Stories
Slash Boxes
Comments

SoylentNews is people

macOS High Sierra Available—And Vulnerable to Keychain Attack

posted by Fnord666 on Sunday October 01 2017, @01:27AM   Printer-friendly
from the bite-of-the-apple dept.
News Security

"exec" writes:

Arthur T Knackerbracket has found the following story:

Apple made its latest OS update available Monday, but the release of High Sierra was tainted somewhat by the fact it comes replete with a critical vulnerability that allows an attacker to dump plaintext passwords from the macOS Keychain.

Researcher Patrick Wardle, chief security researcher at Synack, discovered the issue in early September and privately disclosed to Apple. The disclosure, however, did not preclude Apple from making High Sierra public yesterday. Wardle said in a post published yesterday that he expects a patch to be forthcoming.

The vulnerability is not exclusive to High Sierra; Wardle said he also tested it on Sierra, and that it appears El Capitan is vulnerable also.

Wardle did not provide specific information on the vulnerability, other than to say that non-privileged code or a malicious application could gain illicit access to the Keychain and steal passwords. He said the bar is set low in terms of ease of exploit.

Wardle emphasized too that an attacker would already have to be on a Mac machine in order to carry out his attack, and that the Keychain would have to be unlocked, which it is by default when the user logs in.

"Theoretically, this attack would be added as a capability or as a payload of such malware," Wardle wrote. "For example, the malware would persist, survey the system, then use this attack to dump the keychain."

-- submitted from IRC

Previously: Ad Industry “Deeply Concerned” About Safari’s New Ad-Tracking Restrictions
Ask SoylentNews: How did Your Upgrade to macOS High Sierra Go?

Original Submission

Related Stories

Ad Industry “Deeply Concerned” About Safari’s New Ad-Tracking Restrictions 115 comments

MrPlow writes:

Submitted via IRC for SoyCow5743

Apple's limits on tracking will "sabotage the economic model for the Internet."

Apple's latest operating systems for the Mac and iPhone will soon be rolling out, and with that comes new restrictions on ad-tracking in the Safari browser. Adding a 24-hour limit on ad targeting cookies is good for privacy under Apple's new "Intelligent Tracking Prevention" feature. But if you're an advertiser, the macOS High Sierra and iOS 11 Safari browsers spell gloom and doom for the Internet as we know it. The reason is because Safari is making it harder for advertisers to follow users as they surf the Internet—and that will dramatically reduce the normal bombardment of ads reflecting the sites Internet surfers have visited earlier. Six major advertising groups have just published an open letter blasting the new tracking restrictions Apple unveiled in June. They say they are "deeply concerned" about them:

The infrastructure of the modern Internet depends on consistent and generally applicable standards for cookies, so digital companies can innovate to build content, services, and advertising that are personalized for users and remember their visits. Apple's Safari move breaks those standards and replaces them with an amorphous set of shifting rules that will hurt the user experience and sabotage the economic model for the Internet.

Apple's unilateral and heavy-handed approach is bad for consumer choice and bad for the ad-supported online content and services consumers love. Blocking cookies in this manner will drive a wedge between brands and their customers, and it will make advertising more generic and less timely and useful.

The letter is signed by the American Association of Advertising Agencies, the American Advertising Federation, the Association of National Advertisers, the Data & Marketing Association, the Interactive Advertising Bureau, and the Network Advertising Initiative.

Source: https://arstechnica.com/tech-policy/2017/09/ad-industry-deeply-concerned-about-safaris-new-ad-tracking-restrictions/

Original Submission

Ask SoylentNews: How did Your Upgrade to macOS High Sierra Go? 40 comments

An Anonymous Coward writes:

The latest version of Apple's macOS operating system, macOS High Sierra, has been released. If you have upgraded your system already, how did the upgrade go? Did you encounter any problems? If you have not yet updated, why have you chosen not to?

Original Submission

This discussion has been archived. No new comments can be posted.
macOS High Sierra Available—And Vulnerable to Keychain Attack | Log In/Create an Account | Top | 2 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)

  • (Score: 0) by Anonymous Coward on Sunday October 01 2017, @02:01AM

    by Anonymous Coward on Sunday October 01 2017, @02:01AM (#575445)

    So he gave them less than a month to patch this issue before going public, all the while knowing they were in the midst of an OS release. Why the rush? If this was Google’s itchy trigger-fingered security group releasing vulnerability info so quickly we’d lambast them.

  • (Score: 2) by LoRdTAW on Sunday October 01 2017, @02:36AM

    by LoRdTAW (3755) on Sunday October 01 2017, @02:36AM (#575456) Journal

    Ha! Silly Apple. Everyone knows blockchain is better! Wait, is there a blockchain joke in there? I'll just show myself out...

(1)