iT News

OPM chief blames hack on decades of infosec underinvestment
iT News
The head of the US Office of Personnel Management has fronted Congress to defend the agency's performance to lawmakers furious about a breach that compromised the personnel files of millions of federal workers. Katherine Archuleta, director of the OPM, ...

and more »
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Researchers have uncovered huge holes in the application sandboxes protecting Apple's OS X and iOS operating systems, a discovery that allows them to create apps that pilfer iCloud, Gmail, and banking passwords and can also siphon data from 1Password, Evernote, and other apps.

The malicious proof-of-concept apps were approved by the Apple Store, which requires all qualifying submissions to treat every other app as untrusted. Despite the supposed vetting by Apple engineers, the researchers' apps were able to bypass sandboxing protections that are supposed to prevent one app from accessing the credentials, contacts, and other resources belonging to another app. Like Linux, Android, Windows, and most other mainstream OSes, OS X and iOS strictly limit app access for the purpose of protecting them against malware. The success of the researchers' cross-app resource access—or XARA—attacks, raises troubling doubts about those assurances on the widely used Apple platforms.

"The consequences are dire," they wrote in a research paper titled Unauthorized Cross-App Resource Access on MAC OS X and iOS. "For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system's keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there by the system app Internet Accounts, and bank and Gmail passwords from Google Chrome." Referring to interprocess communication, which is the tightly controlled and Apple-approved mechanism for one app to interact with another and the Bundle ID token used to enforce sandbox policies, the researchers continued:

Read 17 remaining paragraphs | Comments

[security bulletin] HPSBGN03338 rev.1 - HP Service Manager running RC4, Remote Disclosure of Information
[security bulletin] HPSBGN03350 rev.1 - HP SiteScope Using RC4, Remote Disclosure of Information
LinuxSecurity.com: devscripts could be made to overwrite files.
LinuxSecurity.com: wpa_supplicant and hostapd could be made to crash if they receivedspecially crafted network traffic.
LinuxSecurity.com: Aptdaemon could be made to expose sensitive information, or allow fileaccess as the administrator.
LinuxSecurity.com: Updated kernel packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5.9 Advanced Update Support. Red Hat Product Security has rated this update as having Important security [More...]
VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and Cleartext Vulnerabilities
OS Command Injection in Vesta Control Panel
Reflected Cross-Site Scripting (XSS) in SearchBlox
Internet Storm Center Infocon Status