“Wardle is saying that he could put a malicious app on someone’s Mac and then use that app to get around Keychain’s security and pull out usernames and passwords programmatically,” Ritchie writes. “That means Wardle, or someone using the same exploit, would have to use a phishing attack or some form of social engineering to get the malicious app onto your Mac, then use that malicious app to go after your Keychain.”
“It’s a bad bug and one Apple absolutely needs to fix as quickly as possible,” Ritchie writes. “In the meantime, the Keychain vulnerability isn’t something macOS users should panic about. At least not those used to following the same security best practices everyone in the industry has been talking about for years. Namely, keep Apple’s default Gatekeeper settings enabled and don’t download anything, or click on any links, you don’t absolutely trust.”
MacDailyNews Note: To make sure Apple’s Gatekeeper settings are enabled, launch System Preferences, click the General tab, and under “Allow apps downloaded from:” check “App Store.”