Multiple Cross App Resource Access Vulnerabilities in Apple Operating Systems Could Allow Information Disclosure

ITS Advisory Number: 
2015-069
Date(s) Issued: 
Friday, July 3, 2015
Subject: 
Multiple Cross App Resource Access Vulnerabilities in Apple Operating Systems Could Allow Information Disclosure
Overview: 

Multiple Cross App Resource Access (XARA) vulnerabilities have been discovered in Apple Mac OS X and Apple iOS. Mac OS X is an operating system for Apple computers. Apple iOS is an operating system for iPhone, iPod touch, iPad, Apple TV. This vulnerability can be exploited if a user downloads a malicious application onto their system or device.

Successful exploitation could result in an attacker gaining access to sensitive information on the device including passwords, documents, or photos stored on the device or by other applications.

Systems Affected: 
  • Apple Mac OS X version 10.10.3, & 10.10.4 Beta and prior
  • Apple iOS version 8.3 and prior
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Due to a failure to treat other applications on the device as untrusted, multiple Cross App Resource Access (XARA) vulnerabilities have been discovered in Apple Mac OS X and Apple iOS. An attacker can create a specially crafted application and submit it to Apple's App Store as a legitimate application. Once approved, the attacker can entice a victim to download the application, allowing access to data stored on the system as well as data stored by other applications.

Based on a sampling of the top 1,612 OSX applications and 200 iOS applications at the time, the researchers reported a vulnerability rate of 88.6% across the App Stores.

Successful exploitation could result in an attacker gaining access to sensitive information including the OSX system keychain, iCloud secret token, passwords, and any other data stored or processed by a vulnerable application.

The following provide more detail on the vulnerabilities discovered;

  • An authentication-bypass vulnerability exits because it fails to properly implement the authentication mechanism. Specifically, the issue affects the 'Keychain' service. An attacker can exploit this issue to obtain sensitive information such as authentication tokens, iCloud passwords, and user password saved on Google Chrome.   
  • A security-bypass vulnerability exists because it fails to properly restrict access to the secure container belonging to another app. An attacker can exploit this issue to obtain data from another app.   
  • An information-disclosure vulnerability exists because it fails to properly restrict  user supplied input. Specifically, the issue affects the cross-app Inter-process communication (IPC) channels.  An attacker can exploit this issue to obtain sensitive information such as passwords.

A security vulnerability exists because it allows a malicious app to hijack a scheme. An attacker can exploit this issue to access tokens and other information.

Actions: 
  • Once a patch is released from Apple perform updates immediately after appropriate testing.
  • Remind users not to download applications from un-trusted or unknown sources.