A Trio of Apple Security Flaws

Category: Apple-Mac, Security

Until very recently, Apple users didn't need to worry about malware, so long as they avoided jailbreaking their devices, and downloaded only from the official Apple App Store. But clever hackers have exploited some loopholes that could act as a conduit for rogue or malicious software to make its way into an iPhone, iPad or a computer running Mac OS X. Here's what you need to know...

Wirelurker, RootPipe and MASQUE-D

Three new security vulnerabilities in Apple operating systems have been revealed in just the first two weeks of November, 2014. One has already been exploited in malware dubbed “Wirelurker,” which targets iOS 7 and 8 mobile devices. Another, “Rootpipe,” targets multiple versions of Mac OS X including the latest, Yosemite, but it has not yet been observed in the wild. The third vulnerability, “MASQUE-D,” is particularly troubling because Apple has been trying to eliminate it since July, apparently without success.

Wirelurker got its name from its trick of leaping from iOS to Mac OS X devices whenever the two are connected via USB cable. Wirelurker popped up in China and seems to have been contained there. It has only been detected in pirated software written for readers of Chinese. About 400 such apps originated from a Chinese Web site. Apple responded swiftly, blocking the infected apps so they won’t run on iOS devices.


The Rootpipe vulnerability enables malware to gain administrator privileges on an infected device, giving the malware full control of the device. The white-hat hacker who discovered Rootpipe, Emil Kvarnhammar, is withholding details of how it works until Apple issues a fix. Curiously, Rootpipe works on Mac OS X version 10.8.5 but not on 10.9, yet it works again on the latest version, 10.10 (Yosemite).

Masque-D alarms security researchers because it is the first discovered vulnerability that allows malware apps that don’t come from official sources to install themselves on iOS devices that have not been “jail-broken.” Effectively, this means users are not safe even if they play by all of Apple’s rules.

Masque-D is dangerous because it can replace a legitimate iOS app already installed on an iPhone or iPad with a rogue version. Once installed, it gains ownership of any data associated with the original app, and can monitor what happens on the mobile device.

Bending the Rules

Normally, an iOS device can install only apps that are downloaded from the Apple App Store. An official exception is made for “enterprise apps” developed in-house by corporations and deployed via their private networks to employees’ devices. Masque-D masquerades as an enterprise app to get around the “jail” of the App Store.

A bit of social engineering is necessary to make Masque-D work. A user must consent to the installation of an enterprise app, so a Masque-D app must con the user into tapping a permission button. Typically this happens through the use of a phishing email that convinces the user to download and install the app.

What’s even more alarming is that Apple does not seem to have a grip on Masque-D. Although the company has been aware of Masque-D since July, according to Kvarnhammar, no fix has appeared. The strange disappearance of the vulnerability in version 10.9 (Mavericks) and its reappearance in version 10.10 (Yosemite) suggests that Apple either isn't paying attention to this problem, or doesn't know how to fix it yet.

The best users can do is avoid untrusted app sources and be very cautious about granting installation permission to any “enterprise app” that appears on their iOS devices. Installing apps via the official App Store is still safe. But if you use your iOS device for work, contact your employer or IT department before installing any app that comes to you via an email or web link.

Trying Too Hard?

All three of these Apple security issues come on the heels of the botched rollout of the iOS 8 operating system for iPhones and iPads. When iOS 8 first became available, some users reported that their phones were rendered inoperable by the update. Others lost access to their iCloud data. The 8.0.1 update was supposed to be the fix, but it was quickly pulled after it was discovered that it blocked some users from making phone calls, and disabled the Touch ID fingerprint sensor on the iPhone 6.

It makes me wonder if Apple is trying to do too much, too fast. If that's true, I hope they'll slow it down, and refocus on software quality and security, which have been hallmarks of the Apple brand for many years.

Your thoughts on this topic are welcome. Post your comment or question below...

 

This article was posted by on 21 Nov 2014



Most recent comments on "A Trio of Apple Security Flaws"

Posted by:

The 146%
21 Nov 2014

This is proof that with enough time and patience, ANY vulnerability in ANY operating system can be exploited by the right person. And there are even more problems with this than would initially become obvious. There are many manufacturers that no longer support or update products that they know are still in use. Who would be liable for damages if those known exploits are not patched and if that particular manufacturer knows that the vulnerability still exists in that particular product? I ask this because I have a device that is no longer supported, though I still use it. The recent Shellshock/Bashbug that has since been patched on most systems has not been patched on my device because of this issue of manufacturer non-support.


Posted by:

Lynn
21 Nov 2014

"...I hope they'll slow it down, and refocus on software quality and security, which have been hallmarks of the Apple brand for many years." I agree completely with this opinion. The security of Apple software is the very reason I am an Apple user for all my devices. The extra cost associated with buying an Apple product is worth the peace of mind I have always found.


Posted by:

Jake
21 Nov 2014

My fear is that Apple is too focused on shareholders and not enough on customers. To meet shareholder expectations they have to keep generating improved hardware to increase revenue. Software somehow is being left behind because it takes a lot of time to get it right, more time than it does the hardware.


Posted by:

Jeremy
21 Nov 2014

Thinking on failed iOS, don't forget iOS 7. For schools, it broke supervision, meaning IT directors had to recollect all the devices, wipe them, and re-manage them. Apple ignored this even though it was a fundamental oversight. They over promised Over The Air Enrollment for enterprise users. Not delivered. Tokens for App failures. It was horrible.


Posted by:

Kirill
21 Nov 2014

"Every perfectly working program has at least three errors" (c) Programmer's wisdom.

This is why Apple people are so funny, when they claim that everything from Apple is perfect. Had an iPhone for around a year - never again anything from Apple, thanks.


Posted by:

MmeMoxie
21 Nov 2014

To Apple Users --- Welcome to the real world of computing. Those of us, who do not use or like Apple products, have been saying for years ... Security will be breached, at some time in the future. The future has arrived.

Please, believe me ... I am greatly saddened, by this news. I am not an Apple user and honestly, do not plan on being one ... However, I am still saddened. For me, this means the Hackers/Crackers of this world, are gaining and getting so much smarter, which means, Windows and Android users, better watch out!!!

Security, security, security is the answer. I pray that the Apple Store will have Anti-Virus programs, Malware programs, Rootkit programs and all of the Security programs available, for the Apple Users. There have been way too many years, of Apple Users bragging about the "security" of Apple Products and looking down, at Windows and Android Users. Reality has finally, hit Apple in the eye.

For Android Users ... PLEASE, protect your Smartphones, by using GOOD Anti-Virus apps, Malware apps and GOOD Security apps!!! It comes down to this ... IF ... You want a usable Smartphone ... Security is a MUST!!! Remember, many of the best Security apps are FREE!!! I happen to pay for my Anti-Virus app (Avast!), but, for my Malware app (Malwarebytes), I use the FREE version.

Remember ... What goes around ... Comes around ... To bite you. Karma's like that, ya know.


Posted by:

Dan
21 Nov 2014

Good lord. Will we ever go one week without reading about more security problems with these "clever" products!:-) Should manufacturers and programmers spend more time on this part of their development process or should they continue pumping out unfinished products before their competitors?


Posted by:

DaraQW
21 Nov 2014

Count me among the faithful who hope Apple will not sacrifice itself on the altar of profitability by racing to produce "new and improved" devices and operating systems at the expense of quality and stable performance. I would much rather spend 30% more money less frequently for the privilege of enjoying the best and most elegant user-friendly devices in the world.


Posted by:

Richard Dengrove
22 Nov 2014

An MIT kid told me in 1972 that no software can be made hackerproof. This is just one more sign. For me, so far knock on wood.


Posted by:

Heidi
22 Nov 2014

Thanks for the info. I often wonder and have questions about the security of Apple products. Everyone says they are hack proof but I guess there's no such thing.


Posted by:

Arthur
27 Nov 2014

This is a symptom of the perpetual drive for software and hardware "improvements" to encourage sales of new devices and keep the investors happy. How about EVERYONE slow-down and make-right/fit for purpose what we have available now, instead of continually raping the planet for more resources in our already too-disposable society.


Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- A Trio of Apple Security Flaws (Posted: 21 Nov 2014)
Source: https://askbobrankin.com/a_trio_of_apple_security_flaws.html