Saturday, 20 June 2015 22:56

Apple raids Xara’s cruft, fixes in progress


The various security vulnerabilities causing Apple a few headaches, dubbed Xara and CORED, have elicited a response from Apple itself.

In my previous article on the XARA/CORED vulnerability in Mac OS X and iOS, a reader named LorinT reminded us all that cross-app resource access (the source of the XARA acronym) is a legitimate way for one app to obtain data from another.

However, as LorinT explains, that access is implemented in a hackable way: surprisingly, many high-profile apps perform no authentication at all when sharing information between multiple processes running on the same system.

That previous article linked to two from the iMore website, one which explained the issue at a high level, and then another which went into more detail - which is kinda appropriate for a site called iMore.

In any case, iMore is clearly a site with some clout, because Apple sent iMore a statement on the XARA issue and what it intends to do about it.

iMore’s latest article lists Apple’s statement, and additional detail.

Of course, the question is: what did Apple say?

Apple said: “Earlier this week we implemented a server-side app security update that secures app data and blocks apps with sandbox configuration issues from the Mac App Store. We have additional fixes in progress and are working with the researchers to investigate the claims in their paper.”

Clearly, it’s good to see Apple isn’t ignoring the issue, not that we ever thought it would.

Indeed, while we wish Apple, Microsoft, Facebook, Google, Samsung and everyone else responded to and fixed privately and publicly disclosed security vulnerabilities with superhuman speed, sometimes things just take a little time.

Sometimes researchers need to disclose their findings to force the issue; sometimes things aren’t as serious as they’re being made out to be; sometimes things have to go seriously wrong before action is taken; and sometimes action is taken proactively before we even knew there was a problem, with every scenario in between.

So… compute safely out there whatever platform you’re using, and may our hardware and software providers forever take security extremely seriously!



Alex Zaharov-Reutt

One of Australia’s best-known technology journalists and consumer tech experts, Alex has appeared in his capacity as technology expert on all of Australia’s free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and on technology, lifestyle and reality TV shows.
