A cross-app resource access (XARA) attack that researchers at Indiana University, Georgia Tech and China’s Peking University publicized last week seems to have been partially addressed, as Apple issued a server-side fix on the Mac App Store to block malicious apps and secure app data.
Additional fixes are in the works for the XARA exploits on both iOS and OS X, a company spokesperson told iMore. XARA exploits allow malicious apps to steal a user’s iCloud credentials, access private data in apps like 1Password and Evernote, hijack their iCloud Keychain passwords and more.
“Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store,” said an Apple spokesperson. “We have additional fixes in progress and are working with the researchers to investigate the claims in their paper.”
The thirteen-page research paper titled “Unauthorized Cross-App Resource Access on Mac OS X and iOS” offers in-depth information about these exploits, which stem from zero-day flaws in Keychain’s access control lists, URL schemes and OS X’s app containers.
While fixing a flaw in the Mac App Store means malicious apps can no longer bypass the App Store security checks and break app sandboxes, patching other vulnerabilities is thought to require significant architectural changes to the way OS X and iOS interact with apps.
Until the full fix for these high-impact security weaknesses is delivered, you’re advised to avoid downloading software from developers you don’t know and trust.
On OS X, open System Preferences and, under the General tab of the Security & Privacy pane, tick the box next to “Mac App Store and identified developers.” This will prevent installation of unsigned apps from unknown sources.
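The same Gatekeeper setting can be verified from a terminal, which is useful when checking several Macs. The script below is an added example and is not part of the article or of Apple’s tooling; it assumes macOS, where the `spctl` command reports the setting as “assessments enabled” or “assessments disabled” and can assess a single app bundle against the current policy. The parsing helpers are plain shell, so they also run on systems without `spctl`, where the live checks report “unavailable”.

```shell
#!/bin/sh
# Added example (not from the article): read the Gatekeeper setting from the
# command line and assess one app bundle against it.
# Assumes macOS: `spctl --status` prints "assessments enabled|disabled", and
# `spctl --assess --type execute -v <app>` prints "<app>: accepted|rejected"
# followed by a "source=..." line (e.g. "source=Mac App Store").

# Classify the text returned by `spctl --status` (pure shell, testable anywhere).
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo "enabled" ;;
        *"assessments disabled"*) echo "disabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# Reduce the verbose assessment output to a one-word verdict. "accepted" means
# the bundle satisfies the policy selected in System Preferences; the source
# line names the rule that admitted it (Mac App Store, Developer ID, ...).
assessment_verdict() {
    case "$1" in
        *": accepted"*) echo "accepted" ;;
        *": rejected"*) echo "rejected" ;;
        *)              echo "unknown" ;;
    esac
}

# Live check of the Gatekeeper setting; "unavailable" when spctl is absent.
check_gatekeeper() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "unavailable"
        return 0
    fi
    gatekeeper_state "$(spctl --status 2>&1)"
}

# Live assessment of one bundle path; "unavailable" when spctl is absent.
assess_app() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "unavailable"
        return 0
    fi
    assessment_verdict "$(spctl --assess --type execute -v "$1" 2>&1)"
}

echo "Gatekeeper: $(check_gatekeeper)"
# Placeholder bundle path; replace with the app you want to assess.
APP_TO_CHECK="/Applications/Safari.app"
if [ -d "$APP_TO_CHECK" ]; then
    echo "$APP_TO_CHECK: $(assess_app "$APP_TO_CHECK")"
fi
```

If `check_gatekeeper` prints anything other than “enabled”, the box described above is unticked and apps from unidentified developers can be installed without a signature check; an app that comes back “rejected” from `assess_app` would likewise be blocked by the setting and is worth treating with suspicion.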