A Trio of Apple Security Flaws
Until very recently, Apple users didn't need to worry about malware, so long as they avoided jailbreaking their devices, and downloaded only from the official Apple App Store. But clever hackers have exploited some loopholes that could act as a conduit for rogue or malicious software to make its way into an iPhone, iPad or a computer running Mac OS X. Here's what you need to know...
Wirelurker, Rootpipe and Masque-D
Three new security vulnerabilities in Apple operating systems have been revealed in just the first two weeks of November 2014. One has already been exploited in malware dubbed “Wirelurker,” which targets iOS 7 and 8 mobile devices. Another, “Rootpipe,” affects multiple versions of Mac OS X including the latest, Yosemite, but it has not yet been observed in the wild. The third vulnerability, “Masque-D,” is particularly troubling because Apple has been trying to eliminate it since July, apparently without success.
Wirelurker got its name from its trick of leaping from iOS to Mac OS X devices whenever the two are connected via USB cable. Wirelurker popped up in China and seems to have been contained there. It has only been detected in pirated software written for readers of Chinese. About 400 such apps originated from a Chinese Web site. Apple responded swiftly, blocking the infected apps so they won’t run on iOS devices.
The Rootpipe vulnerability enables malware to gain administrator privileges on an infected device, giving the malware full control of the machine. The white-hat hacker who discovered Rootpipe, Emil Kvarnhammar, is withholding details of how it works until Apple issues a fix. Curiously, Rootpipe works on Mac OS X 10.8.5 but not on 10.9, yet it works again on the latest version, 10.10 (Yosemite).
Masque-D alarms security researchers because it is the first known vulnerability that allows malicious apps from unofficial sources to install themselves on iOS devices that have not been jailbroken. Effectively, this means users are not safe even if they play by all of Apple’s rules.
Masque-D is dangerous because it can replace a legitimate iOS app already installed on an iPhone or iPad with a rogue version. Once installed, it gains ownership of any data associated with the original app, and can monitor what happens on the mobile device.
Bending the Rules
Normally, an iOS device can install only apps that are downloaded from the Apple App Store. An official exception is made for “enterprise apps” developed in-house by corporations and deployed via their private networks to employees’ devices. Masque-D masquerades as an enterprise app to get around the “jail” of the App Store.
A bit of social engineering is necessary to make Masque-D work. A user must consent to the installation of an enterprise app, so a Masque-D app must con the user into tapping a permission button. Typically this happens through the use of a phishing email that convinces the user to download and install the app.
What’s even more alarming is that Apple does not seem to have a grip on Masque-D. Although the company has been aware of Masque-D since July, according to Kvarnhammar, no fix has appeared. The strange disappearance of the vulnerability in version 10.9 (Mavericks) and its reappearance in version 10.10 (Yosemite) suggests that Apple either isn't paying attention to this problem, or doesn't know how to fix it yet.
The best that users can do is avoid untrusted app sources and be very cautious about granting installation permission to any “enterprise app” that appears on their iOS devices. Installing apps via the official App Store is still safe. But if you use your iOS device for work, contact your employer or IT department before installing any app that comes to you via an email or web link.
Trying Too Hard?
All three of these Apple security issues come on the heels of the botched rollout of the iOS 8 operating system for iPhones and iPads. When iOS 8 first became available, some users reported that their phones were rendered inoperable by the update. Others lost access to their iCloud data. The 8.0.1 update was supposed to be the fix, but it was quickly pulled after it was discovered that it blocked some users from making phone calls and disabled the Touch ID fingerprint sensor on the iPhone 6.
It makes me wonder if Apple is trying to do too much, too fast. If that's true, I hope they'll slow it down, and refocus on software quality and security, which have been hallmarks of the Apple brand for many years.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 21 Nov 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved