(Long article; parts have been removed.) Six university researchers have revealed deadly zero-day flaws in Apple's iOS and OS X, claiming it is possible to crack Apple's keychain, break app sandboxes and bypass its App Store security checks so that attackers can steal passwords from any installed app including the native email client without being detected.
The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts that could raid the keychain to steal passwords for services including iCloud and the Mail app, and all those stored within Google Chrome...snip

Apple was not immediately available for comment....snip

"Recently we discovered a set of surprising security vulnerabilities in Apple's Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps' sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome," Xing told The Register's security desk.

"Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.

"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps."

The team was able to raid banking credentials from Google Chrome on the latest Mac OS X 10.10.3, using a sandboxed app to steal the system's keychain and secret iCloud tokens, and passwords from password vaults. Photos were stolen from WeChat and the token for popular cloud service Evernote nabbed allowing it to be fully compromised.

"The consequences are dire," the team wrote in the paper.

Some 88.6 percent of 1612 Mac and 200 iOS apps were found "completely exposed" to unauthorised cross-app resource access (XARA) attacks allowing malicious apps to steal otherwise secure data...snip

"Our study brings to light a series of unexpected, security-critical flaws that can be exploited to circumvent Apple's isolation protection and its App Store's security vetting.
The consequences of such attacks are devastating, leading to complete disclosure of the most sensitive user information (e.g., passwords) to a malicious app even when it is sandboxed.

http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/

-------------------------------

Dimitri wrote:
> If it's anything like their computers, it'll be obsolete in three years.
> Imagine, them telling you that your operating system is too old, car's
> computer is too old to handle upgrade. Buy new car.
> Thanks but I'll stick to my manual everything dinosaur mobiles.
>
> Sent from my iPhone
>
> > On Jun 17, 2015, at 2:05 PM, Andrew Strasfogel via Mercedes
> > <firstname.lastname@example.org> wrote:
> >
> > Apple could dominate market -- analyst
> > Published: Wednesday, June 17, 2015
> >
> > Apple Inc.'s reach could soon include electric automobiles, according to an
> > industry analyst.
> >
> > "If the world's most valuable company were to design and engineer a car, we
> > are convinced it would be 100 percent a battery electric propulsion
> > system," wrote Morgan Stanley analyst Adam Jonas to investors yesterday.
> >
> > The company has reportedly already created a team to work on designing an
> > Apple-branded car, though it has not made any comments on the topic. A
> > lawsuit from electric-car battery maker A123 Systems this year accused
> > Apple of poaching its employees.
> >
> > Apple can certainly dump resources into the project; the technology company
> > pulls in about $15 billion in profit every business quarter, which is equal
> > to four months of the research and development of all the world's
> > automakers combined, Jonas said.
> >
> > The company could help pioneer self-driving cars, which some see as the
> > future of transportation in America.
> >
> > "A fully autonomous car is meant to be shared, not owned," Jonas said. "A
> > fully autonomous car -- as in no steering wheel, no pedals -- can work 24
> > hours a day" (Jerry Hirsch, *Los Angeles Times*
> > <http://www.latimes.com/business/autos/la-fi-hy-apple-electric-car-20150616-story.html>,
> > June 16). *-- BTP*
> > _______________________________________
> > http://www.okiebenz.com
> >
> > To search list archives http://www.okiebenz.com/archive/
> >
> > To Unsubscribe or change delivery options go to:
> > http://mail.okiebenz.com/mailman/listinfo/mercedes_okiebenz.com

--
arche...@embarqmail.com <arche...@embarqmail.com>