Apple addresses XARA vulnerabilities, says fixes on the way
Apple on Friday commented on the discovery of so-called cross-app resource access (XARA) exploits, saying it rolled out a server-side security update earlier this week and is currently working with researchers on additional fixes.
In a statement provided to iMore, Apple confirmed knowledge of XARA vulnerabilities and the potential exploits they enable through malicious software on OS X and iOS. Downloaded malware, or nefarious URL schemes, intercepts data being transferred between sandboxed apps, including sensitive information like passwords and authentication keys.
"Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store. We have additional fixes in progress and are working with the researchers to investigate the claims in their paper," an Apple spokesman said.
The vulnerabilities were discovered last year by a team of researchers working out of Indiana University, Georgia Tech and China's Peking University, who subsequently informed Apple of their findings last October. Apple requested details of the exploits be withheld from publication for six months.
As explained in the group's research paper, which was published this week, malicious apps take advantage of flaws in the way OS X and iOS move and store inter-app data. In the case of OS X, malware downloaded from the App Store is able to access and modify the Keychain database and Bundle IDs, the latter of which are used as a form of access control. Other attacks involve WebSockets and URL schemes.
While the threat is very real, some news outlets have perhaps overhyped XARA's danger, iMore says. In order to implement a fix, however, both Apple and developers need to rework data handling methods with more stringent protocols.