Apple has released a server-side patch for the Mac App Store that blocks apps with sandbox configuration issues, a first step towards protecting app data from the recently disclosed XARA (unauthorised cross-app resource access) attacks, which can be used to steal iCloud Keychain passwords and other confidential data on Mac OS X and iOS.
The XARA attacks came to light when researchers at Indiana University, Georgia Tech and China's Peking University published their paper, Unauthorised cross-app resource access on Mac OS X and iOS.
An Apple spokesperson told iMore that the company is working on additional fixes for XARA on both iOS and OS X, and is in contact with the researchers to investigate the claims in their paper.
Here is what the Apple spokesperson told iMore about the company's plans to tackle the flaws, which stem from Keychain access control lists, URL schemes and OS X app containers:
Although the Mac App Store fix closes one avenue, the underlying weaknesses in how third-party apps share resources (Keychain items, app containers and URL schemes) on OS X and iOS remain unpatched.
Closing them will require structural changes to how the operating systems isolate apps from one another, not just store-side screening of submissions.
Until then, iOS and OS X users are advised not to install apps from unknown or uncertified developers.
As a partial workaround, OS X users can make sure that Gatekeeper, the built-in launch policy, is set to block apps that are not signed by Apple or by an identified developer:
Go to System Preferences > Security & Privacy > General, unlock the pane with the padlock if needed, and under "Allow apps downloaded from:" select "Mac App Store and identified developers" (this is a radio button, so choosing it clears the more permissive "Anywhere" option). Note that this only controls which apps are allowed to launch; it does not by itself fix the Keychain, URL scheme or container weaknesses, so a signed app from an unfamiliar developer still deserves the same caution.
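The same provenance check can be scripted from the command line, which is useful when auditing a fleet of Macs rather than clicking through System Preferences. The following is an added example, not code from the original article or from Apple: it wraps the stock OS X tools `codesign` and `spctl`, and the labels it prints (app-store, developer-id, adhoc, unsigned, other) are this example's own naming. The sample `codesign` outputs at the bottom are constructed and abridged so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original article): command-line checks for
# the app-provenance policy that the Gatekeeper setting above enforces.
# Assumes OS X with the stock `spctl` and `codesign` tools; the label names
# printed below are this example's own, not Apple's.

# classify_authority: reads `codesign -dv --verbose=2` output on stdin
# (codesign writes it to stderr, so callers redirect 2>&1) and prints one label:
#   app-store     signed through the Mac App Store
#   developer-id  signed with a Developer ID certificate ("identified developer")
#   adhoc         ad-hoc signature with no certificate chain
#   unsigned      no signature at all
#   other         signed, but by a chain the default Gatekeeper policy does not trust
classify_authority() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'code object is not signed at all'; then
        echo unsigned
    elif printf '%s\n' "$out" | grep -q '^Authority=Apple Mac OS Application Signing$'; then
        echo app-store
    elif printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application:'; then
        echo developer-id
    elif printf '%s\n' "$out" | grep -q '^Signature=adhoc$'; then
        echo adhoc
    else
        echo other
    fi
}

# gatekeeper_allows: exit 0 when a label is one that the
# "Mac App Store and identified developers" setting accepts, 1 otherwise.
gatekeeper_allows() {
    case "$1" in
        app-store|developer-id) return 0 ;;
        *) return 1 ;;
    esac
}

# check_app: classify an installed bundle, e.g. check_app /Applications/Foo.app
check_app() {
    codesign -dv --verbose=2 "$1" 2>&1 | classify_authority
}

# gatekeeper_status: prints "assessments enabled" or "assessments disabled".
# If disabled, turn it back on with: sudo spctl --master-enable
gatekeeper_status() {
    spctl --status
}

# Constructed, abridged samples of codesign output for offline use:
SAMPLE_APPSTORE='Executable=/Applications/Foo.app/Contents/MacOS/Foo
Identifier=com.example.foo
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
SAMPLE_DEVID='Executable=/Applications/Bar.app/Contents/MacOS/Bar
Identifier=com.example.bar
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
SAMPLE_ADHOC='Executable=/tmp/Qux.app/Contents/MacOS/Qux
Identifier=com.example.qux
Signature=adhoc'
SAMPLE_UNSIGNED='/Applications/Baz.app: code object is not signed at all'

# Run with --demo to see the classifier applied to the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_APPSTORE" "$SAMPLE_DEVID" "$SAMPLE_ADHOC" "$SAMPLE_UNSIGNED"; do
        label=$(printf '%s\n' "$s" | classify_authority)
        if gatekeeper_allows "$label"; then
            echo "$label: allowed by Gatekeeper"
        else
            echo "$label: blocked by Gatekeeper"
        fi
    done
fi
```

On a real machine, `check_app /Applications/Foo.app` runs `codesign` for you; `spctl --assess --verbose /Applications/Foo.app` gives Apple's own verdict ("accepted" with a `source=` line, or "rejected") and is the authoritative answer when the two disagree. Bear in mind that a Developer ID signature tells you who signed the app, not that it is benign, which is exactly why the article advises caution with unfamiliar developers even when Gatekeeper lets the app run.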