Apple has patched the Trident vulnerabilities in OS X and Safari. The flaws were originally disclosed in iOS and used to spy on a UAE human rights activist.
Apple on Monday rolled out a series of patches for nearly all of its operating systems, including fixes for March’s DROWN vulnerability in OS X and a lockscreen bypass vulnerability in iOS.
Apple deployed patches for nearly all of its products, including Safari, OS X, iOS, Apple TV’s tvOS, and watchOS on Monday.
Last week I received an email from our IT Crowd reminding me (and others) to please update our iPhones to the new iOS version 8.4.1 immediately, for security reasons. Apparently, a zero-day sandbox violation from earlier in the year was finally being fixed by Apple with this update – yet Apple’s notification said only “improvements and fixes to Apple Music.”
Facebook has added to its osquery framework the ability for organizations to detect whether their OS X systems are being exploited via XARA.
Earlier this month, I was lucky enough to attend Apple’s Worldwide Developers Conference (WWDC) in San Francisco, where mobile developers from far and wide came together to learn about the future of iOS and OS X systems. Along with being the first time I was able to participate in this sought-after conference, it was also my first time visiting San Francisco.
Once you get past the glitz and the glamour, the majority of the event revolves around waiting in a series of queues — the day before the actual event began, the line for the event’s keynote lectures had formed around an entire city block. Although I wasn’t one of the first people to camp out there, I did arrive around 5:30 a.m. on Monday to stake out my spot. While the masses of people at WWDC can be a bit overwhelming, there really isn’t a better place to meet thousands of like-minded developers with whom one can strike up an interesting conversation about the ins and outs of iOS development.
This year, Apple hosted 5,000 developers from 70 different countries, the vast majority of whom were present at WWDC for the first time. The WWDC Scholarship Program awarded 350 scholarships to recipients, the youngest of whom was Kiera Cawley, a 12-year-old app developer who has been coding since the age of nine. Apple CEO Tim Cook made a guest appearance at the conference’s special orientation session, mingling with the recipients and even taking selfies with some of them.
OS X EL CAPITAN — what a name! At first, I thought it had to be another joke from Craig Federighi, but I was wrong. A noteworthy new feature in El Capitan is the split view mode, which allows us to work on two apps simultaneously. Apple claims a 1.4x improvement in app launch times and a 2x improvement in app switching speed. In general, Apple has been quite busy and has made huge improvements for developers. The most exciting news is that Apple will be making Swift open source later this year — a big step forward for the developer community.
The recent release of iOS 9 makes the entire system smarter and more secure. Now, users can run two apps at once on an iPad, side by side in split view (the same feature present in OS X). This will be challenging for developers who still avoid Auto Layout. For the rest of us, though, it works quite well. It’s also possible to make activities and documents within your app searchable using Spotlight, or to include special links on your site that launch your app at a specific view. And yes, it’s still necessary to support the iPhone 4s on iOS 9. However, it should now be better optimized than ever before.
Jennifer Bailey announced the release of Apple Pay in the UK next month. This was a bad piece of news for the developer sitting right next to me. He was working as a freelancer for a company that provides mobile payments in the UK via iOS. “My company is screwed and I should start looking for a new job,” he said in response to Bailey’s announcement. Apple Pay’s imminent launch is, unfortunately, not the best update for people whose jobs revolve around mobile payments.
During the rest of the week, Apple featured 100 sessions and labs, and over 1,000 Apple engineers were present and ready to give advice. The UI Design Lab was the most popular workshop at the conference, and you could count on there being a huge line every day. After trying to get into the session every morning, I was finally able to make an appointment on Friday. In the end, it was worth the wait.
All in all, WWDC was a great opportunity to meet an impressive collection of talented developers and to discuss the vast amount of progress Apple has been making within the mobile sphere. See you next year, Apple!
Six university researchers discovered high-impact “zero-day” security weaknesses in iOS and Mac, which can be abused by getting a malicious app approved by the Apple app store – something they managed to do without any issues. Through this app they were able to access sensitive data from other apps – with dire consequences. The researchers state that “our sandboxed app successfully retrieved from the system’s keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome […]”
It does sound unbelievable, doesn’t it? Just take a look at the video below to see a malicious sandboxed app on OS X steal all private notes in the Evernote app:
Or how about a look at how it is able to steal any website’s passwords:
According to their research, 88.6% of the apps they tested were found to be completely exposed to the XARA attacks. This includes popular apps like Evernote, WeChat, and 1Password: “In our study, we downloaded 1,612 free apps from the MAC App Store. These apps cover all 21 categories of the store, including social networking, finance, business, and others. In each category, we picked up all the free apps when less than 100 of them are there, and top 100 otherwise. Also from the iOS App Store, we collected 200 most popular apps, 40 each from “All Categories”, “Finance”, “Business”, “Social Networking” and “Productivity”, after removing duplications.”
The researchers informed Apple about the issues in October 2014; a fix still seems to be outstanding.
Take a look at the research paper to read all about the issue.
The post XARA – With This Exploit Hackers Can Steal Your Passwords appeared first on Avira Blog.
Whereas Apple develops iOS with security as part of the process, in OS X development security seems to be more of an afterthought. ‘Bug bounty’ programs are one direction suggested for Apple, but until there is a change in the current approach, the vulnerabilities remain open to any would-be hackers.
At the recent RSA Conference in San Francisco, Wardle gave a presentation titled “Writing [email protected] OS X Malware,” in which he challenges Apple’s OS X developers to change their way of thinking – especially considering that the majority of the malware getting onto Macs (now numbering in the hundreds of thousands) is “amateur, even basic,” according to Wardle.
More advanced Mac attacks, such as the ‘Rootpipe’ backdoor, have been difficult for Apple to patch, and failed ‘fixes’ have been covered by thehackernews.com, computerworld.com, securityweek.com, forbes.com, and others in the first half of 2015.
AV-Test, a leading independent computer security testing firm, recently tested 10 different Mac OS X security software packages (you can read the full report here), writing that:
“The legend that Mac OS X is supposedly invincible is not borne out by the facts. In the aftermath of major attacks by Flashback, the police Trojan Browlock or Shellshock, the number of assaults on Mac OS X continues to increase.”
In AV-Test’s analysis, Avira Free Antivirus for Mac earned a 100% detection score against 160 new Mac-specific viruses and malware. If you’re taking chances with no security on your Mac, do yourself a favor and take care of it right now – FREE DOWNLOAD.