1. Would have been even greater if Apple had people who found these kinds of bugs themselves before release.
2. You don't know if he found this yesterday. But sure, hate on the guy who might have prevented your bank account password from ending up in the wrong hands. Jerk.

Sure, but Apple is not alone in needing outsiders to find bugs like this; it's an industry-wide problem. All the big players have bug bounties for this kind of thing, and none of them can find them all in house.
 
You missed the bit about this NOT being a new vulnerability. Generally, it is safer to stay up to date. If you're running an OS that hasn't been patched for a year you will be exposing yourself to widely disseminated exploits.
Apple has been supporting macOS with security updates for about a year after they're replaced. Of course I update as soon as anything becomes unsupported.
The bottom line is, an app that you install without admin privilege just shouldn't be able to read your Keychain data. Sure, running an untrusted app is always a security risk, but there should be limits to how much damage it can do.
Even with admin privileges, can it? I don't remember. Doesn't seem like it should. Plenty of things ask for admin privileges, usually because they have to do one little thing that requires it.
 
So even if you use Safari and don't allow it to save website login and passwords, is Keychain still storing your passwords even if you say NO? I'm confused as to what Keychain does and how it works.
 
Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk
Doesn't look like he's releasing enough details for an attacker to use the exploit.
What _can’t_ a non-sandboxed, unsigned application do though? If my login has the ability to see my keychain passwords (it does, and I can), shouldn’t I naturally expect any software running on my creds has that power too?
When it's locked, it seems that nothing but your keychain password can unlock it. By default you use the "login" keychain that's locked with the login password, and it unlocks when you log in, but if you change your login password without updating that (e.g. through single user mode or by transferring the keychain files), login won't unlock it.

Even when "unlocked," there are still additional permissions required to read it, and it prompts the user for that. Anything that gets around that is considered a vulnerability. TBH I don't know exactly how the second part works and think it's unnecessarily confusing for a user who wants to know what permissions they're granting.
 
When I click on About This Mac > Software Update, it doesn't show the High Sierra option. I know I can manually download it, but why isn't it showing up as an update? I've only been using a Mac for a year, so I'm not very proficient in macOS.
 
The thing is, malicious hackers will almost certainly have cottoned on just as quickly as this guy did. Making it public means it goes up Apple's priority list to fix, which is a good thing.
 
As already disclosed, he made Apple aware of the bug in early September, shortly after discovering it. He didn't expose anyone. Apple did. He simply made the public aware of an unpatched bug.

Thereby exposing tens of millions of people. He even acknowledges himself that Apple hasn't had enough time to patch it:

As my discovery of this bug and report (in early September) was 'shortly' before High Sierra's release, this did not give Apple enough time to release a patch on time. However, my understanding is a patch will be forthcoming!
The thing is, malicious hackers will almost certainly have cottoned on just as quickly as this guy did.

No. This security flaw has been around for years, and nobody found it until now. There are decades-old security flaws lurking in all sorts of code.
 
When I click on About This Mac > Software Update, it doesn't show the High Sierra option. I know I can manually download it, but why isn't it showing up as an update? I've only been using a Mac for a year, so I'm not very proficient in macOS.
Open the App Store and go into Preferences and select "Install macOS updates" under the "Automatically check for updates" section.
Not sure if it applies to new version updates, but point releases upgrade just fine.
It's not selected by default as many people prefer to control when their computers are upgraded.
 
If Apple knew about it anyway then they would have serious questions to answer.
There is a LOT companies know about that doesn't stop them releasing damaging hardware/software. A lot of companies also sail so close to the wind that it's only a matter of time before a problem presents itself.
 
I see...so a company that designs and manufactures USB IC chips and then offers drivers so you can actually use those chips with a mac is doing something that generally shouldn't be done.
Precisely! If their driver requires you to allow that company access to privileged areas of your system to use it, then when you allow it, it should be with the understanding of the risks. If the risk is not understood (and generally it’s not), then it generally shouldn’t be done. There are companies making millions and billions of dollars every year without requiring admin rights for an installation (both hardware and software), so it's far more the rule than the exception.


How does that make the system less secure? There are many such examples I use personally and thousands more I don't but others do.
A macOS system running a third party system level addition is less secure than one that isn’t. For each addition, you’re that much less secure. It may not feel like it because you feel you can trust the vendors, BUT hackers that attack developer code bases do so BECAUSE they know people trust the source... if they can get in there, they will be deployed to hundreds/thousands of computers with admin permissions.
I wouldn’t. I’m glad he didn’t either. He forced Apple to make a fix a priority.
Apple set the priority when he told them about it (This is assuming that it wasn’t a bug already slated to be fixed. We only have his word to go on that Apple didn’t know about it.). At that point, it was going to be fixed on their timetable. That timetable hasn’t changed, they won’t be rushing out a release for this. It’ll be covered in the release it’s already planned to be completed in. SO, him standing in a pulpit preaching about an issue that’s NOT even that severe is all about self-promotion.

Some people like to promote themselves with the pretense that “I’m doing it for YOU!” Those with integrity usually don’t. Especially not with something that is essentially clickbait.
This is actually a serious bug. For those of you saying it requires convoluted steps in order to exploit (disabling Gatekeeper), it doesn't.
My rule of thumb for “how serious this is” always starts with “Am I required to interact and provide my admin credentials?” If so, then it’s not serious, BUT that could be because I remember stories of systems being compromised with no input from the user. That, to me, is serious. Anything that counts on a user to make it work... well, that’s ALL exploits. You wouldn’t say that being able to delete a file that you placed in the trash is a serious bug just because I could coerce a user into deleting all their photos.

Are you saying that a developer signed app downloaded from outside the App Store would NOT bring up the “This app was downloaded from the internet” dialog that has to be dealt with?

running untrusted app is always a security risk
My point exactly.
If you got the information that a patch is forthcoming, wouldn't it have been better to perform a responsible disclosure and not publish the details before the patch is out? For after all, Apple had less than a month to react right before a major release, so it wouldn't be unreasonable to give them at least a full month.
See, you’re thinking about this from the wrong angle. Instead of the “I am a responsible security researcher” angle think more about the “If I can get this to go viral, my name will be EVERYWHERE!” angle.

THEN it makes total sense :)
 
Unfortunately, this isn't realistic. There are many applications that simply cannot abide by apple's rules.

Thankfully macOS isn't locked down like iOS, otherwise macOS apps would be one trick pony like iOS. Past few companies I've worked at have all used Macs. We 100% relied upon apps that were not in the app store. We'd have to use windows or linux.

The day I'm unable to use non Mac appStore for personal use on macOS, that would be the last day of using macOS; macOS would render itself utterly useless.

Maybe if the AppStore was the only way of obtaining apps, developers would write code in a compatible fashion? Right now, there is no incentive for them to change their way of thinking/ programming.
How about all those people on this forum who called me a jerk for refusing to update immediately come read this article? This kind of thing is exactly why I stay a year behind.

Well, this bug also affects your system. Secondly, you're likely affected by a whole heap of bugs fixed by High Sierra. Being 1 year behind is never a good thing.
 
From what I've read, this is not limited to High Sierra. I was thinking the same thing — wait for the x.1 update — but now that I know this affects my current 10.12.6 system, and I've trusted Keychain to my passwords for 16 years, there really is no reason _not_ to update. Updating does not introduce this vulnerability. It was just reported that way, sadly.
This is why I'm using another password manager now.
 
OMG, to enable this software you have to enter System Preferences, answer YES on two dialogues, and also enter your password. Then it may STEAL your not encoded things stored in the keychain (by default everything is stored encoded). I think I'm going to Windows now.

How can I downvote you? You are totally wrong. Do you realize that all it needs to sign an app is $99/year membership? There is no app review for macOS apps like it is for iOS. Anyone can sign any executable. If you pay your membership, you can sign an infected executable, and release it.
 
How can I downvote you? You are totally wrong. Do you realize that all it needs to sign an app is $99/year membership? There is no app review for macOS apps like it is for iOS. Anyone can sign any executable. If you pay your membership, you can sign an infected executable, and release it.
Buuuut, you can release what you want. If no one runs it, then it's not a very good exploit. Plus on my computer, downloading trusted signed software from the internet means you get a dialog saying "Hey, you're downloading this from the internet, are you SURE buddy?" Then you have to go make some settings changes before it'll actually install AND it will ask for your password.
 
Are you off your nut? So everyone would be exposed for 90 days or until Apple got off their buttocks to fix this - really?

This security hole has existed for years. Notifying the public of its existence without giving the vendor a chance to close it causes more harm than good.

E.g., Google has a policy of giving third parties 90 days' notice before disclosing a hole to the public.
 
On a related High Sierra update question - is it possible to update without changing over to AFS, the new file system? I don't have an SSD installed, and it seems like they're advising against AFS on anything but that.
If you upgrade to High Sierra, the filesystem change is included. You can't update to HS without getting the new filesystem.
 