What You Need to Know About Recent 'XARA' Exploits Against iOS and OS X

[Thunderhawks]

Well, the "bad guys" put an ad in the paper, and so far, I haven't heard a peep from Apple as to what they are doing. Not cool.

You won't hear anything from Apple.
As others posted why broadcast and alert other hackers to try this?

Let's even say they put ads and put it on TV what are we individually going to do then?
No longer use our phones and computers?

Same when the government declares code RED or other useless information.

 

[Benjamin Frost]

My question is: If a malicious app has already been downloaded, and the app is not running, is my system at risk?

You're probably okay, as long as background tasks aren't running. I would turn off all notifications and background processes relating to these apps.

 

[iapplelove]

Lol we will never be safe again.

 

[iFitzgerald]

After saying that Privacy and Security are their strong point at WWDC, this coming along is a slap to the face :x

 

[lugesm]

So . . . if I don't already have a problem, AND I don't download any new applications, I am safe ? ? ?

I second (or is it 15th?) the comment that Apple has been irresponsible in issuing NO comments about this vulnerability and actions being taken, if any.

 

[skinned66]

For those concerned about 1Password, I recommend you read Jeff Goldberg's post in Agile Blog as well as the community discussion below it where he responds to specific concerns and questions; you might get a question answered.

If you have a cursory understanding of the methods used in the hacks, one can mitigate the risks pretty effectively. The above link provides steps you can take specifically for 1Password.

Speaking from a purely personal perspective I am not concerned about being compromised, even though my install of Yosemite and iOS are the same as everyone else's, with the exception of my jailbroken iPad. I have 1Password on all of my iOS devices and Macs.

 

[skinned66]

After saying that Privacy and Security are their strong point at WWDC, this coming along is a slap to the face :x

I expect they're going to have to do something about it. have had a 6 month lead on these vulnerabilities.

 

[MyNameIsJon]

And another comment that's totally pointless.

And another comment that's totally pointless.

 

[Dark Void]

How does this affect someone that doesn't use 1Password or have their browser remember their logins? Does it function as a normal keylogger?

 

[I7guy]

So . . . if I don't already have a problem, AND I don't download any new applications, I am safe ? ? ?

I second (or is it 15th?) the comment that Apple has been irresponsible in issuing NO comments about this vulnerability and actions being taken, if any.

The larger companies never comment on vulnerabilities until patched...for obvious reasons.

 

[lugesm]

The larger companies never comment on vulnerabilities until patched...for obvious reasons.

This has the potential for shutting down the App Store until the problem is resolved.

 

[I7guy]

This has the potential for shutting down the App Store until the problem is resolved.

But Apple still won't comment on it. It's an invitation for ne'er do wells to make the evil most of a situation.

 

[lugesm]

But Apple still won't comment on it. It's an invitation for ne'er do wells to make the evil most of a situation.

What does Apple gain by silence? The cat is out of the bag. It is all over the Internet, for Pete's sake. A comment suggesting that Apple has it under control would actually DISCOURAGE hackers.

 

[vmistery]

I think what troubles me more is the complete silence on Apple's part. This has the potential to be a very serious issue and yet you hear nothing about it from your manufacturer. There is a point where Apple really starts to piss me off with this behaviour. You can see that even the developers of AgileBits are pretty much helpless and can't do anything to fix the problem, while their customers expect a secure product. I wonder how other developers of security software look at this.

At least it will get fixed that's how I see it. How many Android devices are out there with know vulnerabilities because they are not ever patched?

 

[Thunderhawks]

What does Apple gain by silence? The cat is out of the bag. It is all over the Internet, for Pete's sake. A comment suggesting that Apple has it under control would actually DISCOURAGE hackers.

Hackers are not discouraged by anything. They'll try the old hack and then see if they can do variations off that hack, just like people try old passwords pirating.

All over the internet means nothing.
Consumers will still click on everything to make it go away.

Apple announcement:
Don't use our products and not anybody elses either.
It's not safe to use computers, smartphones or the internet.
We recommend back to handwriting in code and never share anything with anybody!
Please do not use pigeons they may be shot down.
Telephones can be spied upon, even rotary.
Check your house for planted microphones and other listening devices. Don't tell you doctor anything. The information will be hacked and used against you by the insurance companies.

Shoot yourselves now! Think Differently!

Problem solved?Geez!

 

[Roadstar]

How can you say you've never had this problem with Windows? You've must be joking, with Windows your information can be taken even without downloading an app just connect it to the internet.

You might want to update your knowledge on Windows. What you're saying applies to Windows XP pre SP2 and older, and after the new security model introduced in Windows Vista (that was in 9 years ago in 2006) Windows has been quite decent when it comes to security.

 

[I7guy]

What does Apple gain by silence? The cat is out of the bag. It is all over the Internet, for Pete's sake. A comment suggesting that Apple has it under control would actually DISCOURAGE hackers.

A comment like that from Apple would actually have the opposite affect. The hackers would try and "get one in" before the fix.

 

[newellj]

Way too extreme. It's as simple as just disconnecting from the internet - no worries!

Hackers are not discouraged by anything. They'll try the old hack and then see if they can do variations off that hack, just like people try old passwords pirating.

All over the internet means nothing.
Consumers will still click on everything to make it go away.

Apple announcement:
Don't use our products and not anybody elses either.
It's not safe to use computers, smartphones or the internet.
We recommend back to handwriting in code and never share anything with anybody!
Please do not use pigeons they may be shot down.
Telephones can be spied upon, even rotary.
Check your house for planted microphones and other listening devices. Don't tell you doctor anything. The information will be hacked and used against you by the insurance companies.

Shoot yourselves now! Think Differently!

Problem solved?Geez!

 

[moderately]

I think the problem is software has become an after thought for pretty products. This is the first year they are actually fixing the os post Steve. Instead of coming out with a new one every year. Im pissed right now. I bought this macbook pro for my personal use because all I heard is how secure it is. Now to think of it in my 14 yrs using windows , I never had this problem. I feel like a chump.

You never had this problem with a macbook either. These exploits have not been found in the wild.

 

[2010mini]

I don't think people are glossing over that fact. It's the silence that has people bugged - or at least what has me bugged.

Apple said they asked the researchers to hold off on reporting for 6 months. Why would they themselves announce it during that time?

In any case Apple actually did patches on their side (servers) to combat this.

 

[I7guy]

Apple said they asked the researchers to hold off on reporting for 6 months. Why would they themselves announce it during that time?

In any case Apple actually did patches on their side (servers) to combat this.

Nobody outside of apple knows what apple did or didn't do. People are assuming they sat on their hands, which may or may not be the case as it is. But what apple did or didn't do is all speculation.

 

[DCIFRTHS]

Apple said they asked the researchers to hold off on reporting for 6 months. Why would they themselves announce it during that time?

In any case Apple actually did patches on their side (servers) to combat this.

I didn't mean that Apple should have announced it during the six month "grace period". After the researchers publicly disclosed it is when Apple should have commented (and it looks like they have done so).

 

[DCIFRTHS]

Nobody outside of apple knows what apple did or didn't do. People are assuming they sat on their hands, which may or may not be the case as it is. But what apple did or didn't do is all speculation.

Apple did issue a statement. While rather vague toward the end, maybe we do have the beginning of a more transparent Apple (with regard to security issues).

 

[I7guy]

Apple did issue a statement. While rather vague toward the end, maybe we do have the beginning of a more transparent Apple (with regard to security issues).

Transparent only in a general sense. Rightfully so they didn't comment on specifics, which is what I was getting before. They don't want to give ammo to the bad guys.

 

[dalbright]

I don't think this is in the wild. The original article said that the finders wrote exploit apps and put them on the App Store. Apple did not flag them as malware at the time.
If Apple could find the "fingerprint" of the exploit in the app, then they can drop them from the store in a short space of time.
Apples gatekeeping is all good and well, but using your own judgement is important too - from some of the comments here it sounds like people have given up on checking things out themselves.

This happened to me and I lost massive amounts of data off iCloud drive. The computer was brand new and the only apps I downloaded were Wunderlist, Gemini, Superduper, and Adobe Creative Suite. Those are all highly regarded apps.