Apple has been plagued by several security flaws in the past several months. An iOS flaw discovered last month called “Man-in-the-Middle” was found, and an OS X Yosemite security bug known as “Rootpipe” discovered last October still persists in the operating system despite an update aimed at fixing the flaw.
The “Man-in-the-Middle” works by allowing an attacker to intercept data (passwords, bank information, etc.) when connected to the same wireless network. Many attackers will use a fake Wi-Fi hotspot that fails to check for security certificates to exploit the flaw. Many iOS apps use an open-source networking code called AFNetworking to establish secure connections to the server, and the previous version of code contained this security flaw. Although a fix was introduced in the new version, released three weeks ago, many iOS apps haven’t updated their code to patch the flaw. Still-vulnerable apps include the Alibaba.com mobile app, Citrix OpenVoice Audio Conferencing, and Movies by Flixter with Rotten Tomatoes.
The “Rootpipe” flaw allows attackers to gain full access (commonly known as root access) to a system via a hidden backdoor through the system preferences. In order to exploit the flaw, an attacker must have previously been granted access (either physical or remote) to the machine. Although the flaw has existed on OS X devices since 2011, it was just discovered this past October. Apple claimed that the security flaw was patched in the most recent OS X Yosemite update. Security researcher Patrick Wardle recently successfully exploited the vulnerability on a machine running the latest update. Although he hasn’t revealed the technical details of the exploit, it appears as if it still exists.
Apple has yet to comment on the remaining security flaws.