Apple most insecure system by virtue of marketing and denial

phaZed

So, yes, the title is a catch phrase, but I find it entirely true. It just seems like every other day we're finding out about some exploit or vulnerability on iOS or OSX that has been in the wild for year(s) and nobody, including Apple, had any inkling of it. So, when does the Apple community suck it up and start installing some basic malware and virus utilities as a matter of course? When do we as techs (yes, I'm talking to some of the Mac enthusiasts and Mac-centric repair shops that frequent TN and laugh at the suggestion of AV on Mac) feel it is time to offer AV for Mac like we do for PCs? Now is the answer.

Just on October 9th, Apple pulled multiple apps AGAIN from the App Store after they were found to have MITM and SSL/TLS root cert vulnerabilities. Of course Apple denied it at first, but had to spit it out after the questions started pouring in. They still won't say which apps... so screw all you users once again (not like they would want you to uninstall said apps ASAP for your benefit, right? Better just not to know, the ol' head-in-the-sand trick!). Deny, deny, deny.
http://www.pcmag.com/article2/0,2817,2492844,00.asp

Or how about YiSpecter, discovered just this October 5th, 2015:
a new iOS malware that's able to infect non-jailbroken Apple devices using enterprise certificates and private APIs. It originated in Taiwan and China and was installed through several methods, including hijacking traffic from ISPs, an SNS worm on Windows, and offline app installation.
Called YiSpecter, the malware is able to download, install, and launch apps, doing things like replacing existing apps, displaying advertisements in legitimate apps, changing Safari's default engine, and uploading user information to remote servers.
http://www.macrumors.com/2015/10/05/apple-yispecter-malware-fix-ios-8-4/

So, now we know that PRIVATE APIs and CERTS are being installed. Well, that has been the argument against Windows for, um, like... forever... The entire basis for the "Windows Sucks" and "MAC Rulez" threads has always basically come down to "Apple has full control, behind garden walls" and MS lets anything get in there. Well, looks like Apple is joining the vulnerability club if you're going to allow every random private API in. This vulnerability existed for almost A FULL YEAR (AT LEAST from Dec 2014) for iOS 8.3 or lower. I might remind you that 8.3 was released April 2015 and that there are still tens of millions of users on 8.3 (about 8%). It wasn't until the middle of August 2015 that 8.4 was released. Apple's "story" of "the malware was patched" seems fishy... they act like they knew about it all along, but it took a security researcher at Palo Alto Networks to find and release info on the vulnerability. Also, with 8.4 came a slew of security updates which likely accidentally fixed the issue... not that YiSpecter was a targeted issue.

Make no mistake... YiSpecter will perform a drive-by on your device simply by visiting a webpage.. and YiSpecter isn't the only one!
The iOS app spread by Lingdun and the malicious components it installs have different developers, different Command and Control (C2) servers, different purposes, and different code signing certificates. Therefore, we don't believe them to be variants of the Lingdun worm but instead separate malware using the Lingdun worm to spread. Additionally, we found these iOS apps have many more malicious functions than previously disclosed. Hence we do not refer to this malware family as Lingdun and have given it the new name YiSpecter.

Then we had Xcode in mid-September 2015, which was the infection of Apple's proprietary IDE (Integrated Development Environment) for making apps. Basically Apple has NO security on that software... like all other IDEs have. You still have to check the MD5/SHA1 hashes on your dev files manually! Duh.. Hello, McFly! The damned IDE needs to check the MD5! The rest of the industry has been doing this for almost 20 years. Unacceptable and dangerously insecure. For a company that markets itself as security aware.. this is laughable. All the Apple fanboys came out in force: "Oh, well, the Xcode that those developers used wasn't from Apple.. it was downloaded from a Chinese server because Apple's server is too slow." Well, that's all nice and dandy, but that little "insignificant" hack infected somewhere in the neighborhood of hundreds of millions of iOS devices via the "secure" App Store.

Now, to make things worse, Apple apologists always parrot "Gatekeeper, gatekeeper!" like some petulant child. Well, looky here on September 30th 2015:

Apple fail: OS X Gatekeeper exploit allows easy installation of malicious software
[The] exploit works by renaming Binary A but otherwise making no other changes to it. He then packages it inside an Apple disk image. Because the renamed Binary A is a known file signed by Apple, it will immediately be approved by Gatekeeper and be executed by OS X.

Not even Windows' UAC would fall for that simple trick. So, basically Gatekeeper security has been a literal joke and failure too.

It [virus] uses a binary file already trusted by Apple to pass through Gatekeeper; once the trusted file passes through the Gatekeeper security check it is said to execute one or more malicious files that can install a variety of programs including password loggers, botnet software, and other forms of nefarious things.

“It’s not super complicated, but it effectively completely bypasses Gatekeeper,” Wardle explained. “This provides hackers the ability to go back to their old tricks of infecting users via Trojans, rogue AV scams or infect applications on Pirate Bay.”
Wardle claims to have informed Apple of the vulnerability 60 days ago with the tech giant yet to issue a patch for it, although it is believed a patch is currently being worked; it could be some time off, as the patch is said to require a number of serious changes to the OS X code base.

Wait, OSX is vulnerable at the Kernel level? Hmmm, not good.

Then we have the iOS9 lock screen bug around September 24th where any stranger can bypass the iOS lockscreen in 30 seconds using Siri. Really. Apple couldn't patch it in 9.1, that came a few days later in 9.2 - did Apple not test to see if 9.1 fixed it? Did they not test the lock screen? Pretty simple to bypass and another security "duh" mistake... don't let other user apps run when the lock screen is up. Simple security, but like Apple has been showing us.. it's just another security overlook because they assume too much.
--------------------------------------------------------------------

So let me get this straight. In the last 30 days we have learned that iOS and OSX are fully vulnerable from code creation to the OS, the kernel, from the App Store to private APIs, bad certs, man-in-the-middle vulnerabilities, browser hijacks and drive-bys with silent installs. Basically from step 1 to the "in your hand" final step.. there's a vulnerability each step of the way. Many of these vulnerabilities have been "out there" for some time before being discovered.

So, for the next 25-page Apple flame thread here on TN, I'm just going to point you to this post and have you explain how Apple is secure and you don't need to run any AV... hundreds of millions of infected Apple users could really use an AV right about now because they don't even know they have been infected. I suspect Apple would have a conflict with that and their marketing department.. so hush hush.. wouldn't want to worry anyone over serious vulnerabilities to their information or anything.

Apple's policy for malware is to not say anything unless forced to do so. (Really, it is the policy.) Now, one has to wonder, do they know and just not fix the issues.. or are they just incompetent when dealing with security? The days of security through obfuscation (a bad idea already) are over. Apple needs to get serious about security... it's way past due. What has really got me going in this post is that the "secrecy for the sake of saving face" isn't working out too well and I don't care for the practice one bit. Security issues need to be open and Apple needs to have a policy of full disclosure. I need to know which programs are infected, immediately. I don't want to use an infected program any longer than I have to, and I could have been proactive while Apple avoids bad publicity.

I am in no way saying Apple sucks (well, the company does IMO for many reasons). I own a few laptops currently and had an iPad for a short period.. have had Apple desktops in the past. I say this 'cause there is always someone that wants to make a flame war with me. I'm not claiming that Windows or a PC is better on security, but in many cases a Windows PC is and can be more secure because the onus for everything Apple is Apple, and we see where that has landed us. Augmenting your Apple with security via 3rd party apps (not just AV, think business and corporate security) is quite a bit more challenging compared to the offerings on the PC.. so either Apple gets their sh*t together themselves or they need to allow deeper control of their OS (never happen), due to their own lack of control.

Apple needs a comprehensive patching system in lieu of the OS minor revision update paths so they can roll patches out faster... like Microsoft! Ugh. (That was a joke, kinda!)

PS - I didn't even list all of the past 30 days vulnerabilities as this post is already long enough and these were the biggies.
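One practical check along the lines the post argues for in the Xcode paragraph: verify the hashes of a downloaded toolchain against the vendor's published values instead of trusting whichever mirror served it. This is an added example, not code from the post or from Apple. It assumes the vendor publishes a sha256sum-style manifest ("<hex digest>  <relative path>", one file per line), which is an assumption about format, and the file tree and manifest it checks are constructed inline in a temp directory. It goes one step beyond the post's point by also flagging files present on disk that the manifest never listed, since a tampered toolchain may add files next to genuine ones rather than change them (the same "trusted binary plus something dropped beside it" pattern the Gatekeeper quote above describes).

```python
"""Check a downloaded toolchain against a published SHA-256 manifest.

Added example, not from the original post or from Apple. Assumes a
sha256sum-style manifest ("<hex digest>  <relative path>" per line), and
builds a constructed file tree and manifest in a temp directory to run on.
"""
import hashlib
import hmac
import os
import sys
import tempfile
from typing import Dict, Tuple

CHUNK = 1 << 20  # hash 1 MiB at a time; an Xcode-sized download won't fit in RAM


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  relative/path' lines into {path: digest}.

    Blank lines and '#' comments are skipped. A malformed line is an error,
    not a skip: a truncated or edited manifest must not quietly verify.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, rel = parts
        entries[rel.lstrip("*")] = digest.lower()  # '*' = sha256sum binary mode
    return entries


def verify_tree(root: str, manifest: Dict[str, str]) -> Dict[str, str]:
    """Check every manifest entry under root.

    Returns {relative path: "ok" | "mismatch" | "missing" | "unlisted"}.
    "unlisted" marks files on disk the manifest never mentioned, so an
    extra library dropped beside a genuine binary is reported too.
    """
    results: Dict[str, str] = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
            continue
        actual = sha256_file(path)
        # constant-time compare; cheap insurance even for a local check
        results[rel] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest:
                results[rel] = "unlisted"
    return results


def all_ok(results: Dict[str, str]) -> bool:
    """True only when the manifest is non-empty and every file checked out."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed scenario: a clean tree, then the same tree after one
    binary is swapped and an unlisted library is added."""
    files = {"bin/compiler": b"genuine compiler bytes",
             "lib/libclang.dylib": b"genuine library bytes"}
    # the manifest a vendor would publish beside the download (constructed)
    manifest = parse_manifest("\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in files.items()))
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        clean = verify_tree(root, manifest)

        with open(os.path.join(root, "bin/compiler"), "wb") as f:
            f.write(b"trojaned compiler bytes")   # mirror swapped the binary
        with open(os.path.join(root, "lib/libextra.dylib"), "wb") as f:
            f.write(b"injected")                  # and dropped an extra file
        tampered = verify_tree(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:   ", clean)
    print("tampered:", tampered)
    sys.exit(0 if all_ok(clean) and not all_ok(tampered) else 1)
```

Against a real download you would point verify_tree at the unpacked toolchain and parse_manifest at the vendor's hash file. The manifest's own integrity matters as much as the files': fetch it over TLS from the vendor's site rather than from the mirror that served the download, or check it against a published signature, otherwise whoever controls the mirror can rewrite both and the check passes.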