the media. Apple is a mother lode of opportunity and a constant source of self-enrichment for the media. The constant combat and one-upmanship between warring factions on either side of the Apple debate is like a gift that keeps on giving for media outlets. It's a story of David vs. Goliath with a mad role reversal right in the middle! What could possibly be more compelling for storytellers? Pure gold, or at least 18 kt.
We only help this constant swirl of conflict by keeping it alive and highly energized by feeding it with opinions on sites like AI. Opportunists who seek attention, a few moments of fame, and (cough cough) continued funding for their ability to find chinks in the armor are drawn to Apple like flies to honey. Once the flies are on the honey the media is right there with them to make sure they capture their little piece of the spoils.
Hey, it could be worse. If nobody cared.
Oh my god, what nonsense. Now I know you truly are a troll. Security by obscurity? That's what you're claiming: that Apple has somehow flown under the radar because malicious hackers had never considered OS X as a target before... besides being produced by the biggest, most successful, most popular, most admired tech firm in the history of the human race, and being home to the best collection of credit card numbers. No sir, no target on their back there... oh, and never mind that previous to OS X there were attacks and viruses created for a much lesser-selling platform.
Get real. Seriously. Go home.
Not this old saw again. The marketshare excuse for security exploits was pulled out of Bill Gates's butt back in the early days of Windows XP. The excuse is ahistorical. At the time, exploits of Windows XP nearly brought Microsoft to its knees. Despite the number and seriousness of extant XP exploits, Windows 98 was actually still much more popular. Security vulnerabilities and exploits are driven by design and design flaws, not marketshare.
Exploitability and marketshare are both factors. Design determines how hard it is to write an exploit. Marketshare gives attackers motivation. Given that the vast majority of businesses run Windows, hackers would have more of an incentive to find exploits for Windows even if it were harder to exploit than OS X.
Apple won't have a large-scale attack because their desktop market share is simply too small. That's all.
Now with targeted attacks (APTs), that's already happened.
Remember, every jailbreak is a complete exploitation of the system. How many of those have we had?
A little small on the PC side of things, but with iOS Apple has a pretty big chunk of the pie and the media would love to report on that news story as well!
AI, please let us know when this exploit goes live in the wild and is affecting real users. So far none of the other Apocalyptic/Armageddon flaws have resulted in anything. And a lot of those flaws require physical access or cooperation from the user. As we all know, once the bad guy has physical possession of your machine you’re screwed no matter what. Haters gonna hate and security researchers gonna toot their horns and thump their chests.
Beyond this there's the cultural fatalism about security and privacy that people have resigned themselves to. Forget about these operating system flaws. They require some effort. The bad guys can get all the information they want about you by hacking the IRS, SSA, Anthem Blue Cross, Home Depot, and just about any other company with leaky servers and misconfigured security protections. Corporate IT types are massively incompetent even as they comment on forums like this about how many years they've been in the business and how smart they are and how they know everything. And then some Russian teenager pwns their server.
The timing of Apple's server fix almost proves that media exposure works... a fix just this week, right after XARA was exposed in the media? It's been more than 6 months, so why the sudden magical fix to the server?