Tuesday, June 23, 2015

0-day identified in Apple OS X and iOS

Security researchers have spotted 0-day vulnerabilities affecting Apple operating systems, i.e., Mac OS X and iOS. Exploiting the issue could allow an intruder to steal sensitive information that can aid further attacks later on. The security flaws are presented in a joint research paper entitled 'Unauthorized Cross-App Resource Access on Mac OS X and iOS' by Indiana University's Xiaolong Bai, XiaoFeng Wang and Tongxin Li, with Peking University's Kai Chen and the Georgia Institute of Technology's Xiaojing Liao. The flaws, which the researchers named XARA, target major cross-app resource-sharing mechanisms such as the keychain and communication channels, including WebSocket and Scheme. These mechanisms are not properly protected by either the OS or the apps using them, which allows attackers to gain knowledge of sensitive user information through a malicious program. Similarly, the sandbox mechanism is not reliable enough and can be exploited through a malicious app to gain full access to other apps' directories (called containers).
