XARA

XARA is an acronym for "Unauthorized Cross-App Resource Access", which describes a category of zero-day vulnerabilities in computer software systems.

A zero-day vulnerability is a computer-software vulnerability that is unknown to those who would be interested in mitigating the vulnerability. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.

Initial Disclosure

An academic research paper entitled "Unauthorized Cross-App Resource Access on MAC OS X and iOS" [1] was published on 26 May 2015 by a team of researchers from Indiana University, Tsinghua University, Peking University, Chinese Academy of Sciences, and Georgia Institute of Technology. The paper was widely released to the public on 16 June 2015 [2] and was commented on by both mainstream and technical media outlets [3] [4] [5] [6] [7].

The paper identifies several separate categories of zero-day threats to applications and stored passwords which can potentially be exploited by malware on iOS devices and OS X. The paper also discloses the existence of similar vulnerabilities on Android devices.

Response by Vendors

  1. On 19 June 2015, Apple Computer responded to the press [8] that they had implemented countermeasures to exclude malware containing the XARA exploit from their iOS App Store.

Attack Vectors

In XARA, each attack vector violates the principles of a computer-security sandbox.

In computer security, a "sandbox" is a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.

  1. Untrusted partners using shared resources such as the file system or the keychain.
  2. Inter-process communication without verification of the partner.
  3. Weak security policies in the system installer allow other applications to be designated as shared resource bundles.
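The first of these vectors, an untrusted partner on a shared resource, comes down to one missing check: before an application stores a secret in a shared item that it found rather than created, it should confirm who else is allowed to read that item. The following Python model is an added example and is not code from this article or from the cited paper; the store, its access lists and the identifiers (`com.example.bank`, `com.example.other`) are constructed stand-ins for a keychain-like service, not Apple's Keychain Services API. It contrasts a write that trusts any pre-existing item with one that refuses an item whose access list names anyone but the caller.

```python
"""Toy model of a system-wide credential store with per-item access lists.

Constructed example: SharedStore, Item and the identifiers below are simplified
stand-ins for a keychain-like service, not Apple's Keychain Services API.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


class AccessDenied(Exception):
    """Raised when a requester is not on an item's access list."""


@dataclass
class Item:
    service: str
    account: str
    secret: str
    # Application identities (think code-signing identities) allowed to read/update.
    acl: Set[str] = field(default_factory=set)


class SharedStore:
    """Any app may look items up by (service, account); the ACL gates the secret."""

    def __init__(self) -> None:
        self._items: Dict[Tuple[str, str], Item] = {}

    def find(self, service: str, account: str) -> Optional[Item]:
        return self._items.get((service, account))

    def create(self, requester: str, service: str, account: str, secret: str,
               share_with: Iterable[str] = ()) -> Item:
        """Create an item owned by `requester`; the creator chooses the ACL."""
        if (service, account) in self._items:
            raise KeyError("item already exists")
        item = Item(service, account, secret, {requester, *share_with})
        self._items[(service, account)] = item
        return item

    def update(self, requester: str, item: Item, secret: str) -> None:
        if requester not in item.acl:
            raise AccessDenied(requester)
        item.secret = secret

    def read(self, requester: str, service: str, account: str) -> str:
        item = self.find(service, account)
        if item is None or requester not in item.acl:
            raise AccessDenied(requester)
        return item.secret


def store_password_weak(store, me, service, account, secret) -> None:
    """Reuse whatever item exists under our service name, no questions asked."""
    item = store.find(service, account)
    if item is None:
        store.create(me, service, account, secret)
    else:
        store.update(me, item, secret)  # trusts whoever created the item


def store_password_checked(store, me, service, account, secret) -> None:
    """Refuse to write into an existing item unless we are its only reader."""
    item = store.find(service, account)
    if item is not None and item.acl != {me}:
        # Another identity is on the list: the item is not ours to fill in.
        raise AccessDenied(f"unexpected ACL on existing item: {sorted(item.acl)}")
    if item is None:
        store.create(me, service, account, secret)
    else:
        store.update(me, item, secret)


BANK = "com.example.bank"    # constructed: the app that owns the password
OTHER = "com.example.other"  # constructed: an unrelated app on the same system


def demo(store_fn) -> Optional[str]:
    """Another app pre-creates the bank's item and puts the bank on its ACL.

    Returns what OTHER can read afterwards, or None if the bank app refused.
    """
    store = SharedStore()
    store.create(OTHER, "bank-login", "alice", "", share_with={BANK})
    try:
        store_fn(store, BANK, "bank-login", "alice", "hunter2")
    except AccessDenied:
        return None
    return store.read(OTHER, "bank-login", "alice")


def fresh_item_is_private() -> bool:
    """With no pre-existing item, the checked path works and stays private."""
    store = SharedStore()
    store_password_checked(store, BANK, "bank-login", "alice", "hunter2")
    try:
        store.read(OTHER, "bank-login", "alice")
    except AccessDenied:
        return store.read(BANK, "bank-login", "alice") == "hunter2"
    return False


if __name__ == "__main__":
    print("weak write, other app reads:   ", demo(store_password_weak))     # hunter2
    print("checked write, other app reads:", demo(store_password_checked))  # None
    print("fresh item stays private:      ", fresh_item_is_private())       # True
```

The same principle covers the second vector: an IPC endpoint should verify the identity of the peer it is talking to before acting on a message, rather than assuming the other end is the partner it expected because it answered on the agreed channel or name.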

Known systems with problems

  1. iOS from Apple Computer
  2. OS X from Apple Computer
  3. Android from Google

See also

  1. Software-defined protection
  2. Vector (malware)

References

  1. Xing, Luyi; Bai, Xiaolong; Li, Tongxin; Wang, XiaoFeng; Chen, Kai; Liao, Xiaojing; Hu, Shi-Min; Han, Xinhui (26 May 2015). "Unauthorized Cross-App Resource Access on MAC OS X and iOS". arXiv:1505.06836 [cs.CR].
  2. "Unauthorized Cross-App Resource Access on MAC OS X and iOS". 16 June 2015. Retrieved 18 June 2015.
  3. "Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X". The Register. Retrieved 20 June 2015.
  4. "OS X and iOS Unauthorized Cross Application Resource Access (XARA)". InfoSec Handlers Diary Blog. SANS Technology Institute.
  5. "iOS and OS X Security Flaws Enable Malicious Apps to Steal Passwords and Other Data". MacRumors. Retrieved 20 June 2015.
  6. "Zero-Day Exploits for Stealing OS X and iOS Passwords". The Hacker News. Retrieved 20 June 2015.
  7. "Zero-day exploit lets App Store malware steal OS X and iOS passwords". Macworld. Retrieved 20 June 2015.
  8. "Apple comments on XARA exploits, and what you need to know". iMore.