Two Apple Security TidbitsBy Rich
Two interesting items.
First up, whatever actual vulnerability was used, the Apple Developer Center was exploited with a code execution flaw:
On the site, Apple credits 7dscan.com and SCANV of www.knownsec.com for reporting the bug on July 18, which is the same day the Developer Center was taken offline. During the downtime, Apple reported that the Developer Center website had been hacked, with an intruder attempting “to secure personal information” from registered developers. The company noted that while sensitive information was encrypted, some developer names, mailing addresses, and/or email addresses may have been acquired.
Expect to see constant developer targeting, on all platforms, as operating systems themselves become hardened. No details on the flaw other than that, but I didn’t even expect them to release that much. They also credit the researcher who pulled user account info using, it turns out, a different flaw. That’s the guy some expected them to go after legally, which is even more interesting.
Item number 2.
A group of researchers from Georgia Tech developed an app that masqueraded as a news reader that would phone home to reprogram itself into malware – something that was apparently not picked up in Apple’s security screening procedures, reports the MIT Technology Review.
Charlie Miller did this once before, and I’m sure it will happen again. It’s a big cat and mouse game, and Apple is in for constant battles (as are Google, Microsoft, and Amazon with their stores). It will keep getting harder, but likely never impossible. The real question is mitigation. Apple yanks apps when needed, but generally won’t claw them back off a device. For Macs that requires a software update, and I am investigating whether it is more automated for iOS.