Tardy response? Apple’s security reputation takes another hit as researchers reveal long-standing zero-day flaws
Apple has known about major zero-day flaws in its iOS and OS X operating systems for at least eight months, but the flaws are still present.
This is the claim made by six university researchers from Indiana University, Peking University and the Georgia Institute of Technology, who said they informed Apple of the flaws back in October 2014.
The security holes in both iOS and Mac OS X allow a malicious app to steal passwords from Apple's Keychain, and from both Apple and third-party apps, without being detected.
The researchers have published a paper outlining the flaws.
The Register reports that the researchers not only cracked Apple's Keychain, but also circumvented the app sandbox and bypassed Apple's App Store security checks. The team was able to get malware into the App Store: it passed Apple's notoriously stringent vetting process without triggering any alerts.
The team also raided the Keychain (Apple's password management system in OS X) to steal a number of passwords, including those for the native Mail app, iCloud and any passwords saved by Google Chrome.
“The consequences of these attacks are very serious, including leaks of user passwords, secret tokens and all kinds of sensitive documents,” said the researchers in their paper. “Our research shows that fundamentally the problem comes from lack of authentication during app-to-app and app-to-system interactions, and further proposes new techniques to detect and mitigate such a threat.”
The team said they had informed Apple back in October 2014, and Apple asked them to hold off publishing details of the flaws for six months.
Eight months on, that window has well and truly passed, and the researchers say they have still not heard back from Apple on the matter.
Even worse, the researchers warn that the flaws are still present in Apple’s current operating systems.
This is not the first time Apple has been criticised for failing to fix security vulnerabilities promptly. In 2012, for example, security researchers complained that it did not react fast enough to kill off a prevalent malware strain called Flashback.
Apple has enjoyed a good security reputation in the past, but it is clear that its operating systems contain a number of vulnerabilities. Earlier this month, for example, researchers warned that cybercriminals could use an iOS vulnerability to hack Apple Pay.
And late last year it emerged that Apple products in China running Mac OS or iOS were under attack by a new family of malware.
Last November another serious vulnerability, known as "Rootpipe", came to light and had to be patched by Apple. That flaw let an attacker who already had admin privileges on a compromised Mac escalate to the highest level of access, known as root.