So, using 1Password, which I heartily recommend to both Mac (& PC!) users, is a risk in and of itself!? Now what? Really, Apple, I'm at a loss! I have a boatload of passwords I'm using in my "vault". Fortunately, I just clean installed El Cap on both my Macs. I guess I just shouldn't install anything? Lol. What to do... thoughts...?
 
From reading all the posts in here, it seems everyone glossed over the part in the article where they said Apple has been trying to fix it, but has so far been unsuccessful. That's a far cry from most everyone shouting that Apple has ignored this issue.
 
  • Like
Reactions: AlexH
So, using 1Password, which I heartily recommend to both Mac (& PC!) users, is a risk in and of itself!? Now what? Really, Apple, I'm at a loss! I have a boatload of passwords I'm using in my "vault". Fortunately, I just clean installed El Cap on both my Macs. I guess I just shouldn't install anything? Lol. What to do... thoughts...?

This attack would merely allow a program to talk to the 1Password helper app. Essentially, spoofing the browser extension.

This means it will only be able to intercept information you're committing to your password vault or retrieving from your password vault. It will not compromise your entire vault or all of your passwords stored in there.

You would also need to have first installed a malicious application. Your chances of having this vulnerability exploited are microscopic.
 
So, using 1Password, which I heartily recommend to both Mac (& PC!) users, is a risk in and of itself!? Now what? Really, Apple, I'm at a loss! I have a boatload of passwords I'm using in my "vault". Fortunately, I just clean installed El Cap on both my Macs. I guess I just shouldn't install anything? Lol. What to do... thoughts...?
Hmm, looks like my method of using the same password for everything instead of randomly generating them and storing them somewhere is more secure :)
 
  • Like
Reactions: Benjamin Frost
It was such a better time when Macs were not popular, were expensive, and deviants had no interest in exploiting them.

Now, given they are very popular and quite cheap to pick up second-hand, I can see more and more exploits in the future.

The good days are over :(
 
Hmm, looks like my method of using the same password for everything instead of randomly generating them and storing them somewhere is more secure :)

It's much easier to grab what you're typing into a box (especially from a browser extension) than the way that 1Password does it. Like ridiculously easy.

And if you use the same password for everything it only needs one site to be compromised and your Email+Password credentials can be harvested and tried on every other important site on the internet to gain access to your accounts.
 
It's much easier to grab what you're typing into a box (especially from a browser extension) than the way that 1Password does it. Like ridiculously easy.

And if you use the same password for everything it only needs one site to be compromised and your Email+Password credentials can be harvested and tried on every other important site on the internet to gain access to your accounts.

I agree, people that use the same passwords for multiple logins are crazy. Break one and they have everything.
 
It's much easier to grab what you're typing into a box (especially from a browser extension) than the way that 1Password does it. Like ridiculously easy.

And if you use the same password for everything it only needs one site to be compromised and your Email+Password credentials can be harvested and tried on every other important site on the internet to gain access to your accounts.
Yeah, actually, it's probably less secure overall. But it's more secure in one way, which is that no Keychain vulnerability affects it. Run one malicious app on your Mac once, and all your Keychain passwords are stolen this way. If you type them yourself, they can only steal them if you run a malicious browser extension or something the whole time. I don't know how much more secure it is to store it.

Anyway, I use a strong and stored password for the very few things I actually care about not getting hacked. So I'm definitely not installing anything for a few months.
 
Last edited:
  • Like
Reactions: Benjamin Frost
Except that the apps exploiting this are in the Apple App store. That is the point. Third party means anyone but Apple. That means 99.999% of the App store apps.
Where is that stated? From what I've read the proof of concept apps were successfully submitted and listed on the Mac App Store and then subsequently removed. Are there reports that this exploit is active in the wild?
 
It was such a better time when Macs were not popular, were expensive, and deviants had no interest in exploiting them.

Now, given they are very popular and quite cheap to pick up second-hand, I can see more and more exploits in the future.

The good days are over :(

Maybe they'll bring back that Mac vs PC ad, this time it's the reverse :D
 
  • Like
Reactions: DCIFRTHS and H2SO4
What would you like them to do? Put an ad in the paper?
That kind of stuff needs to be resolved quietly BECAUSE there is no need to broadcast to the hackers.

Also, the people who keep saying as a fact that Apple has done nothing need to read the line where it says they tried (so far unsuccessfully).
Looks like it's not as easy as a poster saying: Just fix it. Flip a switch and we are done!

Security by obscurity? Hackers are by definition better informed about these sorts of things than regular users. It is foolish to believe that this is not going to be noticed on a larger scale just because Apple is quiet. If you know your way around OS X, you will likely have heard of it by now. By not saying anything, the most vulnerable party is the unsuspecting user who happily installs everything from the App Store.

Apple needs to recognise that they are dealing with sensitive personal data and that their users rely on their promise to deliver a secure system. Look at LastPass and AgileBits, for instance. Their products greatly depend on their reputation as companies that take security seriously. Both have had to endure pretty significant security problems in the last few days, but they are being transparent about it and openly admit when something went wrong. Apple should deliver a press release, outline what they think the problem is, how they will fix it, and what users can do to minimise the risk.
 
So, using 1Password, which I heartily recommend to both Mac (& PC!) users, is a risk in and of itself!? Now what? Really, Apple, I'm at a loss! I have a boatload of passwords I'm using in my "vault". Fortunately, I just clean installed El Cap on both my Macs. I guess I just shouldn't install anything? Lol. What to do... thoughts...?

Any reason why you're installing beta 1 of an OS X that isn't out until at least September? Are you a dev? If so do you need to be running it on both systems?

I'd be more concerned about running very preliminary beta software as my daily driver OS than about this vulnerability's effect on my security.
 
  • Like
Reactions: MyNameIsJon
Yeah, actually, it's probably less secure overall. But it's more secure in one way, which is that no Keychain vulnerability affects it. Run one malicious app on your Mac once, and all your Keychain passwords are stolen this way. If you type them yourself, they can only steal them if you run a malicious browser extension or something the whole time. I don't know how much more secure it is to store it.

Anyway, I use a strong and stored password for the very few things I actually care about not getting hacked. So I'm definitely not installing anything for a few months.

Well this made no sense.
 
I've read what I could, and may I ask, how does this affect those that don't use applications or extensions such as 1Password? I don't have my browser set to remember any of my passwords, and I just simply remember all of them myself. I realize something must be installed in the first place, but how would it affect someone with my habits?
 
XARA is an exploit discovered by a university. XARA is not an application. There may be no applications in existence that use this same exploit at this time. Be safe, only install known good software.
 
I've read what I could, and may I ask, how does this affect those that don't use applications
If you don't use applications then you wouldn't be downloading any malicious applications in the first place so you're safe :)
 
Well, I need to know which version, exactly which version, of OSX and iOS are affected.

It's not a matter of versions. There are four different exploits. Versions in and of themselves do not appear to matter. For all intents and purposes, OS X is vulnerable to all four and iOS to two at most, though the implications, last I read, were not well understood for iOS relating to the WebSockets vulnerability.

  1. The WebSockets vulnerability affects OS X and anything that can use them, potentially including iOS.
  2. iOS doesn't have ACLs for keychain entries, so an app's access to the keychain depends on its bundle ID, and impersonation doesn't fly there. OS X, on the other hand, IS vulnerable to the malicious keychain switcheroo.
  3. The URL scheme hijacking is the only vulnerability confirmed for iOS, and it affects OS X as well.
  4. The app sandbox traversal vulnerability affects OS X only.
Hope this helps you out a bit.
 
Last edited:
"Avoiding malicious apps can be done by downloading software only from trusted developers and avoiding anything that seems suspicious."

Isn't the point and advantage of the Mac App Store supposed to be that the developers are vetted and trusted, as are the apps? How exactly do we know who the trusted developers are? Does Apple plan on having a blue checkmark system?

As an Apple fanboy, this should be their number one priority. Security is one of the top features of Apple products over the competition.


They do. It's called a Certificate. You have to be a developer to get one. Any App that just installs without warnings probably has a Certificate embedded.
 
  • Like
Reactions: Saucesome2000
I think what troubles me more is the complete silence on Apple's part. This has the potential to be a very serious issue and yet you hear nothing about it from your manufacturer. There is a point where Apple really starts to piss me off with this behaviour. You can see that even the developers of AgileBits are pretty much helpless and can't do anything to fix the problem, while their customers expect a secure product. I wonder how other developers of security software look at this.
They are busy organising the next Apple Watch fashion exhibition.
 