Major iOS and Mac OS Vulnerabilities Expose Customers to Cyber Attacks
When it comes to Apple, sometimes it can be very hard to separate myth from reality. Even with Steve Jobs dearly departed (tip of the hat to his genius), the company itself seems to have retained its own reality-distortion field. This is true when it comes to iOS and Mac OS vulnerabilities.
The myth of Apple invulnerability is so great that we bet you don’t know what this word means: ‘Gatekeeper.’ That is Apple’s anti-virus and anti-malware software, and boy, does it have a weakness. Patrick Wardle, a security researcher with Synack, found a way to compromise Gatekeeper and access the Mac OS in 5 minutes. Five minutes.
It turns out, Apple is also drinking its own Kool-Aid. ‘Gatekeeper’ checks apps to ensure they aren’t on an Apple blacklist. BUT it doesn’t check the code. With all we know about how viruses hide, it’s hard to fathom why Apple would think this is sufficient protection.
As part of this investigation, Wardle hitched a ride on a legitimate app that passed Gatekeeper’s whitelist of accepted apps. From there, all it takes is a fake Wi-Fi hotspot and a hacker could use that ‘legit’ app to inject malicious code into the Mac or iOS operating system. Apple released a ‘patch’ that merely blacklisted the ‘legit’ app that Wardle used to break into it. Apple has not yet changed the code of Gatekeeper to check the internal code of a whitelisted app. Meaning, the weakness remains.
All of this culminated on January 16, 2016, when Apple released updates to both Mac OS and iOS (OS X 10.11.3 and iOS 9.2.1). According to the security firm Zimperium zLabs, the update patches multiple classes of vulnerabilities. Not 1 vulnerability. Not 2. Multiple. Apple is now close to Microsoft Windows in that it is doing security updates almost once a month.
So much for the myth of Apple invulnerability. So do yourself a solid. If you’re on iOS and Mac OS, download and install those updates. But secure your sensitive financial transactions through services like BankVault.