Apple Releases macOS High Sierra; Ex-NSA Hacker Publishes Zero-Day

rgMekanic

Patrick Wardle, a former NSA hacker, showed off a zero-day exploit in macOS High Sierra that allows an attacker to steal every password stored in the Keychain without needing a master login password. He reported the bug to Apple earlier this month, but the patch did not make it into the release of High Sierra today.

Kinda crazy that Apple would let an exploit like this walk out the door. Even more crazy is Wardle found another zero-day exploit in High Sierra earlier this month, that one showing that the secure kernel extension loading feature is vulnerable to bypass. He also has released a video of the keychain hack, which can be found here

"As a passionate Mac user, I'm continually disappointed in the security of macOS," he said. "I don't mean that to be taken personally by anybody at Apple -- but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there. I'm sure sophisticated attackers have similar capabilities. Apple marketing has done a great job convincing people that macOS is secure, and I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable."
 
Just run Qubes OS.

It's a tradeoff between simplicity and security. Why operating systems can't be compartmentalized, because of user functionality, I'll never understand.
 
I can say the same thing about Windows too.

Sure you can. But there's one big difference between the two: there'll be a heck of a lot more developers working on a fix for Windows than there will be for the Mac OS.
 
The difference between a security exploit on Windows and an exploit on MacOS is that when it occurs on Windows it's damn close to a world-ending kind of thing because Windows is used on so many systems around the world, whereas on MacOS the target is not nearly as huge.
 
I could only imagine what this should do to their stock prices. Kind of makes you wonder why it's not headline news or front page.
 
I think all the security jibber jabber falls on deaf ears for most of the MAC crowd; they don't "understand" computers in the first place (might be some exceptions). So when Apple is vocal and says no security issues, why would they ever doubt that?

These days it is all about perception rather than substance. One thing does bother me: the releasing of the zero day exploit, is that a public warning or just a way to counter other parties already abusing this?
 
I think all the security jibber jabber falls on deaf ears for most of the MAC crowd; they don't "understand" computers in the first place (might be some exceptions). So when Apple is vocal and says no security issues, why would they ever doubt that?

These days it is all about perception rather than substance. One thing does bother me: the releasing of the zero day exploit, is that a public warning or just a way to counter other parties already abusing this?


He did not release the exploit. He posted a video of his exploit in action. He may release it though. Step one is to notify. If not patched, step two is to show off PoC. Still no patch, step three is to hack the planet.
 
The difference between a security exploit on Windows and an exploit on MacOS is that when it occurs on Windows it's damn close to a world-ending kind of thing because Windows is used on so many systems around the world, whereas on MacOS the target is not nearly as huge.


Indeed, if all the Macs in the world disappeared overnight, the world would happily continue.
 
But Macs don't get viruses. Only second class pc users get viruses. I seen the commercial. FIREWALL !
 
Indeed, if all the Macs in the world disappeared overnight, the world would happily continue.

But I would be displeased to have lost 15TB of ripped movies. I thought ZFS was supposed to protect from spontaneous dimensional expulsions? I specifically asked about that scenario and was assured not to worry about it!
 