Apple has yet to patch a major vulnerability that they have known about since January 27 and was exposed at Hack in the Box last week. Using software exposed yesterday at Black Hat Asia, an attacker can swap out legitimate versions of apps, developed with the said certificate, in order to spy on users and gain elevated privileges on the device that expose contacts, messaging, photos, the microphone and more. There are more details to the story here: https://wp.me/p3AjUX-uNh. Here to comment on this news is security expert Kevin Bocek, Chief Security Strategist at Venafi.
Kevin Bocek, Chief Security Strategist, Venafi:
This attack shows just how powerful certificates have become as potential weapons. Cryptographic keys and digital certificates form the foundations of trust online and enable our software and devices to whether something should be trusted or not. Issuing free unvalidated Apple certificates is now a fast-track to enabling malware to installed. There are already well over 20 million malware samples authenticated by digital certificates. Bad guys know what powerful weapons digital certificates have become. It’s past due that we learn from our human immune system and apply that to the digital world to know which certificates should be trusted and who is friend or foe.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.