Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple Responds to 'Masque Attack' Vulnerability, Not Aware of Customers Affected by Attack

proline said:
Nobody has an issue with criticizing Apple's security. However, such criticism needs the acknowledge the reality that the chance of the average user's system being compromised is far less on Apple's platforms than any other major player.
Click to expand...
Why? This is about a security flaw in Apple's system and it should be judged by Apple's standards. Other systems are completely irrelevant to the issue.

----------
snowmoon said:
I see the best "fix" being the inability for an enterprise signed app to overwrite an AppStore installed app. Force the user to delete the app before it can be provisioned through other means. This should pose no problems for legitimate users and still allow the legitimate use-cases for enterprise apps.
Click to expand...
Agreed. Shouldn't be hard to implement either. I would also like them to bring back the separate warning if an app bundle attempts to install an embedded provisioning profile, and to make provisioning profiles visible in the settings again as it was before iOS 8. I see no point in hiding them from the end user.
 
Rigby said:
Why? This is about a security flaw in Apple's system and it should be judged by Apple's standards. Other systems are completely irrelevant to the issue.

----------

Agreed. Shouldn't be hard to implement either. I would also like them to make provisioning profiles visible in the settings again as it was before iOS 8. I see no point in hiding them from the end user.
Click to expand...

I'm of the mind it is more of an exploit not a flaw. There may be circumstances where an enterprise would need to overwrite an installed app that is signed by the Enterprise cert requesting the overwrite, perhaps a customized for the Enterprise version of of Gmail.
 
OldSchoolMacGuy said:
They're allowed but it gives a big warning to not install anything you don't know where it's coming from and tells you very clearly that it may harm your phone or allow malicious things to be installed then you have to give it your passcode and then confirm it again.
Click to expand...
Nope. No password required, and no mention of "malicious things" that may "harm your phone". All you see on iOS 8 is a dialog box saying "<url> would like to install <app>", and then you can tap "cancel" or "Install".
 
Last edited:
Rigby said:
Nope. No password required, and no mention of "malicious things" that may "harm your phone". All you see on iOS 8 is a dialog box saying "<url> would like to install <app>", and then you can tap "cancel" or "Install".
Click to expand...

I think installing the Enterprise Profile follows clicking the install of the program that is where all the malicious code prompts are then the app is installed.
 
WrQth said:
I think installing the Enterprise Profile follows clicking the install of the program that is where all the malicious code prompts are then the app is installed.
Click to expand...
No. I have installed an enterprise app from my employer. There is no mention whatsoever about enterprise profiles or malicious code. When you try to install, all you get is the prompt I mentioned above. Then, when you run the app for the first time, you get a prompt saying "Do you trust the developer <name> to run apps on your phone?". That is all you ever see.
 
Rigby said:
Because Apple always claims that their "closed" system is more secure than those others due to the review process?

Frankly, I don't understand why some people on this forum keep downplaying these security flaws. Perhaps they think they need to "defend" Apple, but that is misguided IMO. The "fappening" made it very obvious that Apple doesn't necessarily act to improve their security policies without public pressure. If that hadn't happended, we'd probably still have the weak iCloud security policy and incomplete 2-factor authentication. Public attention can only help to make the system more secure for everyone by forcing Apple to act.
Click to expand...

No evidence the celebrity photo leak had anything to do with iCloud. It sounds like you're upset about people defending Apple, but you're making things up as well. The truth is nobody knows what is going on.
 
Originally Posted by Rigby Because Apple always claims that their "closed" system is more secure than those others due to the review process?

Frankly, I don't understand why some people on this forum keep downplaying these security flaws. Perhaps they think they need to "defend" Apple, but that is misguided IMO. The "fappening" made it very obvious that Apple doesn't necessarily act to improve their security policies without public pressure. If that hadn't happended, we'd probably still have the weak iCloud security policy and incomplete 2-factor authentication. Public attention can only help to make the system more secure for everyone by forcing Apple to act.
Click to expand...

Sonmi451 said:
No evidence the celebrity photo leak had anything to do with iCloud. It sounds like you're upset about people defending Apple, but you're making things up as well. The truth is nobody knows what is going on.
Click to expand...

Picking iCloud passwords that are easy to guess is NOT and I repeat with more emphasis NOT Apple's fault.

Until we are all issued a hardware token at birth that we can use for second factor authentication, *ANY* system will be liable to be hacked as long as the 'human element' is involved. See: Wall Of Sheep... And historic Wall of Sheep.
 
PinkyMacGodess said:
Picking iCloud passwords that are easy to guess is NOT and I repeat with more emphasis NOT Apple's fault.
Click to expand...
Nothing ever is, right? :p And then there is the real world where security needs to be designed with real people in mind, however technology-illiterate they might be ...

The fact that Apple tightened up the iCloud security policies and finally added 2-factor authentication for icloud.com and iCloud backups after the "fappening" speaks for itself.

----------
superlawyer15 said:
I wonder if this exploit could be used to install things like emulators
Click to expand...
Yes. Enterprise profiles are commonly used to enable installation of unapproved apps like emulators and "free movie" streaming apps.
 
The new Apple:
- iPhone 6 Plus bent? Nah, we have no reports
- Serious security bug? Nah, we have no reports
 
This is like opening the door of your apartment and inviting in a thief.

Then blame the landlord that the locks weren't installed properly.
 
Rigby said:
No. I have installed an enterprise app from my employer. There is no mention whatsoever about enterprise profiles or malicious code. When you try to install, all you get is the prompt I mentioned above. Then, when you run the app for the first time, you get a prompt saying "Do you trust the developer <name> to run apps on your phone?". That is all you ever see.
Click to expand...

Might you have already had your companies Enterprise Profile loaded on your iPhone which is tied to the Enterprise signing of the Enterprise app installed?
 
Cuban Missles said:
Agreed. There are still applications out there that have not wanted to join the Mac App store -- My wife wanted to download Skype and I was surprised to find that it is not on the Mac App store. I use BeaTunes to better manage my iTunes library and again, not available in the App Store. Apple will need to work harder if they really want everything to go through their App store. Otherwise, this IS a problem that needs to be addressed.
Click to expand...

In order to suck customers in, you always have to take "baby steps".

1) Create the Mac App Store, first non-sandboxed.
2) Remove the optical drive. (Call it obsolete)
3) Announce that MAS Apps have to be sandboxed just like iOS.
4) Keep removing optical drives and sealing off hardware access. Now all Apple products, including the "Mac Pro" don't have optical drives and none of them can actually be upgraded.

4) Start producing "fake" security issues that make users not trust non-App Store Apps. They did it with WireLurker, why not software?

5) Make a statement that touts "security" and also includes that wee subtle line "only download apps from the App Store!".


What's next? An App Store only OS X. OS X is now a consumer OS, and Apple won't care if a minority group of users use non-App Store apps. Because let's face it, the majority of "consumers" probably only use the App Store.
 
Question

Does this vulnerability have the potential to affect those with jailbroken devices?

Feel free to "quote" this in your answer so i get notified and can see what people say.
 
SolarShane said:
In order to suck customers in, you always have to take "baby steps".

1) Create the Mac App Store, first non-sandboxed.
2) Remove the optical drive. (Call it obsolete)
3) Announce that MAS Apps have to be sandboxed just like iOS.
4) Keep removing optical drives and sealing off hardware access. Now all Apple products, including the "Mac Pro" don't have optical drives and none of them can actually be upgraded.

4) Start producing "fake" security issues that make users not trust non-App Store Apps. They did it with WireLurker, why not software?

5) Make a statement that touts "security" and also includes that wee subtle line "only download apps from the App Store!".


What's next? An App Store only OS X. OS X is now a consumer OS, and Apple won't care if a minority group of users use non-App Store apps. Because let's face it, the majority of "consumers" probably only use the App Store.
Click to expand...

Did you remember to put on your tin-foil hat before you wrote this? Otherwise they will have read your thoughts and you are now targeted for deletion.
 
iZac said:
I've still not been able to figure out if this is an issue that would only affect jail broken iOS devices? If it is, then it's non-news. If it isn't then it's quite perturbing.
Click to expand...
PunjabiSoorma24 said:
Does this vulnerability have the potential to affect those with jailbroken devices?

Feel free to "quote" this in your answer so i get notified and can see what people say.
Click to expand...
It can affect any device, jailbroken or not. That said it doesn't mean that it's actually affecting any device out there in the real world or that it would affect many, just that the flaw is there and can be exploited.
 
djgamble said:
Yeah uuuum...

This pretty well confirms my suspicions IMO. The 'virus' requires a pirated enterprise certificate. Most people don't know about them but if you work for a biiiig company your company will be able to install their own apps through a website.

Musclenerd always did this but didn't because the company he pirated the certificate from would be faaaaaaarked. Chinese dudes with an old Chinese certificate that belongs to a Chinese company that's either owned by the Chinese government or no longer exists... they don't have those same 'ethics'. They just but an old pirated cert out there (which is why you HAVE to change your date for it to work... or well... maybe don't with some new pirated certs).

Jailbreaking isn't the issue and won't make you more vulnerable. Downloading emulators/pirated apps from websites... don't these people wonder 'WHY DOES THIS WORK?!??!?' In short DON'T download pirated apps/emulators (with a boot load of pirated ROMs) from ANY website.

This isn't a worm or security flaw or ANYTHING!!! They're using an enterprise certificate (which don't come cheap) and are using standard install steps to install trojans. It's like the old Hotline trick when somebody was p!ssing you off and asking you how to hack stuff!!! 'Oh yeah, I know how to hack people... hack your ex girlfriend using this nice little app I just put together!!' BOOO BOOOOOM!!!! 'AAAAARGH YOU TRICKED ME!!! MY COMPUTER NO LONGER BOOTS NOW!!!! B@ST@RD!!!!!!!!'

That's all they're doing. It's not as if some worm is tunneling through iOS/OS X using some major security flaw that Apple needs to (can) patch. The only fix for this 'bug' is to not let idiots install software.
Click to expand...
hlfway2anywhere said:
There was nothing about fixing a security risk because this isn't a flaw, it's how iOS works, and it's safer than literally every other OS out there.

Who is stopping you from installing a spoofed Skype app or hacked version of Angry birds on OS X, Windows, or Android? Apple can't fix stupidity, which is the only security flaw in this situation.



this isn't even true. Microsoft and Adobe are trusted developers, and it is not necessary to change your settings in order to install software from them. Unless you consider entering an administrative username and password to be 'breaking security code'.
Click to expand...

OldSchoolMacGuy said:
Silly media making this a big deal.

This is exactly the same as if you click something online, download an application, and application asks you for your admin password, then the OS tells you explicitly that THIS MAY HARM YOUR COMPUTER, and you still click OK.

It's giving the car keys to a random person and being surprised when they take your car. Silly.

Security researchers agree that this is NOT a big deal and does not pose a security risk. It was shown at a large security conference a year ago and even then researchers agreed it wasn't something to worry about. Now someone else reports it and the media (MacRumors included) grabs hold and blows it up into a big deal that it isn't. :rolleyes:

----------



They're allowed but it gives a big warning to not install anything you don't know where it's coming from and tells you very clearly that it may harm your phone or allow malicious things to be installed then you have to give it your passcode and then confirm it again. If you're that stupid it's really your own fault. It's no different than doing the same on your desktop OS.
Click to expand...

Thunderhawks said:
This is like opening the door of your apartment and inviting in a thief.

Then blame the landlord that the locks weren't installed properly.
Click to expand...

That's not really the part where the flaw is and what can be exploited. It's about one installation being able to overwrite another completely unrelated installation, and not about simply being able to install something from outside the App Store or something like that.

----------
bozzykid said:
Because the apps replace an app that is already on the phone that is signed by a different developer. My guess is Apple is doing their usual "there is nothing to see here", while they are working to fix the issue as quietly as possible.
Click to expand...
This pretty much summarizes it fairly well. A lot of people seem to concentrate and discuss something else entirely and not the actual flaw and potential exploit. And then there are also people who either blow it out of proportion or talk about it being blown out of proportion when neither one of those things is true either.

The reality is that there is a flaw that can be exploited, it's not something that is widespread and doesn't seem like it would become something widespread, but it is a security issue nonetheless and as such should be something that isn't ignored for long. That's really pretty much it.
 
Col4bin said:
Just don't tether your phone to your computer via cord. Go wireless.
Click to expand...

Although it's off topic - how has this post got a down vote..?
Another masque attack..?
 

Attachments

  • screen-capture.png
    screen-capture.png
    48 KB · Views: 116
Last edited:
This bump in the road will only strengthen apple's security and vigilance as they continue breaking into the enterprise market.
 
Nunyabinez said:
Did you remember to put on your tin-foil hat before you wrote this? Otherwise they will have read your thoughts and you are now targeted for deletion.
Click to expand...

Um, you do realize that Apple is slowly closing down OS X, right? If not, then your oblivious to this line in Apple's response: "only download apps from our App Store".
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back