FeedSource: [Threatpost]
Time: 2017-09-27 12:03:02 UTC
Original URL: https://threatpost.com/macos-high-sierra-available-and-vulnerable-to-keychain-attack/128149/ [threatpost.com] using UTF-8 encoding.
Title: macOS High Sierra Available—And Vulnerable to Keychain Attack
--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---
Arthur T Knackerbracket has found the following story [threatpost.com]:
Apple made its latest OS update available Monday, but the release of High Sierra was tainted somewhat by the fact it comes replete with a critical vulnerability that allows an attacker to dump plaintext passwords from the macOS Keychain.
Researcher Patrick Wardle, chief security researcher at Synack, discovered the issue in early September and privately disclosed it to Apple. The disclosure, however, did not preclude Apple from making High Sierra public yesterday. Wardle said in a post published yesterday that he expects a patch to be forthcoming [patreon.com].
The vulnerability is not exclusive to High Sierra; Wardle said he also tested it on Sierra, and that it appears El Capitan is vulnerable also.
Wardle did not provide specific information on the vulnerability, other than to say that non-privileged code or a malicious application could gain illicit access to the Keychain and steal passwords. He said the bar is set low in terms of ease of exploit.
Wardle emphasized too that an attacker would already have to be on a Mac machine in order to carry out his attack, and that the Keychain would have to be unlocked, which it is by default when the user logs in.
“Theoretically, this attack would be added as a capability or as a payload of such malware,” Wardle wrote. “For example, the malware would persist, survey the system, then use this attack to dump the keychain.”
The macOS Keychain is a critical security component for authentication. It’s an encrypted container that stores system usernames and passwords as well as credentials for applications and web-based services. It can also store payment card data, banking PINs and other credentials. Accompanying Keychain is Keychain Access, a password management application that stores credentials in the keychain, saving the user from having to enter them over and over on the web.
Wardle said that while apps can have access to Keychain data, they should not have access to the entire system.
“Obviously random apps should not be able to access the entire keychain and dump things like plaintext passwords. In fact, even signed Apple utilities (i.e. /usr/bin/security) that are designed to legitimately access the keychain explicitly require user approval or must authenticate (with the user’s password) before they are allowed to retrieve sensitive keychain data,” Wardle wrote. “This of course is a very wise security decision on Apple’s part.”
Wardle recommends that users be extra vigilant about running random applications from email and the web, in particular until a patch is available.
Wardle said his disclosure earlier this month included a proof-of-concept exploit.
Apple said in a statement provided to Threatpost: “macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents.”
Yesterday’s High Sierra release also included patches for 43 vulnerabilities [apple.com], including several code execution and denial of service bugs. Apple also made public yesterday security releases for macOS Server 5.4 [apple.com] and iCloud for Windows 7.0 [apple.com].
So since this seems to be on other versions of macOS, should I just install High Sierra? Or wait?
The researcher advises installing High Sierra. There are other important patches in the update, and a fix is coming for this one. Not much is known about this vulnerability, other than it exists.
Alrighty then, looks like I will be installing this update. Thank you.
Apple said that macOS’ native Gatekeeper security feature would protect against a Keychain attack disclosed this week, but researcher Patrick Wardle said that won’t help against Mac malware signed with an Apple certificate.
Michael Mimoso [soylentnews.org]
Tom Spring [soylentnews.org]
Christopher Brook [soylentnews.org]
-- submitted from IRC