Serving up some issues for OS X that were catalogued on Dark Reading. There are some serious concerns. I missed the keychain vulnerability which is very worrisome. I know a good many who are using password safes with standard copy and paste UX in their use.
The past several months have been full of bad news for Mac and iOS. Here’s a quick rundown of the highlights:
- Keychain vulnerability: Researchers discovered a vulnerability in Keychain on Mac OS X that was reported to Apple a year ago, revealed to the public in June, and is still not fixed. Attackers could poison Keychain and steal the data it stores, which included passwords and tokens for a variety of applications, including iCloud and Facebook.
- Gatekeeper vulnerabilities: At the Black Hat Las Vegas conference in August, Synack director of research Patrick Wardle detailed proof-of-concept exploits that circumvent Gatekeeper, Apple’s mechanism for preventing unsigned code from running on Mac. At the Virus Bulletin Prague conference in October, Wardle showed that Apple did not repair the problem with OS X El Capitan, released Sep. 30, and told Forbes that “Gatekeeper is no obstacle at all.” A researcher snuck unsigned malicious code past Gatekeeper by wrapping it into a signed installer package. Gatekeeper only checks the installer package, not what’s in it — so it’s vulnerable to what is essentially a basic piggybacking attack that any good lesson in social engineering cautions against.
- DYLD_PRINT_TO_FILE vulnerability: Discovered in July, patched in mid-August, this was a bug in an environment variable in Mac OS X Yosemite that enabled root access.
- Tpwn vulnerability: Publicly disclosed in mid-August before it was patched, Tpwn was a memory corruption bug in the kernel of OS X Mavericks through Yosemite that would allow local privilege escalation and grant attackers root access.
- KeyRaider: In late August, the KeyRaider iOS malware stole 225,000 legitimate Apple accounts and slammed devices with ransomware, data theft, and phony purchases. The malware was secretly wrapped into unauthorized iOS apps, downloaded from a China-based third-party website, and thus it only affected jailbroken iOS devices.
- AirDrop vulnerability: Disclosed in mid-September, a vulnerability in both Mac and iOS — patched in the new iOS 9 — lets attackers bomb any iOS and Mac device within Bluetooth range with malware, via the AirDrop file-sharing feature.
- XcodeGhost: In late September, attackers showed they could hit non-jailbroken iOS devices too. XcodeGhost is a Trojanized version of Apple’s application development software, Xcode. Attackers uploaded it to Chinese cloud storage service Baidu Yunpan — a regional, third-party alternative to the Apple Store where download times are shorter for iOS and Mac developers in China. Innocent app developers then used XcodeGhost to write apps and upload them to the official App Store, never knowing that those apps were malicious. Originally, it was thought that only about 40 apps were infected with XcodeGhost, but that number was later increased to 4,000, including WeChat, ride-hailing app Didi Kuaidi, and music sharing app NetEase Music.
- YiSpecter: In early October, researchers at Palo Alto Networks discovered about 100 apps in the iTunes App Store abusing Apple’s private APIs — used only by Apple itself and not available to app developers — in order to circumvent the Store’s security tools. YiSpecter downloads, installs, and opens applications, replaces on-board apps with unwanted downloads, and forces apps to show advertisements.
- Yanked apps: Last week, Apple pulled some ad-blocking apps from its App Store after discovering that some of those apps installed root certificates that expose all traffic, including encrypted traffic, from the device to the application. Apple is allowing the app developers to resubmit to the store after they make alterations.
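The Gatekeeper item above turns on the gap between a signed installer package and the unsigned binaries it can carry. What follows is an added example, written for this post and not taken from the Dark Reading rundown, Wardle's research, or Apple: the check a defender can run over an expanded package payload or an .app bundle before trusting it. It walks the tree and flags every Mach-O image whose load commands contain no LC_CODE_SIGNATURE at all, handling thin and universal (fat) binaries alike. The presence of that load command only proves a signature blob exists, so on macOS the identity and integrity of anything that passes must still be verified with codesign --verify --deep --strict, and a .pkg is unpacked for inspection with pkgutil --expand. The sample files the block builds are constructed headers, not real executables.

```python
import os
import struct
import sys
import tempfile

# Mach-O magic numbers, as seen when the first four bytes are read little-endian
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit: native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit: native / byte-swapped
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA      # universal container (big-endian on disk)
LC_CODE_SIGNATURE = 0x1D                            # load command that points at the signature blob


def _thin_status(data):
    """Classify one thin Mach-O image: 'signed-blob', 'unsigned' or 'malformed'."""
    if len(data) < 28:
        return "malformed"
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"
    else:
        return "malformed"
    header_size = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    ncmds, sizeofcmds = struct.unpack(endian + "II", data[16:24])
    off, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end or off + 8 > len(data):
            return "malformed"  # command table runs past its declared size or the file
        cmd, cmdsize = struct.unpack(endian + "II", data[off:off + 8])
        if cmdsize < 8:
            return "malformed"  # a zero-length command would overlap itself forever
        if cmd == LC_CODE_SIGNATURE:
            return "signed-blob"
        off += cmdsize
    return "unsigned"


def code_signature_status(data):
    """Classify file bytes as 'not-macho', 'signed-blob', 'unsigned' or 'malformed'.
    A fat binary counts as 'signed-blob' only if every architecture slice has a signature."""
    if len(data) < 28:
        return "not-macho"
    fat_magic = struct.unpack(">I", data[:4])[0]
    if fat_magic in (FAT_MAGIC, FAT_CIGAM):
        endian = ">" if fat_magic == FAT_MAGIC else "<"
        nfat = struct.unpack(endian + "I", data[4:8])[0]
        if nfat > 32:
            return "not-macho"  # Java class files share the CAFEBABE magic; real fat headers are small
        if nfat == 0 or 8 + 20 * nfat > len(data):
            return "malformed"
        worst = "signed-blob"
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack(endian + "IIIII", data[8 + 20 * i:28 + 20 * i])
            status = _thin_status(data[offset:offset + size])
            if status != "signed-blob":
                worst = status
        return worst
    if struct.unpack("<I", data[:4])[0] not in (MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64):
        return "not-macho"
    return _thin_status(data)


def find_unsigned(root):
    """Walk an expanded payload or .app bundle; return (relative path, status) for every
    Mach-O image that carries no signature blob at all or is malformed, sorted by path."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()  # whole file: fat slices may sit far past the header
            status = code_signature_status(data)
            if status in ("unsigned", "malformed"):
                flagged.append((os.path.relpath(path, root), status))
    return sorted(flagged)


def build_thin(signed, is64=True):
    """Constructed sample: a minimal, non-executable Mach-O header holding one LC_UUID
    command plus, when signed=True, an LC_CODE_SIGNATURE command."""
    cmds = struct.pack("<II", 0x1B, 24) + b"\x00" * 16  # LC_UUID, 24 bytes
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)  # linkedit_data_command
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    cputype = 0x0100000C if is64 else 0x7  # ARM64 or i386, purely illustrative
    hdr = struct.pack("<IIIIIII", magic, cputype, 0, 2, 2 if signed else 1, len(cmds), 0)
    if is64:
        hdr += struct.pack("<I", 0)  # the 64-bit header ends with a reserved word
    return hdr + cmds


def build_fat(slices):
    """Constructed sample: wrap thin images in a universal (fat) container."""
    offset = 8 + 20 * len(slices)
    archs, body = b"", b""
    for s in slices:
        archs += struct.pack(">IIIII", 0, 0, offset + len(body), len(s), 0)
        body += s
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


def demo_scan():
    """Build a throwaway payload mixing signed, unsigned and non-Mach-O files (all constructed),
    then return what find_unsigned flags."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Contents", "MacOS"))
        samples = {
            "Contents/MacOS/MainApp": build_thin(signed=True),
            "Contents/MacOS/helper_unsigned": build_thin(signed=False),
            "Contents/MacOS/universal_half_signed": build_fat([build_thin(True), build_thin(False, is64=False)]),
            "Contents/Info.plist": b'<?xml version="1.0"?><plist/>',
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return find_unsigned(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for rel, status in (find_unsigned(target) if target else demo_scan()):
        print(f"{status:12} {rel}")
```

Run it with the directory produced by pkgutil --expand (or an .app bundle) as the only argument; with no argument it scans the constructed sample tree and reports the unsigned helper and the universal binary whose i386 slice lacks a signature. Anything it flags is a binary Gatekeeper would never have examined inside a signed package; anything it passes still needs codesign on macOS to confirm who signed it and that the code matches the signature.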