The vulnerability is effectively the same as contacting a user and asking them to email you your passwords, given all that would need to occur to install the exploit.

Yet you know what you are installing; you can't always save a user from themselves.

No reason to use anything outside the App Store or not from a trusted vendor unless it's something I've written myself.
I think I know what I'm installing. If I'm spoofed, I'm in real trouble.

Lots of people are telling us to download only Mac App Store sw. I and lots of others are saying that's pretty much impossible, and if you're outside the store, you have to use your password.
 
For the majority of OSX users (you know, the ones that surf the web, check email, and play a few games) it’s ENTIRELY realistic. And it’s not like what Apple asks from Developers is onerous, it’s that what the developers have decided to do as a business model is do something that generally shouldn’t be done.

Like Rogue Amoeba and Audio Hijack. I love it and use it every now and again, but, no, you shouldn’t insert a third party into the trusted audio stream and send the output elsewhere (for a malicious application, “elsewhere” could be some pretty bad places). However, there are people that want to do this and are willing to pay money to reduce the security of their system for a moment (and TRUST that Rogue Amoeba hasn’t gotten hacked such that malicious code is in their delivery) for the ability to do so.

That's precisely it - even if you do do it, Rogue Amoeba is a trusted vendor.

To just allow random applications access to your system without a clue to their provenance is, I'm convinced, not something most users would do.

Then be sure to verify your software.

For example, Adobe tells me to update Flash, but I always download it from Adobe myself; I never "click to install."
 
Given Apple's past behavior, he probably did and they probably threatened to sue him into not exposing the flaw.
From the description of the vulnerability, I’d imagine it was more like:
“Oh, another one of these ‘IF THE USER RUNS THIS APPLICATION AFTER GIVING IT ADMIN PRIVILEGES, IT CAN DO THINGS THAT ADMINS CAN DO!!’ Put it on the bottom of the pile and we’ll get around to it after we’ve fixed these 4 other security issues where a system can be affected WITHOUT an admin’s permission.”

Might not be, of course, but for anyone that’s been in development for the last several years, you know that most everything that needs to be done gets prioritized and worked according to importance. As long as a user doesn’t disable GateKeeper, they’re fine here, so I can see how it would be outprioritized.
 

This has nothing to do with "outside the App Store". This exploit can easily be included in an App Store app and no one would be the wiser. Get a stolen credit card, buy an Apple account, put the exploit in an open source app, re-skin it a bit and voilà, collect accounts from unsuspecting users.
 
Apple's advice is only use software that Apple approves of, sells you, and takes a 30% cut of.

If you think it's okay to use a computer that way, the iPhones are over there ---->.
No, actually, it's not their only piece of advice. Nor did I say that I think it's okay for macOS to be a completely closed off system.

 
No update for me then, at least for a while. What is going on with Apple’s software quality control?
As has been mentioned, update or not, you’re still vulnerable to this... if you download a malicious application... and, attempt to install it... and, go around GateKeeper... and, then provide your admin credentials. So don’t do all those things and you should be fine.
Do people realize he's the fellow behind BlockBlock and RansomWhere? etc. at Objective-See? It's not like he's some random Mac-basher.
This just means, beyond the shadow of a doubt that he is FULLY aware of how serious this is from a security perspective (not very, just don’t download or let anyone trick you into downloading and providing admin access to random applications) and is more than likely intentionally being sensationalist because... I don’t know, maybe his sales had dropped and he needed more people to know his name? So they’d buy his stuff?

I didn’t know his apps before and, because of this behavior, I don’t ever care to use them.
 
...

The day I was unable to use non-Mac App Store software for personal use on macOS, that would be the last day of using macOS; macOS would render itself utterly useless.
OMG, are you telling me you download apps from outside the App Store every single day, can’t stop until Apple deals with this??

This isn’t about accessing websites, it’s about downloading and installing non-Mac App Store apps; the problem comes in when you install an infected app and give it your admin password.

Overreacting people, you are giving way to the FUD.
 
The Mac OS was available nearly 30 years before the concept of an "App Store" even existed.
MacOS was available before Xcode and GateKeeper, too :) Not sure what the point was, unless you thought I was talking about macOS prior to today. Because I didn’t really spell it out when I was writing.
 
You are presuming the bad guys aren't already aware of this issue. It exists in High Sierra, Sierra, and so on... Seems Apple has had years to find it and fix it !
Yes, and the ENTIRE OPEN SOURCE COMMUNITY had YEARS to find/fix the exploit in a nearly ubiquitous SSL/TLS Library that ended up becoming the basis for the HeartBleed Exploit.

http://heartbleed.com/


So, What's your point?

There are many other examples of Open Source Libraries (remember the "many eyes" concept) where serious vulnerabilities have languished for years, even DECADES.

https://www.wired.com/2014/12/most-dangerous-software-bugs-2014/


And I am really not trying to pick on Open Source here. But if the entire PLANET can't find a damned vulnerability in the Unix BASH Shell for TWO DECADES, then I think it is reasonable to assume that Apple could miss a few, too...

The moral of the story is: You find vulnerabilities when you find them. And you only HOPE you find them before the bad guys.
 
sigh. don't download junk, don't jeopardize your computer. Common sense is the best anti-virus.
lol....you speak as if 90% of the Apple user base understands or cares about this. They have real life issues like spilling fraps on their keyboards.
 
I know I've entered my admin password to install software before. Heck, Adobe makes you do it for the flash plugin. I'm sure I've had to dl software outside the app store on many occasions (e.g., printer software, steam, malwarebytes, etc...). Having to do this doesn't make the user an idiot. It simply means not every valid SW provider gets identified.
Just use common sense, make sure you download from the “Real Adobe website”.
Adobe Flash has been discontinued, it’s loaded with vulnerabilities, but some websites still insist on using it.
I don’t think a user is an idiot in this case, just a victim of entities that refuse to move on.

But if you download software from sites with low reputation, you are risking getting hacked, regardless of what O.S. you use.
 
The bug has absolutely nothing to do with the fact that the app was unsigned. An app from the App Store or a "trusted" company's web site can do this and, if you read any of the links in my prior post, infiltration of big companies' software development systems happens a lot.

The issue is a big hairy deal because it shows the triviality of bypassing the authentication into the keychain.
 
When did I say that I download apps everyday out side the App Store? I didn’t.

I know full well it’s about non-App Store apps. Websites are irrelevant - why did you even bring that up?

Follow the specific comment thread - instead of commenting on a single post - then you’d understand the context of the comment, which you clearly did not. There is no FUD at all.

Would have been great if he contacted Apple before the OS was released. Just looking for attention. Jerk

Why? If Apple has released an unsafe OS update, people need to know that they are vulnerable. Why should he go out of his way to protect Apple's reputation when Apple didn't even do it themselves? If Apple were going to take up to 90 days to 'patch' it (as some have suggested), then they still would have been releasing a vulnerable OS to their customers.

People that would actively want to exploit this vulnerability would have figured it out just like this guy did - and kept it to themselves. Effectively all he is doing is warning people like us that Apple isn't infallible, they do release vulnerable software, and we need to be responsible for the safety of our own data instead of pretending that Apple will do that for us.
 
I wonder if he reported this to Apple and then waited for the public release before announcing it. Apple likely had the bug report and possibly ignored it or irresponsibly released High Sierra knowing this bug exists.

What is not clear is does this ONLY affect High Sierra, or does it affect earlier versions of macOS, as well?

I've been trusting my info to Keychain for 16 years, so this is a big deal to me.
They’ve already said this affects all versions of OSX. What more do you need?
 
I totally agree, but the idea is that the user can't necessarily prevent being harmed by this vulnerability simply by using good judgment. From the user's perspective, he/she can be reasonably cautious and still be breached. That's obviously an OS issue that needs fixing.
 
Apparently the guy did contact Apple before the OS was released
Here from Gizmodo

"Wardle reported the vulnerability to Apple on September 7th and said he expects that Apple will likely ship a patch soon. He said he won’t make his exploit public until it’s patched. He designed it with the assumption that Keychain would be unlocked, since a user’s login password is typically used to unlock the Keychain. However, if a user had set a different password for the Keychain, the attack would not work. Wardle also noted that the vulnerability exists in older versions of macOS as well as High Sierra."


He did contact Apple back in September and alerted them
https://gizmodo.com/high-sierra-reportedly-has-a-password-problem-1818734894
 
When he realized it wouldn’t be fixed before release, he must have been thinking, “I can’t wait until this is released! Think of the publicity I’ll get from EVERYONE writing about this.”

He COULD have resisted the urge and not come off as opportunistic...
 