While the attention of Apple enthusiasts this week is focused on the new iPhone SE and 9.7-in iPad Pro, CISOs are watching several vulnerabilities in the company’s platforms that have just been found.
This morning SentinelOne researchers revealed a major flaw in all versions of OS X which allows local privilege escalation and a bypass of System Integrity Protection (SIP), Apple’s newest protection feature.
It was reported to Apple and patches will be available soon, SentinelOne said.
“This vulnerability not only reveals a major security flaw in OS X, but also provides further evidence that exploits can be extremely stealthy, and at times, virtually impossible to detect,” the vendor said in a statement.
“The nature of this particular exploit enables it to evade defenses by utilizing very reliable and stable techniques that traditional detection mechanisms, looking for more obvious warning signs, would miss.”
In an email researcher Pedro Vilaça, who discovered the problem, said it wasn’t easy to spot. “You need to think about the whole process and know how it works. After you discover it, it appears to be easy to find. However, hindsight is always 20/20.”
He described it as a non-memory-corruption bug that lets a user execute arbitrary code on any binary. It bypasses System Integrity Protection (SIP), a key security feature of the latest version of OS X, El Capitan, without needing a kernel exploit. SIP is a new feature designed to prevent potentially malicious software from modifying protected files and folders: essentially, it protects the system even from anyone who has root access, authorized or not.
The same exploit allows an attacker both to escalate privileges and to bypass SIP. In this way the very OS X security feature designed to protect users from malware can be turned to achieving malware persistence.
To exploit this vulnerability, an attacker must first compromise the target system in any way — for example by a spearphishing attack or by exploiting the user’s browser.
On Monday Apple updated OS X El Capitan and patched a number of security vulnerabilities.
Meanwhile, last week Palo Alto Networks said it had found a new family of iOS malware that successfully infected non-jailbroken devices by abusing Apple’s FairPlay digital rights management mechanism to spread.
Dubbed “AceDeceiver,” the malware installs itself through a man-in-the-middle attack that exploits design flaws in FairPlay, without needing a compromised enterprise certificate. After being alerted, Apple in February removed from the App Store several apps that leveraged AceDeceiver and purported to be wallpaper apps, Palo Alto said, noting the apps would have had to pass Apple’s code review several times. But the researchers say the malware may still spread thanks to the novel attack vector.
iOS devices request an authorization code for each app downloaded from the App Store to prove it was actually purchased. In the FairPlay MITM attack, the attackers purchase an app from the App Store, then intercept and save the authorization code. They then developed PC software that simulates the iTunes client’s behaviour and tricks iOS devices into believing the app was purchased by the victim. “Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge,” says Palo Alto.
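The weakness in the paragraph above is a replayable purchase authorization: the device accepts a genuine code without checking that it was issued for this device and this account. The following is an added illustration, not code from the article, from Palo Alto Networks or from Apple, and it does not model FairPlay’s actual protocol; it is a constructed toy store/device exchange with a device-agnostic receipt beside a device-bound one, so the replay that succeeds against the first fails against the second. All keys, app identifiers, accounts and device names are invented for the example.

```python
"""Toy model of the purchase-authorization replay pattern described above.

Added illustration, not the article's or Palo Alto's code and not Apple's real
FairPlay protocol: it models only the general weakness the text describes, a
per-app authorization a device accepts without checking that it was issued for
this device and this account, so a code captured once can be replayed to
install the app on other devices. All names, keys and identifiers are constructed.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

# Hypothetical store signing key, generated fresh per run (assumption: a real
# store would hold its key in an HSM; here the device verifies with the same key).
STORE_KEY = os.urandom(32)
APP = "com.example.wallpaper"          # constructed app identifier


def _mac(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()


def issue_authorization(app_id: str, account: str,
                        device_id: Optional[str] = None) -> dict:
    """Store side: sign a purchase receipt for app_id bought by account.

    With device_id=None the receipt is device-agnostic (the replayable design);
    with a device_id it is bound to the device that requested it.
    """
    body = {"app_id": app_id, "account": account}
    if device_id is not None:
        body["device_id"] = device_id
    return {"body": body, "mac": _mac(body)}


def _mac_ok(auth: dict) -> bool:
    return hmac.compare_digest(_mac(auth["body"]), auth["mac"])


def device_accepts_weak(auth: dict, app_id: str) -> bool:
    """Weak device-side check: genuine store signature and matching app id only.
    Nothing ties the receipt to the device or to the signed-in account."""
    return _mac_ok(auth) and auth["body"]["app_id"] == app_id


def device_accepts_bound(auth: dict, app_id: str,
                         device_id: str, signed_in_account: str) -> bool:
    """Hardened check: the receipt must also name this device and this account."""
    b = auth["body"]
    return (_mac_ok(auth) and b["app_id"] == app_id
            and b.get("device_id") == device_id
            and b["account"] == signed_in_account)


def replay_scenario() -> dict:
    """Replay one captured receipt against a victim device under both designs."""
    # 1. Attacker buys the app once with their own account and captures the receipt.
    captured = issue_authorization(APP, "attacker@example.test")
    # 2. A fake PC client replays it to the victim's device: accepted under the weak check.
    weak_replay = device_accepts_weak(captured, APP)

    # Same attack against device-bound receipts: the receipt names the attacker's
    # device and account, so the victim's device rejects the replay ...
    bound_captured = issue_authorization(APP, "attacker@example.test", "attacker-device")
    bound_replay = device_accepts_bound(bound_captured, APP,
                                        "victim-device", "victim@example.test")
    # ... and rewriting the bound fields to the victim's breaks the store's MAC.
    forged_body = dict(bound_captured["body"],
                       device_id="victim-device", account="victim@example.test")
    forged = {"body": forged_body, "mac": bound_captured["mac"]}
    forged_replay = device_accepts_bound(forged, APP, "victim-device", "victim@example.test")

    return {"weak_replay_accepted": weak_replay,
            "bound_replay_accepted": bound_replay,
            "forged_replay_accepted": forged_replay}


if __name__ == "__main__":
    print(replay_scenario())
```

The point of the toy is the check, not the signing: a receipt that is cryptographically genuine is still useless as proof of purchase for this device unless the verifier confirms who it was issued to, which is why MDM controls built around enterprise certificates never see this kind of install.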
The three apps discovered would only have worked in China. However, the researchers say that could easily be changed in future versions. “The bigger issue,” they say, “is that AceDeceiver is evidence of another relatively easy way for malware to infect non-jailbroken iOS devices. As a result, it’s likely we’ll see this start to affect more regions around the world, whether by these attackers or others who copy the attack technique.”
In addition, they say the new attack technique is more dangerous than previous ones in part because it doesn’t require an enterprise certificate, and therefore this kind of malware is not under the control of MDM solutions.
It isn’t clear whether this vulnerability was fixed in this week’s iOS patches.