Apple is downplaying the risks of a new security vulnerability in iOS that made big waves this past week after security researchers disclosed it. The security flaw, dubbed 'Masque Attack', was first discovered and reported by security firm FireEye.
Since those initial reports we've seen several posts and articles detailing the new flaw and warning users of the extreme risks associated with it. In short, 'Masque Attack' allows attackers to create a fake version of a legitimate app, which sits on top of the real app and siphons off data without the user noticing. The risks are legitimate ones and could potentially become a major issue both for individual users and at the enterprise level, where data breaches are big business.
However, the security flaw apparently isn't raising any eyebrows at Apple. In its response, released to iMore, Apple goes so far as to state that the Masque Attack isn't really a flaw at all, and that it is 'not aware' of anyone who has actually been affected by the attack.
Apple believes that because the 'attack' requires the user to first follow a link, and then allow a third-party app to be installed by clicking past an iOS pop-up that warns people about downloading malicious apps, users will be safe!
Unfortunately, if history tells us anything, we know this simply isn't true! Windows and Android users alike have ignored these warnings for years. Not to mention that these types of malware attacks are hardly new to Apple users, and in those cases we again saw users willing to overlook those warnings and install malicious packages on their OS X machines.
It would appear as though Apple has some serious misconceptions about security and about the ability of malware creators to implement socially engineered and targeted attacks. Malware has always used legitimate-looking emails, web addresses or other legitimate-looking means to infiltrate an unsuspecting user's machine. And yes, in almost all cases it does require end-user engagement to become installed. This is how malware has worked, and extremely successfully, might I add, for years.
So while Apple may want to downplay this as not a big deal, it shouldn't be dismissed, and as always users should be extremely vigilant about the sites and services they are using and the emails they are viewing. Make sure you take the time to read and verify any and all warnings you get from your devices, especially security warnings.