
Multiple vulnerabilities found in Mac OS X

Published June 17th, 2015 at 3:30 PM EDT, modified June 23rd, 2015 at 4:23 PM EDT

A group of six researchers at universities in the US and China published a paper last weekend detailing several vulnerabilities in Mac OS X, which the paper groups under the name XARA (unauthorized cross-app resource access). Each of them gives a malicious app a way to get at data belonging to another app. Frighteningly, all of them can be exploited from a Mac App Store app, and one of them reaches into other apps' keychain entries!

The worst of these would let a malicious app harvest data from the keychain, though only under specific conditions. The access control list on a keychain item is set by whichever app creates that item. A malicious app could delete a keychain item created by another app (or create it before the target app ever does) and put a lookalike in its place that grants the malicious app access. When the target app later looks up the item, it finds one where it expects it, deposits its secret, such as a password, into it, and the malicious app can then read it. The check a developer wants here is to confirm, before writing a secret into an existing item, that the item's access list names only the apps it should.

Another vulnerability involves the data storage mechanism for sandboxed apps. Apps from the Mac App Store are required to be "sandboxed," meaning that they are isolated from each other and from the system to some degree. Each such app gets its own container folder under the hidden ~/Library/Containers directory, in which it can store whatever data it wants. That folder is named after the app's "bundle ID," a reverse-DNS string like "com.apple.mail" (in the case of Apple's Mail app).

Bundle IDs are supposed to be unique, and the App Store enforces this for the app itself. Unfortunately, it does not enforce it for any "helper apps" bundled inside that app. This means a malicious app could ship a helper that uses some other app's bundle ID, and that helper, and by extension the app containing it, would be given access to the other app's container and the private data stored there.

A third issue involves inter-process communication (IPC) over WebSocket. On Mac OS X, one app can act as a WebSocket server listening on a particular local port, and another app (or a browser extension) sends data to that port, intended for the server app. 1Password uses this kind of channel between the 1Password browser extension and the 1Password app.

Unfortunately, a malicious process could claim that port first and be in a position to receive data intended for the real server: a connection to a local port carries no proof of which process is listening on it. In the case of 1Password, a malicious app could imitate the 1Password app and receive password data from the 1Password browser extension.
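The race described above, and the kind of client-side check that closes it, as an added example (this is not code from the article, the paper, or AgileBits). Plain TCP on 127.0.0.1 stands in for the WebSocket connection, and the port selection, the 16-byte nonce / 32-byte HMAC message format and the shared secret are assumptions, not any real product's protocol. Whichever party binds the port first gets the client's connection; the client then sends a fresh nonce and accepts the peer only if the reply proves knowledge of a secret the impostor does not have.

```python
"""Localhost port race (first bind wins) plus a challenge that lets the client
reject an impostor. Constructed example: TCP stands in for WebSocket, and the
nonce/HMAC exchange and shared secret are assumptions for illustration."""
import hashlib
import hmac
import os
import socket
import threading

HOST = "127.0.0.1"
NONCE_LEN = 16
MAC_LEN = 32


def bind_listener(port):
    """Try to own HOST:port. Returns a listening socket, or None if another
    process (or thread) already holds it: the OS refuses a second bind with
    EADDRINUSE, so the race is decided purely by who gets there first."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((HOST, port))
    except OSError:
        sock.close()
        return None
    sock.listen(1)
    return sock


def recv_exact(sock, n):
    """Read exactly n bytes (a single TCP recv may return fewer)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf


def serve_once(listener, secret):
    """Accept one client and answer its challenge. The genuine helper knows the
    secret; the impostor (secret=None) can only send something random."""
    conn, _ = listener.accept()
    with conn:
        nonce = recv_exact(conn, NONCE_LEN)
        if secret is None:
            reply = os.urandom(MAC_LEN)
        else:
            reply = hmac.new(secret, nonce, hashlib.sha256).digest()
        conn.sendall(reply)


def client_connect(port, secret):
    """Connect to whatever is listening. The connection itself says nothing
    about which process answered, so send a fresh nonce and accept the peer
    only if its reply proves knowledge of the shared secret."""
    nonce = os.urandom(NONCE_LEN)
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()
    with socket.create_connection((HOST, port), timeout=5) as conn:
        conn.sendall(nonce)
        reply = recv_exact(conn, MAC_LEN)
    return hmac.compare_digest(reply, expected)


def free_port():
    """Pick an unused port for the demo; a real helper listens on a fixed one."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((HOST, 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def run_scenario(impostor_first):
    """Start both parties in the given order on one port and return
    (genuine_helper_got_the_port, client_accepted_the_peer)."""
    secret = os.urandom(32)
    port = free_port()
    if impostor_first:
        impostor = bind_listener(port)
        legit = bind_listener(port)
    else:
        legit = bind_listener(port)
        impostor = bind_listener(port)
    if legit is not None:
        listener, known_secret = legit, secret
    else:
        listener, known_secret = impostor, None
    server = threading.Thread(target=serve_once, args=(listener, known_secret))
    server.start()
    accepted = client_connect(port, secret)
    server.join()
    for s in (impostor, legit):
        if s is not None:
            s.close()
    return legit is not None, accepted


if __name__ == "__main__":
    print("impostor first:", run_scenario(True))    # (False, False)
    print("helper first:  ", run_scenario(False))   # (True, True)
```

The point of the challenge is that a loopback connection gives the client no identity for the listening process, so it has to be established some other way. That only helps if the secret lives where the impostor cannot read it, which on OS X means the keychain, the very resource the first vulnerability targets; peer authentication is part of the fix, not the whole of it.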

Finally, the last vulnerability involves app-specific URL schemes, such as the "itms://" links that open the iTunes Store. Some of these schemes are reserved for Apple and no third-party app can use them. Many others, however, can be registered by any third-party app.

On Mac OS X, the first app to register a URL scheme is the one that gets it, and the app whose data is at stake has no way to reserve the scheme for itself. So if a malicious app beats a legitimate app to registering a scheme, it can intercept data sent via that scheme. In the example cited in the paper, a "wunderlist://" URL carrying a secret token for a Wunderlist account could be intercepted by a malicious app, giving that app access to the account.
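A scanner for the two bundle-level problems above, helper apps wearing another app's bundle ID and URL schemes claimed by more than one app, as an added example that is not from the article or the paper. It reads each bundle's Contents/Info.plist with Python's plistlib (CFBundleIdentifier and CFBundleURLTypes are the real keys); the sample apps, their identifiers and the "notessync" scheme are constructed for the demo. The "foreign ID" test is a heuristic on the reverse-DNS prefix and will also flag bundled third-party frameworks, so treat the output as a review list rather than a verdict.

```python
"""Scan .app bundles for helpers carrying a foreign CFBundleIdentifier and for
URL schemes claimed by more than one app. Constructed example: the apps built
by build_sample_apps() are invented for illustration."""
import os
import plistlib
import tempfile
from collections import defaultdict


def write_bundle(path, info):
    """Create a minimal bundle directory with Contents/Info.plist."""
    os.makedirs(os.path.join(path, "Contents"), exist_ok=True)
    with open(os.path.join(path, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump(info, f)


def read_info(bundle_path):
    """Return the bundle's Info.plist as a dict ({} if there is none)."""
    info = os.path.join(bundle_path, "Contents", "Info.plist")
    if not os.path.isfile(info):
        return {}
    with open(info, "rb") as f:
        return plistlib.load(f)


def org_prefix(bundle_id):
    """'com.example.notessync.helper' -> 'com.example' (developer's reverse-DNS root)."""
    return ".".join(bundle_id.split(".")[:2])


def nested_bundles(app_path):
    """Every .app/.xpc/.appex bundle below app_path (helpers, XPC services, extensions)."""
    for root, dirs, _ in os.walk(app_path):
        for d in dirs:
            if d.endswith((".app", ".xpc", ".appex")):
                yield os.path.join(root, d)


def foreign_helpers(app_path):
    """Nested bundles whose identifier is not under the main app's prefix.
    Heuristic: legitimately bundled third-party code shows up too, so review by hand."""
    main_prefix = org_prefix(read_info(app_path).get("CFBundleIdentifier", ""))
    found = []
    for helper in nested_bundles(app_path):
        hid = read_info(helper).get("CFBundleIdentifier", "")
        if hid and org_prefix(hid) != main_prefix:
            found.append((os.path.relpath(helper, app_path), hid))
    return sorted(found)


def scheme_claims(apps_dir):
    """Map each URL scheme declared in CFBundleURLTypes to the bundle IDs claiming it."""
    claims = defaultdict(set)
    for name in os.listdir(apps_dir):
        if not name.endswith(".app"):
            continue
        info = read_info(os.path.join(apps_dir, name))
        for entry in info.get("CFBundleURLTypes", []):
            for scheme in entry.get("CFBundleURLSchemes", []):
                claims[scheme.lower()].add(info.get("CFBundleIdentifier", name))
    return {s: sorted(ids) for s, ids in claims.items()}


def contested_schemes(apps_dir):
    """Schemes that more than one installed app wants to handle."""
    return {s: ids for s, ids in scheme_claims(apps_dir).items() if len(ids) > 1}


def build_sample_apps(root):
    """Constructed fixture: one genuine app, and one that both copies its URL
    scheme and ships a login-item helper wearing its bundle ID."""
    write_bundle(os.path.join(root, "NotesSync.app"), {
        "CFBundleIdentifier": "com.example.notessync",
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["notessync"]}],
    })
    bad = os.path.join(root, "FreeWallpapers.app")
    write_bundle(bad, {
        "CFBundleIdentifier": "com.badguy.wallpapers",
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["NotesSync", "wallpapers"]}],
    })
    write_bundle(os.path.join(bad, "Contents", "XPCServices", "Fetcher.xpc"),
                 {"CFBundleIdentifier": "com.badguy.wallpapers.fetcher"})  # own helper: fine
    write_bundle(os.path.join(bad, "Contents", "Library", "LoginItems", "Sync.app"),
                 {"CFBundleIdentifier": "com.example.notessync"})          # foreign ID


def demo():
    """Build the fixture in a temp dir and return both findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_apps(root)
        return {
            "foreign_helpers": foreign_helpers(os.path.join(root, "FreeWallpapers.app")),
            "contested_schemes": contested_schemes(root),
        }


if __name__ == "__main__":
    print(demo())
```

On a real Mac, `contested_schemes("/Applications")` and `foreign_helpers("/Applications/SomeApp.app")` run the same checks against installed software; schemes are compared case-insensitively because the URL scheme itself is.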

All four of these vulnerabilities are very serious, and worse, all of them can be exploited by Mac App Store apps. The researchers got apps containing all of these exploits through App Store review. (They pulled those apps from the App Store as soon as they were approved.) Worse still, Apple has known about these issues for six months, yet there are still no fixes in place.

All this sounds very bad, but fortunately there is some good news. First, there is no known malware in the wild that uses these vulnerabilities yet. Some could certainly appear very soon, but the attacker still has to get the malware installed, and there is no known way to do that without fooling the user. (Admittedly, the current high rate of adware infections shows that fooling users is not always difficult.)

Further, even if malware using these vulnerabilities did get installed, is that really any worse than what malware can already do? Probably not. Once installed, malware can easily monitor keystrokes, take screenshots, track your browsing history, upload your personal files to a malicious server, and so on, without relying on any vulnerabilities or even asking for an admin password. Malware has been doing this sort of thing for years without needing these kinds of bugs. Even Mac App Store apps have been caught doing some of these things.

Apple should definitely fix these vulnerabilities, and should do so soon. However, it seems like a mistake to me to ever assume that running an untrusted app is safe. If an untrusted app has gotten onto your system, you have serious problems whether or not vulnerabilities like these are present. To protect yourself, be cautious about the apps you install on your computer. Download them only from the developer's own site and always research them thoroughly first. If you download from the Mac App Store, pay close attention to reviews, and never download an app that is so new (or unpopular) that it has no reviews yet.

Updates

Tuesday, June 23, 2015 @ 4:20 pm EST: Apple has already fixed the issues with the App Store approval process, from the sounds of it. Further, I’ve heard from a developer who tried to duplicate the keychain vulnerability on his own system, and was unable to make it work. It seems the keychain vulnerability either may have been fixed already, without any announcement, or it is much harder to exploit than the paper describes.


26 Comments

  • Retrocausal says:

    Even if the actual threat appears to be fairly low to the common user, Apple should fix this at once, as a matter of security principle. If you found out that your door lock had been defunct during the last six months without you realizing it (you’d have to be pretty dumb, admittedly, but still), wouldn’t you replace it as soon as you realized, regardless of past, present or future possible break-ins? Common sense seems to elude Apple at this point.

  • John Fallon says:

    On the other hand, we’ve always been told to trust the App store. And people who leave reviews will never find these issues; they won’t be looking for them. This is why Apple gets the 30 percent cut.
    Of course, they’ll only fix this (if they do) in Yosemite and El Capitan.

  • I. P. Freely says:

    Consumer-oriented computer operating systems such as Windows, OSX, IOS, Android, et al. have become a binary “open sore” begging to be compromised/infected.

    For example – OSX 10.5 logged-in shows about 35 active processes, 10.6 about the same. OSX 10.9 sports well over 100 active processes. These 2x more active processes are running to facilitate integration with other devices and services; but are basically intended to monitor and track user activity and/or sell you stuff.

    It is simply a matter of time before relying on a personal computing device of any stripe will provide far more risk than reward.

    The more these devices are integrated the more likely a compromise can and will occur.

    Apple, specifically, has created a perfect “Gordian Knot” in their attempts to integrate/unify OSX and IOS more closely.

    Difficult or impossible to unravel but easy to break.

  • ng says:

    Do you think forcing app makers to apply encryption to their data by default might stop, or at least reduce the odds of losing sensitive data against such vulnerabilities you’ve mentioned? If yes, why haven’t they already started doing that for years?

    Thanks,
    ng

    • Thomas says:

      I don’t think it’s reasonable to require app makers to encrypt all their own data. Encryption is not easy to do right, and such a requirement could cause small-time developers to fail completely. Plus, a lot of data simply isn’t interesting enough to be worth encrypting.

      Besides which, encryption is no guarantee. The keychain is encrypted, yet one of these vulnerabilities allows a malicious app to harvest data from there.

  • Timothy says:

    This is more than just a bug in some code (GotoFail was an inexcusable bug).
    In my opinion, this is indicative of a total disregard for security and integrity at every stage from the design and coding of Gatekeeper to the App Store review process. This is multiple failures in multiple areas. As someone who has been using Macs exclusively since 1987, I no longer have confidence in Apple.

    • Thomas says:

      What folks need to keep in mind here is that once malware is on your computer, you’re screwed, to some degree or another. This merely puts some specific parameters on how you could be screwed.

      It’s also important to mention that the authors of the paper pointed out that there are fairly similar vulnerabilities on Windows and Android. Mac OS X is not alone here. No system is perfectly secure against attacks from within. Further, I seriously doubt that that is even possible without a complete rewrite of the entire codebase, a complete rethinking of how systems should work, and losing some features we take for granted today.

  • pucca says:

    Again? Apple has been in the news with security issues quite a few times lately and to be honest it scares me. I only download from trusted sites but now you can’t even trust the appstore anymore. I also keep checking if there is an update but none so far. And to make matters worse some trusted sites had been infected with malware ads so it’s easy to get malware/adware even if you try to be careful.

    I agree that every system has problems and such but the safety I once felt when using a mac instead of windows is gone. I use my virus scanner and adwaremedic more often, so far didn’t find anything but the unsafe feeling remains because I know it cannot detect everything out there.

    • james says:

      This is going to happen on any computer you own. If you’re that scared, take it off of the internet or get rid of it. It’s the absolute only way of being safe.

  • DRM says:

    I have just been infected with an adware/malware pest called Nariabox, which hijacked my browser homepage. Could this be part of this issue? Is this something that adwaremedic can deal with?

    • Thomas says:

      That is not related to these vulnerabilities, it sounds like you just have adware. AdwareMedic should be able to deal with it, and if it can’t, it will tell you what to try next.

  • Megan says:

    Hi, I’m Megan and I work for AgileBits, the makers of 1Password.

    For our security expert’s thoughts on this article, please see our blog: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/. If you have further questions, we’d love to hear your thoughts in our discussion forums: https://discussions.agilebits.com.

    • Thomas says:

      Thanks… I was going to draw attention there, but you beat me to it!

      And if anyone reading thinks that these vulnerabilities are a good reason to avoid 1Password, let me say that I use it myself, and have no intention of stopping. There are MANY ways for malware to capture password data once it’s installed on your computer, but you are still safer using an app like 1Password than not using a password manager at all.

      • Norris Beale says:

        I keep all my usernames and passwords organized in a MS Excel spreadsheet which itself is password protected. I don’t use any clouds or remote backup tools.
        Please advise, am I a genius or a neanderthal?

        • Thomas says:

          If you’re using the encryption in a recent version of Excel, and are using a good, strong password, then you should be okay. Although a good password manager would be more convenient than Excel, of course.

  • JG says:

    Please forgive me if this question has basically already been answered by this or other articles, but I’m a little frazzled today considering I (and my entire family) use Macs and I use a Samsung cellphone. The news has not been the best for me.

    With regards to this vulnerability, if you do not download any new Apps (from the App Store or otherwise), then would you be protected? I only have three Apps purchased for my Mac, all of which have been in the App Store since at least October 2014. I also use Adobe Photoshop, but that can be downloaded directly from Adobe’s website.

    I have heard about “drive-by downloads” from ads hosted on different websites, but I use the AdBlock Plus Chrome extension and have Chrome set to not run plugins without permission. I can only assume this would further protect me from adware or malware being installed on my system without my express permission, and therefore from these vulnerabilities?

    Again, I’m sorry if I’m asking questions that have already been answered, but I’m afraid I don’t really understand how one can “get” this malware (or, rather, have these vulnerabilities exploited) or the ways in which you can protect yourself from it.

    Thank you!

    • Thomas says:

      First, understand that this is not malware. These are just vulnerabilities with the potential to be misused by theoretical future malware, which as far as I know doesn’t exist yet.

      As for how to protect against such future malware, see the How can I protect myself? section of my Mac Malware Guide. The precautions you’re taking in Chrome are reasonable for protecting against some theoretical future vulnerability that could make drive-by downloads possible, but should not be considered comprehensive. Since no such vulnerability is known at this time, it’s impossible to say exactly what form it could take or what methods would be needed to avoid it.

      • JG says:

        So, like you said then, just the standard “be careful what you download” advice is probably the best to follow right now, because there is not something out there presently taking advantage of these vulnerabilities, but could be in the future? That makes me feel a lot better. It was starting a bit to feel like technology Armageddon.

        Thank you so much!

  • iEscape says:

    These articles are maybe interesting to read:

    Apple addresses XARA vulnerabilities, says fixes on the way
    http://forums.appleinsider.com/t/186842/apple-addresses-xara-vulnerabilities-says-fixes-on-the-way

    Apple comments on XARA exploits, and what you need to know:
    http://www.imore.com/xara-exploits-mac-iphone-and-ipad-and-what-you-need-know

  • CA says:

    I can’t quite tell how this happened but I purchased a MacBook Air in Feb this year. I turned on the firewall, set the disk encryption and switched off all file sharing options. In April I tried to connect an email account. There was an email from myself that I opened. It was blank and no attachment. Then the mail connection simply vanished. Later that day I noticed my internet connection had slowed dramatically so I logged off only to find another user account. I shut down the network immediately. I then found a bluetooth exchange folder with a few of my word docs in it. I had noticed an unfamiliar device listed under the Devices tag but had simply assumed this was just registering someone nearby.

    I have since found new partitions on the drive and even after using the restore function it appears all I’ve done is reinstall the false system. The scariest thing is that when I thought I had shut down my network connection and computer I have found that there is another operation running behind it and it remains connected to the network. I have just been reading about bash and it seems my macbook air has been remotely taken over with an obvious intent to capture images and documents, who knows what else. This has no doubt been going on for a while. All the advice online talks about prevention. What do I do after the fact?

    • Thomas says:

      If you believe someone malicious has had access to your computer, you need to erase the hard drive and reinstall everything from scratch. Whether that is actually necessary in your case I can’t say.

    • Ann says:

      Same thing happened to me last week!! New MBP with retina which I had hardly used b/c it has been in the store for repairs. I was on a protected network (I can hardly log onto it) at a relative’s house and an unknown MBP briefly appeared under shared users. I shut down the screen sharing, etc (this had been activated when working with apple support on phone and I forgot to turn it off). Reviewed my log in system logs – no expert, but compared to previous start-ups – something different. Called Apple Support and first response was computer “registered to someone else” – she was not bothered by this and confirmed it was my computer by serial code. I turned my computer off, shut down the wifi and disconnected the modem immediately, then made copies of all system logs. I have performed a thorough backup – erased all info on hard drive and reinstalled operating system (twice). I have not connected the back up – afraid I would be using corrupt external drive. Did someone remotely log in and take control? Could they still do so despite steps I have taken thus far? Honestly, I am afraid to use this computer and the external back up and have no idea what to do. Have considered trading this one in with excuse to upgrade to 500GB storage but there is still the issue of the external hard drive. What should I do – nervous

      • Thomas says:

        It is completely normal at times to see other computers on the same network under the Shared section of the sidebar in the Finder. This is not an indication that your computer was being remotely accessed or hacked in any way. I see no indication from your description that your Mac has been hacked, and nothing that seems to be related to the vulnerabilities being discussed on this topic.

  • Anan says:

    Did the OS X Yosemite 10.10.4 update fix these security vulnerabilities ?

    • Al Varnell says:

      I doubt that it did, but you are welcome to take a look for yourself @ http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html. 10.10.4 came out shortly after this vulnerability was published and from what I’ve read the authors kept changing their findings while Apple was trying to fix things. As mentioned in the article, Apple claims to have fixed the issues with the App Store approval process on their end. Without access to the XARA scanner (and confidence that it works as claimed) I don’t know that it’s possible to verify anything about this.
