macOS was available before Xcode and Gatekeeper, too :) Not sure what the point was, unless you thought I was talking about macOS prior to today, because I didn't really spell it out when I was writing.

The point is the onus is on Apple to keep critical bugs like this out of their OS, which was required of them before they developed the concept of siphoning a percentage of revenue off independent software developers with an app store.
 
How about all those people on this forum who called me a jerk for refusing to update immediately come read this article? This kind of thing is exactly why I stay a year behind.

Edit: Misread article (or it was updated? IDK). Vulnerability may affect older systems. Instead, I refer you to that WD drive manager bug or something...
 
How about all those people on this forum who called me a jerk for refusing to update immediately come read this article?
I've never thought it was a good idea to update immediately until I see what kinds of issues there are ... and there are always issues with major updates. It's not until these things are on millions of devices that Apple can actually spot real bugs affecting many people. And it takes time for fixes to be released.
 
I've never thought it was a good idea to update immediately until I see what kinds of issues there are ... and there are always issues with major updates. It's not until these things are on millions of devices that Apple can actually spot real bugs affecting many people. And it takes time for fixes to be released.
Yes, and I think Apple does a better job than most. It's just impossible to catch everything that can go wrong. Better for me to be safe and let everyone else test.
Publishing exploits is cyber-terrorism. These people should be jailed.
This would lead to companies not providing bug bounties and letting everyone instead wait for the real bad guys to find the exploits.
 
Maybe if companies found and fixed their own bugs then they wouldn't need to post wanted posters.
Millions of people is a much better way to find bugs than a team of engineers. You can have the best team of engineers on earth and they still won't have the ability to find bugs like users can. What's NOT okay is if bugs just go unfixed for months or even years on end.
 
Millions of people is a much better way to find bugs than a team of engineers. You can have the best team of engineers on earth and they still won't have the ability to find bugs like users can. What's NOT okay is if bugs just go unfixed for months or even years on end.

Millions of people, indeed! That might be if the open dialog box of Safari didn't work, but that's not the same as these deep exploits. And those "engineers" are not real engineers; they're developers. An engineer is legally responsible for the widget they engineer. Are software developers?
 
How about all those people on this forum who called me a jerk for refusing to update immediately come read this article? This kind of thing is exactly why I stay a year behind.

Your year-old system has exactly the same vulnerability.


 
Maybe if companies found and fixed their own bugs then they wouldn't need to post wanted posters.
There are plenty of cases of someone finding an exploit, contacting the company, and getting no response. At that point, they tend to release it publicly with a note saying "I contacted them 15 days ago, but..." So, what if they were jailed for that? It also seems odd to criminalize publicly spreading information that isn't a secret, just something most haven't discovered.
Your year-old system has exactly the same vulnerability.


Dang, thanks for the heads up.
 
There are plenty of cases of someone finding an exploit, contacting the company, and getting no response. At that point, they tend to release it publicly with a note saying "I contacted them 15 days ago, but..." So, what if they were jailed for that? It also seems odd to criminalize publicly spreading information that isn't a secret, just something most haven't discovered.
That's extortion...which is illegal.
 
1. Would have been even greater if Apple had people who found these kinds of bugs themselves before release.
2. You don't know if he found this yesterday. But sure, hate on the guy who might have prevented your bank account password from ending up in the wrong hands. Jerk.

Apple is a jerk! If he had reported this issue, they would have told him this issue would occur to one in a million or none. Apple has lost its mind in catching up with other companies.
 
Your comment was that they contacted the software house and got no response, so published the response. I class that as trying to extort something. That includes a formal response.
Apparently, the legal experts don't, because people do this publicly all the time.
 
No reason to use anything outside the App Store or not from a trusted vendor unless it's something I've written myself.

That is such a sad outlook. At least you can be happy with an iPad/iPhone as your only computing device.

Just the most basic things I do... the App Store doesn't have the Arduino IDE, the driver for the CH340 USB serial chips I use, or a whole bunch of engineering tools. They've got Fusion 360, but none of the slicers I use, no 3D printer drivers.

I have more than 50 apps on my MBP that I can't get from Apple. I'm glad Apple doesn't agree with you that there's no reason to do any of those things. Because a computing device that can't do those things is completely useless to me.
 
And it’s not like what Apple asks from Developers is onerous, it’s that what the developers have decided to do as a business model is do something that generally shouldn’t be done.

I see... so a company that designs and manufactures USB IC chips and then offers drivers so you can actually use those chips with a Mac is doing something that generally shouldn't be done.

There will always be edge cases that mean pro users will want to do things that make their systems less secure, BUT we as pro users already hold ourselves responsible for what happens when we make our systems less secure, right?

How does that make the system less secure? There are many such examples I use personally and thousands more I don't but others do.
 
When he realized it wouldn't be fixed before release, he must have been thinking, "I can't wait until this is released! Think of the publicity I'll get from EVERYONE writing about this."

He COULD have resisted the urge and not come off as opportunistic...
I wouldn’t. I’m glad he didn’t either. He forced Apple to make a fix a priority.

Even I myself won't necessarily fix every known bug until there is pressure to do so.
 
No reason to use anything outside the App Store or not from a trusted vendor unless it's something I've written myself.
I can't remember which, but I've run into dev software from big companies like Google that wasn't signed. And I've had no choice but to use it for whatever task it was. But it's pretty fair to prevent the average user from doing that by default and let us override.
 
This is actually a serious bug. For those of you saying it requires convoluted steps in order to exploit (disabling Gatekeeper), it doesn't. The malware developer could simply sign their apps with an Apple developer ID and Gatekeeper won't complain. The malware developer also wouldn't even need to make their own apps. Instead they could embed the malicious code in known popular apps. This is not theoretical. Just see the recent CCleaner news and how big of a cluster**** it is right now, in that a legit app has been compromised to include malicious code.

Sure, a sandboxed app sold on the App Store would be safer, but a lot of popular Mac apps are not sandboxed or delivered through the App Store, due to the limitations of the sandbox in macOS, especially professional and development tools.

The exploit also doesn't need admin privilege, so it's really not that hard to execute.

The bottom line is, an app that you install without admin privilege just shouldn't be able to read your KeyChain data. Sure, running untrusted app is always a security risk, but there should be limits to how much damage they can do.

Edit: Also, I wonder if the author gave advance notice to Apple? This seems like it's a 0-day which would imply he didn't... Unless Apple really screwed up in patching this.
 
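As an added example of the point made above (this is not code from the thread, from the researcher, or from Apple): Gatekeeper's verdict for a Developer ID-signed app is "accepted", which only tells you that Apple issued a certificate to a paid developer account, not that the code was reviewed or sandboxed. The script below parses the verbose output of macOS `spctl --assess` and labels what each verdict actually implies. The verdict/source/origin layout is assumed from the tool's verbose mode, the `SAMPLE_*` strings are constructed rather than captured, and `assess()` only works on a real Mac.

```python
# Added example (not code from the thread): parse the verdict that macOS
# `spctl --assess -vv` gives for an app bundle and say what it means.
# Assumed output layout: a verdict line "<path>: accepted|rejected" followed
# by "source=" and "origin=" lines. The SAMPLE_* strings are constructed for
# illustration; they are not real assessment output.
import re
import shutil
import subprocess
from dataclasses import dataclass

SAMPLE_DEVELOPER_ID = """\
/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)
"""

SAMPLE_APP_STORE = """\
/Applications/Pages.app: accepted
source=Mac App Store
origin=Apple Mac OS Application Signing
"""

SAMPLE_UNSIGNED = """\
/Users/me/Downloads/Tool.app: rejected
source=no usable signature
"""


@dataclass
class Assessment:
    path: str
    accepted: bool
    source: str = ""  # e.g. "Developer ID", "Mac App Store", "no usable signature"
    origin: str = ""  # signing identity Gatekeeper matched, if any


VERDICT = re.compile(r"^(?P<path>.+): (?P<verdict>accepted|rejected)$")


def parse_spctl(output: str) -> Assessment:
    """Turn spctl's verbose text into an Assessment."""
    result = None
    for raw in output.splitlines():
        line = raw.strip()
        m = VERDICT.match(line)
        if m:
            result = Assessment(m["path"], m["verdict"] == "accepted")
        elif result is not None and line.startswith("source="):
            result.source = line[len("source="):]
        elif result is not None and line.startswith("origin="):
            result.origin = line[len("origin="):]
    if result is None:
        raise ValueError("no verdict line found in spctl output")
    return result


def trust_level(a: Assessment) -> str:
    """What an 'accepted' verdict actually tells you about the code."""
    if not a.accepted:
        return "blocked"        # Gatekeeper refuses it unless the user overrides
    if a.source == "Apple System":
        return "apple"          # shipped with macOS
    if a.source == "Mac App Store":
        return "app-store"      # reviewed by Apple and sandboxed
    if "Developer ID" in a.source:
        # Only proves who the certificate was issued to: no review, no
        # sandbox, and the binary may be a trojanised build of a real app.
        return "developer-id"
    return "unknown"


def assess(path: str) -> Assessment:
    """Run the real check (macOS only). spctl writes its verdict to stderr,
    so both streams are merged before parsing."""
    if shutil.which("spctl") is None:
        raise RuntimeError("spctl not available; this only runs on macOS")
    proc = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-vv", path],
        capture_output=True, text=True, check=False,
    )
    return parse_spctl(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for sample in (SAMPLE_DEVELOPER_ID, SAMPLE_APP_STORE, SAMPLE_UNSIGNED):
        a = parse_spctl(sample)
        verdict = "accepted" if a.accepted else "rejected"
        print(f"{a.path}: {verdict} -> {trust_level(a)}")
```

On a Mac, `assess("/Applications/SomeApp.app")` gives the live verdict; the useful signal for the discussion above is that "accepted" with `source=Developer ID` is the same verdict a signed malicious app would get, so it should not be read as "safe".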
So I am taking it that Better Touch Tool is not safe to use with High Sierra yet (and possibly on previous OSes?)

What about Google Chrome?
 
The point is the onus is on Apple to keep critical bugs like this out of their OS, which was required of them before they developed the concept of siphoning a percentage of revenue off independent software developers with an app store.

"Malicious third-party apps".

Those rarely, if ever, make it through the App Store review process. So this has nothing to do with the App Store-distributed apps.
I've never thought it was a good idea to update immediately until I see what kinds of issues there are ... and there are always issues with major updates. It's not until these things are on millions of devices that Apple can actually spot real bugs affecting many people. And it takes time for fixes to be released.

From what I've read, this is not limited to High Sierra. I was thinking the same thing — wait for the x.1 update — but now that I know this affects my current 10.12.6 system, and I've trusted Keychain to my passwords for 16 years, there really is no reason _not_ to update. Updating does not introduce this vulnerability. It was just reported that way, sadly.
 
How about all those people on this forum who called me a jerk for refusing to update immediately come read this article? This kind of thing is exactly why I stay a year behind.

It impacts older OSes too, so you are still exposed. Only difference is you have convinced yourself to use dated technology and features. Update day 1 and enjoy! Forget all the foolishness and live life!
 