
SoylentNews is people

posted by Fnord666 on Sunday October 01 2017, @01:27AM
from the bite-of-the-apple dept.

Arthur T Knackerbracket has found the following story:

Apple made its latest OS update available Monday, but the release of High Sierra was tainted somewhat by the fact that it ships with a critical vulnerability that allows an attacker to dump plaintext passwords from the macOS Keychain.

Researcher Patrick Wardle, chief security researcher at Synack, discovered the issue in early September and privately disclosed it to Apple. The disclosure, however, did not stop Apple from releasing High Sierra yesterday. Wardle said in a post published yesterday that he expects a patch to be forthcoming.

The vulnerability is not exclusive to High Sierra; Wardle said he also tested it on Sierra, and El Capitan appears to be vulnerable as well.

Wardle did not provide specific details of the vulnerability, other than to say that unprivileged code, such as a malicious application, could gain illicit access to the Keychain and steal the passwords stored in it; no elevated privileges are required. He said the bar for exploitation is low.

Wardle also emphasized that an attacker would already have to be running code on the Mac in order to carry out the attack, and that the Keychain would have to be unlocked, which it is by default once the user logs in.

"Theoretically, this attack would be added as a capability or as a payload of such malware," Wardle wrote. "For example, the malware would persist, survey the system, then use this attack to dump the keychain."
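The precondition mentioned above, an unlocked Keychain, is the default state because macOS unlocks the login keychain at login and leaves it unlocked for the rest of the session. The following is an added example, not code from the article or from Wardle: a POSIX shell script that uses Apple's `security` command (present on macOS only) to make the login keychain lock on sleep and after a period of inactivity, and then re-reads the settings to verify them. It assumes that `security show-keychain-info` reports settings in the form `Keychain "<path>" lock-on-sleep timeout=300s` (or `no-timeout` when no inactivity lock is set); the sample lines in the comments are constructed for illustration. This narrows the window in which a keychain dump succeeds; it does not fix the bug, since malware running while the keychain is unlocked can still read it.

```sh
#!/bin/sh
# Added example (not from the article or from Wardle): shrink the window during
# which the login keychain sits unlocked, using Apple's `security` CLI.
# The apply step only works on macOS; the checking helper is pure shell.

# keychain_is_hardened LINE MAX_SECS
# LINE is one line of `security show-keychain-info` output, assumed to look like
#   Keychain "/Users/alice/Library/Keychains/login.keychain-db" lock-on-sleep timeout=300s
# or, for a keychain that never auto-locks (the default after login):
#   Keychain "/Users/alice/Library/Keychains/login.keychain-db" no-timeout
# Returns 0 only when lock-on-sleep is set and the inactivity timeout is at most MAX_SECS.
keychain_is_hardened() {
    line="$1"
    max="$2"
    case "$line" in
        *lock-on-sleep*) : ;;
        *) return 1 ;;
    esac
    # Extract the numeric timeout; an absent timeout means "never locks on inactivity".
    timeout=$(printf '%s\n' "$line" | sed -n 's/.*timeout=\([0-9][0-9]*\)s.*/\1/p')
    [ -n "$timeout" ] || return 1
    [ "$timeout" -le "$max" ]
}

# harden_login_keychain MAX_SECS
# Sets lock-on-sleep (-l) and lock-after-inactivity (-u) with timeout -t MAX_SECS
# on the login keychain, then verifies the result. Returns 2 when `security` is
# not available (non-macOS host), 1 when the settings could not be applied or
# did not verify, 0 on success. The keychain must be unlocked for the change,
# so macOS may prompt for the login password.
harden_login_keychain() {
    max="$1"
    command -v security >/dev/null 2>&1 || return 2
    # `security login-keychain` prints the path indented and quoted; strip both.
    kc=$(security login-keychain | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//')
    [ -n "$kc" ] || return 1
    security set-keychain-settings -l -u -t "$max" "$kc" || return 1
    # show-keychain-info writes to stderr, hence the redirect.
    info=$(security show-keychain-info "$kc" 2>&1)
    keychain_is_hardened "$info" "$max"
}

# Usage: lock the login keychain on sleep and after five minutes idle.
rc=0
harden_login_keychain 300 || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "login keychain now locks on sleep and after 300s of inactivity"
elif [ "$rc" -eq 2 ]; then
    echo "skipped: 'security' not found, this host is not macOS" >&2
else
    echo "failed to apply or verify keychain settings" >&2
fi
```

On a Mac, `security show-keychain-info` can be used afterwards to confirm the change. Keep in mind that an inactivity lock re-prompts for the login password whenever an application next needs a keychain item, so pick a timeout the user will tolerate.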

-- submitted from IRC

Previously: Ad Industry “Deeply Concerned” About Safari’s New Ad-Tracking Restrictions
Ask SoylentNews: How did Your Upgrade to macOS High Sierra Go?


(Score: 0) by Anonymous Coward on Sunday October 01 2017, @02:01AM (#575445)

    So he gave them less than a month to patch this issue before going public, all the while knowing they were in the midst of an OS release. Why the rush? If this was Google’s itchy trigger-fingered security group releasing vulnerability info so quickly we’d lambast them.