“The zero-day vulnerability in macOS’s Keychain has been addressed by Apple, along with some other issues in High Sierra,” Stephen Withers reports for iTWire. “But other recent versions of the operating system are still vulnerable.”
“Just before High Sierra was released, security researcher Patrick Wardle disclosed the existence of a vulnerability that allowed an application to extract in plaintext form all the passwords stored in a keychain,” Withers reports. “Despite Wardle’s detailed private notification, Apple went ahead and released High Sierra with this vulnerability. At least it wasn’t remotely exploitable, but over the years some Mac users have been taken in by various Trojans, so there was a practical route for exploiting the vulnerability.”
“Apple released macOS High Sierra 10.13 Supplemental Update overnight to patch the vulnerability, crediting Wardle as the discoverer,” Withers reports. “According to Wardle, macOS Sierra 10.12 is also vulnerable, and ‘El Capitan appears vulnerable as well,'” Withers reports. “There is no indication from Apple that a fix will be forthcoming for those versions. The company’s position — which can only be inferred from what it does and does not release — seems to be that if a newer version of an operating system has the same hardware requirements as its predecessor, it feels no compulsion to offer a patch for the latter.”
Read more in the full article here.
MacDailyNews Take: Time to upgrade*!
*If your needed applications are compatible. If not, be careful to the point of perhaps not using Keychain to store your passwords.