In my previous article on the XARA/CORED weakness/vulnerability in Mac OS X and iOS, a reader named LorinT reminded us all that cross-app resource access (the source of the XARA acronym) is a very valid way for one app to reference another for data.
However, as LorinT explains, this access is being done in a hackable way, and the surprise is that many high-profile apps are not using any kind of authentication when sharing information between multiple processes running on a system.
That previous article linked to two articles from the iMore website: one that explained the issue at a high level, and another that went into more detail, which is kinda appropriate for a site called iMore.
In any case, iMore is clearly a site with some clout, because Apple sent iMore a statement on the XARA issue and what it intends to do about it.
iMore’s latest article carries Apple’s statement and additional detail.
Of course, the question is - what did Apple say?
Apple said: “Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store. We have additional fixes in progress and are working with the researchers to investigate the claims in their paper.”
Clearly, it’s good to see Apple isn’t ignoring the issue, not that we ever thought it would.
Indeed, while we wish Apple, Microsoft, Facebook, Google, Samsung and everyone else responded to and fixed privately and publicly disclosed security vulnerabilities with superhuman speed, sometimes things just take a little time.
Sometimes researchers need to disclose their findings to force the issue, sometimes things aren’t as serious as they’re being made out to be, sometimes things have to go seriously wrong before action is taken, and sometimes action is taken proactively before we even knew there was a problem, with every scenario in between.
So… compute safely out there whatever platform you’re using, and may our hardware and software providers forever take security extremely seriously!