Apple releases Mac OS X El Capitan; two vulnerabilities reported

Apple released the latest version of Mac OS X on September 30, called ‘El Capitan’. It says that the upgrade has been built on the cutting edge features and beautiful design introduced in the previous version, Yosemite, and aims to refine the experience and improve performance in “lots of little ways that make a big difference.”

Some key features include:

• Simplified working in multiple apps simultaneously
• Metal for Mac provides faster and more fluid graphics performance in games, high performance apps and much more
• Split View that automatically fills the screen with two apps that user chooses
• Mission Control simplifies seeing and organising everything that is opened on Mac. With a single swipe, all the windows are arranged in a single layer on the desktop with nothing hidden or stacked
• Spotlight is more flexible and smarter in El Capitan. It delivers results for weather, sports, stocks, web video and transit information. Its window can be resized and moved anywhere on the desktop
• Improved screen support and swipe gestures in Mail
• Improved Photo app with enhanced organization tools and faster performance
• New system fonts and improved input methods make Chinese and Japanese text more beautiful to read and easier to write on a Mac

Apple says OS X El Capitan “makes Mac more fluid and responsive-up to 1.4 times faster app launch, up to 2 times faster app switching, up to 2 times faster display of first mail messages and up to 4 times faster PDF opening in preview”.

On the flipside, there are two critical flaws, residing in security tools designed to prevent attacks, that according to researchers leave users open to password theft and malware infection, Forbes reported.

Patrick Wardle, head of research at bug hunting business Synack, says that one problem with the latest version is that it allows attackers to completely evade Apple’s Gatekeeper technology. He told Forbes his findings prove Gatekeeper futile when confronted with a smart hacker, “even where security-minded users have selected to only accept downloads from the vetted Apple App Store.”

“Gatekeeper has one job: to block unauthenticated code coming from the internet. We’ve completely bypassed this. To me, Gatekeeper is no obstacle at all,” Wardle told Forbes. “It provides some protection against lame adversaries. But I’m sure more advanced attackers have already figured this out.”

The second problem, residing in the Mac OS X Keychain, was reported in June by researchers from Indiana University Bloomington, Peking University and the Georgia Institute of Technology, and is still unfixed. The keychain contains authenticating data, including passwords, tokens and keys for apps running on the operating system.

“The researchers found they could poison the Keychain via an unauthorized application to steal that data. They were also able to delete that information. In their proof of concept, the researchers were able to nab authenticating tokens for iCloud and Facebook”, Forbes reported.