Apple addresses XARA vulnerabilities, says fixes on the way

Posted:
in macOS edited June 2015
Apple on Friday commented on the discovery of so-called cross-app resource access (XARA) exploits, saying it rolled out a server-side security update earlier this week and is currently working with researchers on additional fixes.




In a statement provided to iMore, Apple confirmed knowledge of XARA vulnerabilities and the potential exploits they enable through malicious software on OS X and iOS. Downloaded malware, or nefarious URL schemes, intercepts data being transferred between sandboxed apps, including sensitive information like passwords and authentication keys.

"Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store. We have additional fixes in progress and are working with the researchers to investigate the claims in their paper," an Apple spokesman said.

The vulnerabilities were discovered last year by a team of researchers working out of Indiana University, Georgia Tech and China's Peking University, who subsequently informed Apple of their findings last October. Apple requested details of the exploits be withheld from publication for six months.

As explained in the group's research paper, which was published this week, malicious apps take advantage of flaws in the way OS X and iOS move and store inter-app data. In the case of OS X, malware downloaded from the App Store is able to access and modify the Keychain database and Bundle IDs, the latter of which are used as a form of access control. Other attacks involve WebSockets and URL schemes.

While the threat is very real, some news outlets have perhaps overhyped XARA's danger, iMore says. In order to implement a fix, however, both Apple and developers need to rework data handling methods with more stringent protocols.
«1

Comments

  • Reply 1 of 31
    Perhaps overhyped? They've blasted it everywhere. The Flipboard resident trolls have had a field week.
  • Reply 2 of 31
    mdriftmeyermdriftmeyer Posts: 7,503member
    Perhaps overhyped? They've blasted it everywhere. The Flipboard resident trolls have had a field week.

    They need something to jerk off about.
  • Reply 3 of 31
    Apple is so doomed, it's already dead. The media just hasn't picked up the story yet. Apple, Inc 1976-2015. May you rest in eternal doom.
  • Reply 4 of 31
    It affects Android too.... your turn Google.
  • Reply 5 of 31
    nagrommenagromme Posts: 2,834member
    Dag Nabbit! They got me again!

    Every year I fall for ONE Apple Security Apocalypse story, and think "this is it--the big one."

    It never is. But they up their game every year, hyping harder and obscuring the details just to fool me one more time...

    But even so, if this is just "another little one" (possibly affecting zero users), it's still important to catch and fix the issues.
  • Reply 6 of 31
    nagromme wrote: »
    Dag Nabbit! They got me again!

    Every year I fall for ONE Apple Security Apocalypse story, and think "this is it--the big one."

    It never is. But they up their game every year, hyping harder and obscuring the details just to fool me one more time...

    But even so, if this is just "another little one" (possibly affecting zero users), it's still important to catch and fix the issues.

    Apple's well ahead of them. Rootless is going to be huge as it continues to go into effect in OS X, and iOS 9 will be a rock.
  • Reply 7 of 31
    konqerrorkonqerror Posts: 685member
    Quote:
    Originally Posted by nagromme View Post



    Every year I fall for ONE Apple Security Apocalypse story, and think "this is it--the big one."

     

    Apple won't have a large-scale attack because their desktop market share is simply too small. That's all.

     

    Now with targeted attacks (APTs), that's already happened.

     

    Remember, every jailbreak is a complete exploitation of the system. How many of those have we had?

  • Reply 8 of 31
    The user and all related content has been deleted.
  • Reply 9 of 31
    konqerror wrote: »
    Apple won't have a large-scale attack because their desktop market share is simply too small. That's all.

    Now with targeted attacks (APTs), that's already happened.

    Remember, every jailbreak is a complete exploitation of the system. How many of those have we had?

    But is that only doable with the knowledge of your username and password?
  • Reply 10 of 31
    gatorguygatorguy Posts: 24,176member
    bobf4321 wrote: »
    It affects Android too.... your turn Google.
    Android isn't exposed in the same way because of different sandboxing methods than Apple uses. In Android each app has a unique ID helping to keep them isolated from each other. Apple uses a bundled ID derived from your AppleID along with shared credentials. Android doesn't use shared credentials. That sharing is what led to this particular problem. Because it's a basic design feature of Apple's OS I can understand why it may be difficult to fix.

    And yes Android has it's own issues, some even related to this.
  • Reply 11 of 31
    mr. memr. me Posts: 3,221member
    konqerror wrote: »
    Apple won't have a large-scale attack because their desktop market share is simply too small. That's all.

    Now with targeted attacks (APTs), that's already happened.

    Remember, every jailbreak is a complete exploitation of the system. How many of those have we had?
    Not this old saw again. The marketshare excuse for security exploits was pulled out of Bill Gates's butt back in the early days of Windows XP. The excuse is ahistoric. At the time exploits to Windows XP nearly brought Microsoft to its knees. Despite the number and seriousness of extant XP exploits, Windows 98 was actually still much more popular. Security vulnerabilities and exploits are driven by design and design flaws, not marketshare.
  • Reply 12 of 31
    mr. memr. me Posts: 3,221member
    gatorguy wrote: »
    Android isn't exposed in the same way because of different sandboxing methods than Apple uses. In Android each app has a unique ID helping to keep them isolated from each other. Apple uses a bundled ID derived from your AppleID along with shared credentials. Android doesn't use shared credentials. That sharing is what led to this particular problem. Because it's a basic design feature of Apple's OS I can understand why it may be difficult to fix.

    And yes Android has it's own issues, some even related to this.
    Brilliant analysis. Its only flaw is that Android has more exploits and they are more serious.
  • Reply 13 of 31
    gatorguygatorguy Posts: 24,176member
    mr. me wrote: »
    Brilliant analysis. Its only flaw is that Android has more exploits and they are more serious.
    It's only flaw? 8-)

    Sometimes things are really "only about Apple". If it makes you feel better to drag Android in to over other issues that's OK too. All OS'es have issues including security related ones. There's no perfect ones If there were you wouldn't need updates.
  • Reply 14 of 31
    dewmedewme Posts: 5,335member

    Whether you love or loath Apple it has always been a lightning rod for oversaturated opinions one way or the other. It's simply impossible to find middle-of-the-road responses to anything published about Apple, good or bad. The same article published on a web site will see both claims that the site is always shilling for Apple and the site is a constant attacker of Apple, because, you know, haters gotta hate.

     

    And baiters gotta bait. 

     

    So who's right and who's wrong? Neither and both. Data is data, but how it's interpreted is highly subjective to the many biases that are held by the human interpreter. People who have a dislike for Apple will see articles like the XARA vulnerability as irrefutable confirmation of everything they've held to be true about Apple. People who defend Apple will see it as just another of the continuing attacks on Apple for sins that apply to all purveyors of software and systems and wonder why Apple is being ruthlessly singled out.

     

    This endless war of conflicting biases that has swirled around Apple since its inception has not gone unnoticed by the media. Apple is a mother lode of opportunity and a constant source of self enrichment for the media. The constant combat and oneupmanship between warring factions on either side of the Apple debate is like a gift that keeps on giving for media outlets. It's a story of David vs Goliath with a mad role reversal right in the middle! What could possibly be more compelling for story tellers? Pure gold, or at least 18 kt.

     

    We only help this constant swirl of conflict by keeping it alive and highly energized by feeding it with opinions on sites like AI. Opportunists who seek attention, a few moments of fame, and (cough cough) continued funding for their ability to find chinks in the armor are drawn to Apple like flies to honey. Once the flies are on the honey the media is right there with them to make sure they capture their little piece of the spoils.

     

    Hey, it could be worse. If nobody cared. 

  • Reply 15 of 31
    nolamacguynolamacguy Posts: 4,758member
    konqerror wrote: »
    Apple won't have a large-scale attack because their desktop market share is simply too small. That's all.

    oh my god what nonsense. now I know you truly are a troll. security by obscurity? that's what you're claiming -- that Apple has somehow flown under the radar because malicious hackers had never considered OS X as a target before....besides being produced by the biggest, most successful, most popular, most admired tech firm in the history of the human race, and being home to the best collection of credit card numbers. no sir, no target on their back there... oh, and never mind that previous to OS X there were attacks and viruses created for a much lesser selling platform.

    get real. seriously. go home.
  • Reply 16 of 31
    d4njvrzfd4njvrzf Posts: 797member
    Quote:
    Originally Posted by Mr. Me View Post





    Not this old saw again. The marketshare excuse for security exploits was pulled out of Bill Gates's butt back in the early days of Windows XP. The excuse is ahistoric. At the time exploits to Windows XP nearly brought Microsoft to its knees. Despite the number and seriousness of extant XP exploits, Windows 98 was actually still much more popular. Security vulnerabilities and exploits are driven by design and design flaws, not marketshare.

    Exploitability and marketshare are both factors. Design determines how hard it is to write an exploit. Marketshare gives attackers motivation. Given that the vast majority of businesses run Windows, hackers would have more of an incentive to find exploits for Windows even if it were harder to exploit than OS X.

  • Reply 17 of 31
    cashxxcashxx Posts: 114member
    Quote:

    Originally Posted by konqerror View Post

     

     

    Apple won't have a large-scale attack because their desktop market share is simply too small. That's all.

     

    Now with targeted attacks (APTs), that's already happened.

     

    Remember, every jailbreak is a complete exploitation of the system. How many of those have we had?




    A little small on the PC side of things, but with iOS Apple has a pretty big chunk of the pie and the media would love to report on that news story as well!

  • Reply 18 of 31
    lkrupplkrupp Posts: 10,557member

    AI, please let us know when this exploit goes live in the wild and is affecting real users. So far none of the other Apocalyptic/Armageddon flaws have resulted in anything. And a lot of those flaws require physical access or cooperation from the user. As we all know, once the bad guy has physical possession of your machine you’re screwed no matter what. Haters gonna hate and security researchers gonna toot their horns and thump their chests.

     

    Beyond this there’s the cultural fatalism about security and privacy that people have resigned themselves too. Forget about these operating system flaws. They require some effort. The bad guys can get all the information they want about you by hacking the IRS, SSA, Anthem Blue Cross, Home Depot, and just about any other company with leaky servers and misconfigured security protections. Corporate IT types are massively incompetent even as they comment on forums like this about how many years they’ve been in the business and how smart they are and how they know everything. And then some Russian teenager pwns their server.

  • Reply 19 of 31
    coolfactorcoolfactor Posts: 2,239member

    The timing of Apple's server fix almost proves that media exposure works... a fix just this week, right after XARA was exposed in the media? It's been more than 6 months, so why the sudden magical fix to the server?

  • Reply 20 of 31
    yelapayelapa Posts: 6member
    I am not a developer and don't even play one on TV, but the screenshot of Keychain Access' Root Certificates list at the top of this article doesn't seem to jibe with the actual security issue which, as I understand it, is in the ability to modify Keychain passwords (i.e., not certificates). Don't mean to be a niggler--just sayin.' If I am wrong, I would humbly stand corrected.
Sign In or Register to comment.