Apple fixes Keychain vulnerability, but only in macOS High Sierra

“The zero-day vulnerability in macOS’s Keychain has been addressed by Apple, along with some other issues in High Sierra,” Stephen Withers reports for iTWire. “But other recent versions of the operating system are still vulnerable.”

“Just before High Sierra was released, security researcher Patrick Wardle disclosed the existence of a vulnerability that allowed an application to extract in plaintext form all the passwords stored in a keychain,” Withers reports. “Despite Wardle’s detailed private notification, Apple went ahead and released High Sierra with this vulnerability. At least it wasn’t remotely exploitable, but over the years some Mac users have been taken in by various Trojans, so there was a practical route for exploiting the vulnerability.”

“Apple released macOS High Sierra 10.13 Supplemental Update overnight to patch the vulnerability, crediting Wardle as the discoverer,” Withers reports. “According to Wardle, macOS Sierra 10.12 is also vulnerable, and ‘El Capitan appears vulnerable as well,’” Withers reports. “There is no indication from Apple that a fix will be forthcoming for those versions. The company’s position — which can only be inferred from what it does and does not release — seems to be that if a newer version of an operating system has the same hardware requirements as its predecessor, it feels no compulsion to offer a patch for the latter.”

Read more in the full article here.

MacDailyNews Take: Time to upgrade*!

*If your needed applications are compatible. If not, be careful to the point of perhaps not using Keychain to store your passwords.

SEE ALSO:
Apple releases macOS High Sierra 10.13 Supplemental Update with fix for APFS Disk Utility bug and Keychain vulnerability – October 5, 2017

13 Comments

  1. SMDH: “Time to upgrade*!

    *If your needed applications are compatible. If not, be careful to the point of perhaps not using Keychain to store your passwords.”

    1. High Sierra runs (if somewhat slowly) on a late 2009 iMac. How many other companies are still supporting 8-year-old hardware? How many users have a non-Apple computer that is 8 years old and still in regular use? How do the other companies get away with their crap?

      1. Most real companies signed leasing agreements long ago. I can imagine there ARE some mission critical systems on some specific old hardware, but they build up the infrastructure around it to make the risk manageable.

        Remember, what’s been “fixed” didn’t even need to be fixed if you could trust that human beings would not run applications AND provide security clearance to apps called “yourhusbandischeating” that was attached to a spam email. This is truly one of those “people are idiots, so yeah, we’ll fix it” moments.

  2. Can’t help imagining what MDN’s take would be if this were ChromeOS/Android/Microsoft and the advice was “for now, just don’t use a core part of the OS.”

  3. I just finished writing a reply to someone here regarding the Keychain exploit, providing detail sources. I might as well post them in this thread as well.

    This exploit is known as CVE-2017-7150. Here is what Apple stated about the exploit in their document “About the security content of macOS High Sierra 10.13 Supplemental Update”:

    Security
    Available for: macOS High Sierra 10.13
    Impact: A malicious application can extract keychain passwords
    Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.
    CVE-2017-7150: Patrick Wardle of Synack

    The official CVE description is still being kept secret for the moment. I strongly suspect that’s due to the fact that other versions of macOS have not yet been patched.

    Here is Patrick Wardle’s single post about the exploit, as found on Twitter. Note that it provides a link to a CLI demonstration of the exploit, without providing any further methodology. Also note that Patrick points out in the tweet’s comment thread that this exploit exists in ‘all’ versions of macOS. I hope that’s simple and clear. It is not limited to 10.13 High Sierra.

    1. You have to execute an untrustworthy application. As long as you don’t run the programs random people send you and THEN give that program admin rights by typing in your password, you’re fine.

  4. When I saw the 10.13 update in the App Store app the other day, I went ahead and installed it. This was a mistake. Once installed, I no longer had internet access, even though I had solid connections to my routers and modem through wireless (Apple routers) and Ethernet back to my Mac. iOS devices could connect to the Internet through the same routers. The Mac was getting, and could renew, an IP address. I thoroughly troubleshot the connection, and finally came to the conclusion that the update corrupted something deep level on the Mac (and, yes, I had zapped the PRAM (NVRAM) and checked out the Fusion drive after booting into Safe Mode). I ended up having to restore from a Time Machine backup earlier in the day (before the update was installed). As I have a LOT of data, this took about 8 hours. Once restored, the Internet connection worked fine. What was curious is that the “About This Mac” info showed that I already had 10.13 installed. A couple years ago I saw a lot of the App Store app updates for Apple software asking to be reinstalled over and over again (I’d install successfully, then the update request would reappear in the app; this was a known problem at the time). I don’t know if Apple is having this same problem again or what. I know that during any update it is possible for a corruption to happen (a glitch during download, etc.), but I am wary of applying this update again, especially when the Mac is telling me that I already am using 10.13.

    Anyone else have similar problems?

    1. I do see that this is a supplemental update to 10.13, the latter having come out Sept 25th. With my former experience trying to update with the supplemental, I am still wondering whether to update again – I can’t lose a day’s use of the computer if it needs to be restored again. I wonder why they didn’t call this 10.13.1.

      Again, anyone else have problems with this supplemental update?
