Apple Releases macOS High Sierra; Ex-NSA Hacker Publishes Zero-Day
Date: 2017-09-25
Apple today released the newest version of its operating system for Macs, macOS High Sierra, to the public. macOS High Sierra is a free download, and offers a range of new features and improvements including the new Apple File System, and support for High Efficiency Video Encoding (HEVC) for better compression without loss of quality, and HEIF for smaller photo sizes.
Zack Whittaker, reporting for ZDNet: Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack -- a password exfiltration exploit -- in action. Passwords are stored in the Mac's Keychain, which typically requires a master login password to access the vault. But Wardle has shown that the vulnerability allows an attacker to grab and steal every password in plain-text using an unsigned app downloaded from the internet, without needing that password.
WTF (Score:1)
Let's retire 'drop' (Score:5, Insightful)
Re: (Score:2)
Re:Let's retire 'drop' (Score:4, Informative)
Seems odd that two only slightly related news stories are concatenated into a single /. post.
The keychain hack seems to be working on any Mac OS, not just High Sierra.
Re: (Score:2)
Isn't this a known "feature" of Keychain? Pathetic and problematic, but well known.
I was trying to script it myself to export Keychain data to something more secure a year or two ago.
Re: (Score:2)
Every time I see the word 'drop' in this context, I have flashbacks to "All your base are belong to us".
Ex: "Apple set us up the MacOS High Sierra"
That didn't take long (Score:2)
It seems inevitable that security holes will be in modern systems. We can argue about the why, or how this system is better than that system. But there is seemingly no end to vulnerabilities simply because of the complexities of modern systems. Too many variables, and it only takes one hole in the fence for the raptors to get through.
Re: That didn't take long (Score:2, Insightful)
You should continue posting this into the Windows and Android threads too.
That said, how the hell do you access an encrypted storage area without the key? This sounds like a major fail in design and not a "bug" in the usual sense.
Re: (Score:2)
Re: (Score:2)
That said, how the hell do you access an encrypted storage area without the key?
. . . oh . . . with the right National Security Letter . . . you would be surprised at what all you can access, with the friendly help of the company that produced the device.
If a company does not cooperate (collaborate) with the US spooks . . . the CEO wakes up with a bloody horse head in bed.
So if the spooks have ways of accessing "inaccessible" stuff . . . it will eventually get leaked, and someone else can do it, as well.
Re: (Score:2)
Let's be clear this affects older OS X as well (Score:5, Informative)
This hack affects High Sierra as well as older versions according to the article. The title of this implies that this is specifically something related only to the new OS.
Big security flaw that needs to be fixed (Score:3)
However the user does need to download and run the app - so the current iteration isn't problematic (nor is it intended to be). And, since it's unsigned, I'm assuming it won't work for most users by default - unless, like me, you change that setting.
I'm certain we'll see this weapon used soon enough, though... and we regularly do see users get manipulated into running things they shouldn't, even when lots of warning boxes pop up along the way. Plus it's always possible there's another way to exploit the flaw which doesn't have to run under the specific user's account.