Fallas de seguridad en iOS y OS X

Se incorporó
4 Marzo 2005
Mensajes
7.830
No soy usuario de Apple, pero me encontré con esta noticia que tal vez les interese, ya que trata de problemas de seguridad.

No sabía si publicarla en "equipos IOS", "OS X" o "Apple iOS" y me decidí por esta última.



Se trata de unas fallas de seguridad que permitiría a intrusos obtener passwords de cualquier app instalada o nativa, incluso sin ser detectados. La falla la descubrió un equipo de la Universidad de Indiana/Instituto de Tecnología de Georgia y la habrían informado a Apple hace 6 meses, sin que se haya corregido hasta el momento.


Parte de la noticia:

Researchers have revealed critical zero-day security holes in both the Apple’s iOS and OS X operating systems. These Apple zero-day flaws, according to six researchers, allow a malicious app to steal passwords from Apple’s Keychain, bypass App Store security to enable attackers steal passwords from any installed app including Apple’s native apps – without even being detected.

Apple zero-day flaws – Why is Apple silent?

Indiana University and Georgia Institute of Technology had discovered these critical Apple zero-day flaws some months back in October last year and after waiting for over 6 months for Cupertino’s tech giant to patch things up, research team has published the details of the research. According to the research team, Apple said that it understood the critical nature of flaws and also requested an advance copy of the research back in February. However, it claims that the Apple zero-day flaws in iOS and OS X are still present in the very latest versions of the Apple platforms.
“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome.
Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.â€
The team was able to,

  • crack the keychain service that is used to store passwords and other sensitive credentials for Apple apps
  • sandbox containers on OS X
  • discover weaknesses within the inter-app communication mechanism on iOS and OS X
  • used those weaknesses to steal confidential data
They managed to steal this data from a variety of apps including Facebook, Evernote, photos from WeChat, and other such “high-profile†apps. This research team was also able to get banking credentials from Google Chrome on the very latest OS X 10.10.3 using a sandboxed app to steal keychain and iCloud tokens.

Fuente con la noticia completa:
http://wccftech.com/apple-zero-day-flaws-in-ios-and-os-x/
 

Rudel

Overclockero retirado.
Se incorporó
28 Octubre 2004
Mensajes
8.727
Me parece increíble que Apple se tome tan a la ligera las vulnerabilidades que terceros descubren en sus Sistemas operativos ... buscando mas antecedentes, me parece que este es en realidad el origen de la noticia, en la cual se basa la web que tu encontraste:

http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/

En un caso similar, también se supo de esta otra vulnerabilidad que afecta a 600 millones de smartphones Samsung:

http://arstechnica.com/security/201...ng-galaxy-phones-into-remote-bugging-devices/

En todo caso, la mayoría de estas vulnerabilidades son difíciles de llevar a la práctica y por ello el riesgo a que se exponen los usuarios es en realidad bastante bajo.
Saludos,



Rudel
 
Subir