(Long article; parts have been removed.)

Six university researchers have revealed deadly zero-day flaws in Apple's iOS 
and OS X, claiming it is possible to crack Apple's keychain, break app 
sandboxes and bypass its App Store security checks so that attackers can steal 
passwords from any installed app including the native email client without 
being detected.

The team was able to upload malware to the Apple app store, passing the vetting 
process without triggering alerts that could raid the keychain to steal 
passwords for services including iCloud and the Mail app, and all those stored 
within Google Chrome...snip

Apple was not immediately available for comment....snip

"Recently we discovered a set of surprising security vulnerabilities in Apple's 
Mac OS and iOS that allows a malicious app to gain unauthorised access to other 
apps' sensitive data such as passwords and tokens for iCloud, Mail app and all 
web passwords stored by Google Chrome," Xing told The Register's security desk.

"Our malicious apps successfully went through Apple’s vetting process and were 
published on Apple’s Mac app store and iOS app store.

"We completely cracked the keychain service - used to store passwords and other 
credentials for different Apple apps - and sandbox containers on OS X, and also 
identified new weaknesses within the inter-app communication mechanisms on OS X 
and iOS which can be used to steal confidential data from Evernote, Facebook 
and other high-profile apps."

The team was able to raid banking credentials from Google Chrome on the latest 
Mac OS X 10.10.3, using a sandboxed app to steal the system's keychain and 
secret iCloud tokens, and passwords from password vaults.

Photos were stolen from WeChat and the token for popular cloud service Evernote 
nabbed allowing it to be fully compromised.

"The consequences are dire," the team wrote in the paper.

Some 88.6 percent of 1612 Mac and 200 iOS apps were found "completely exposed" 
to unauthorised cross-app resource access (XARA) attacks allowing malicious 
apps to steal otherwise secure data...snip

"Our study brings to light a series of unexpected, security-critical flaws 
that can be exploited to circumvent Apple's isolation protection and its App 
Store's security vetting. The consequences of such attacks are devastating, 
leading to complete disclosure of the most sensitive user information (e.g., 
passwords) to a malicious app even when it is sandboxed.

http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/

-------------------------------
Dimitri wrote:
> If it's anything like their computers, it'll be obsolete in three years. 
> Imagine, them telling you that your operating system is too old, car's 
> computer is too old to handle upgrade. Buy new car.
> Thanks but I'll stick to my manual everything dinosaur mobiles.
> 
> Sent from my iPhone
> 
> > On Jun 17, 2015, at 2:05 PM, Andrew Strasfogel via Mercedes 
> > <mercedes@okiebenz.com> wrote:
> > 
> > Apple could dominate market -- analyst
> > Published: Wednesday, June 17, 2015
> > 
> > Apple Inc.'s reach could soon include electric automobiles, according to an
> > industry analyst.
> > 
> > "If the world's most valuable company were to design and engineer a car, we
> > are convinced it would be 100 percent a battery electric propulsion
> > system," wrote Morgan Stanley analyst Adam Jonas to investors yesterday.
> > 
> > The company has reportedly already created a team to work on designing an
> > Apple-branded car, though it has not made any comments on the topic. A
> > lawsuit from electric-car battery maker A123 Systems this year accused
> > Apple of poaching its employees.
> > 
> > Apple can certainly dump resources into the project; the technology company
> > pulls in about $15 billion in profit every business quarter, which is equal
> > to four months of the research and development of all the world's
> > automakers combined, Jonas said.
> > 
> > The company could help pioneer self-driving cars, which some see as the
> > future of transportation in America.
> > 
> > "A fully autonomous car is meant to be shared, not owned," Jonas said. "A
> > fully autonomous car -- as in no steering wheel, no pedals -- can work 24
> > hours a day" (Jerry Hirsch, *Los Angeles Times*
> > <http://www.latimes.com/business/autos/la-fi-hy-apple-electric-car-20150616-story.html>,
> > June 16). *-- BTP*
> > _______________________________________
> > http://www.okiebenz.com
> > 
> > To search list archives http://www.okiebenz.com/archive/
> > 
> > To Unsubscribe or change delivery options go to:
> > http://mail.okiebenz.com/mailman/listinfo/mercedes_okiebenz.com
> > 
> 


-- 
arche...@embarqmail.com <arche...@embarqmail.com>
