[SingCERT] Security Flaws in Apple OS X and iOS

Published on Tuesday, 23 June 2015 16:47

[ Background ]

Six university researchers have revealed four vulnerabilities affecting Apple OS X and iOS. These vulnerabilities could allow attackers to steal passwords and other credentials if successfully exploited.

The vulnerabilities are:

  1. Password stealing vulnerability
    Allows a malicious app to steal the credentials that the user has entered in to the keychain when the user accesses the affected app.
  2. Container cracking
    Allows a malicious app to gain access to the secure container belonging to another app and steal data from it.
  3. IPC interception
    Allows a malicious app to claim the network port used by a legitimate application and intercept data intended for it, such as password or other sensitive information.
  4. Scheme hijacking
    Allows a malicious app to steal access tokens and passwords.

[ Affected Software ]

  • Apple OS X
  • Apple iOS


[ Impact ]

Passwords, authentication tokens and other sensitive and private information could be stolen if one of the vulnerabilities is successfully exploited.


[ Recommendations/Workarounds ]

Currently, no patches are available. Users are advised to adopt the following recommendations to reduce the chances of being exploited.

  • Do not download and install apps from unknown sources
  • Do not open suspicious links


[ References ]
https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view?pli=1
http://www.imore.com/depth-look-ios-os-x-xara-vulnerabilities
http://www.imore.com/xara-exploits-mac-iphone-and-ipad-and-what-you-need-know
http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_