Apple CORED but ignored

The apple CORED/XARA vulnerability remains unpatched but appears unexploited in the wild.

Apple CORED but ignored
Apple CORED but ignored

A hole in Apple software remains unpatched, nearly nine months after it was first identified, leaving Apple IOS and OS X users vulnerable. The vulnerability, known as CORED or XARA (to give it its alternative name) was first picked up by researchers last year and was made known to Apple in October but, as of yet, the hole has not been fixed.

CORED/XARA allows an attacker to gain access to Apple's password storing system Keychain as well as break sandboxed apps. As yet, there appear to be no attacks in the wild.

According to the six researchers - from the universities of Indiana, Beijing and the Georgia Institute of Technology, -  the consequences of the breach could be extremely serious. “For example, on the latest Mac OS X 10.10.3, our sandboxed app successfully retrieved from the system's keychain the passwords and secret tokens of iCloud, email and all kinds of social networks stored there.”

"The good news: this isn't a catastrophe," said Paul Ducklin, senior security advisor at Sophos. "Malware can already pull off credential-stealing tricks without exploiting holes such as CORED/XARA. And this isn't a Remote Code Execution bug, where a crook could wander in from the outside and plant malware on your Mac without warning. So, let's see what Apple comes up with to restore these vulnerable security segregation features - and, in the meantime, don't give up on that anti-malware protection." 

The lack of any attacks should be a relief to Apple customers but why has there been a delay in fixing the problem.  Independent security consultant says that Apple are notoriously reticent to reveal any further information about security issues until they're actually fixed. He says that only Apple can answer with any authority. “One assumes that it's quite complicated to fix,” he says.

And Jared de Mott, principal security advisor with Bromium said we shouldn't be too hard on Apple. ““I'm sure Apple would have liked to fix the bug sooner.  And I'm sure they're working on it,“ he said.

He added, however, that the design of Apple software led to such issues. “But the vulnerability points out the fundamental weakness of isolating applications via sandboxes: if there is a weakness in the OS kernel, or in the protocol used to allow sandboxes to communicate two things happen: Sandbox escapes or data pilfering becomes possible (and yes, Mac users should be worried about this) and the bug is often hard to repair.”

De Mott does highlight a belief among some Apple users that their devices are free from the security problems that plague other machines. Cluley says that anyone playing close attention to security threat had “that belief beaten out of them long ago. Apple isn't somehow magically protected from security threats and privacy issues - it's still software written by humans, and humans make mistakes, and introduce bugs into their code.”

But, he says, Apple users should be concerned that it has taken so long to put right. “Apple users should be making their voice heard, and demanding a statement from Apple regarding what's happening about the flaw and when the problem will get fixed.”