ZDNet: Ex-NSA hacker drops macOS High Sierra zero-day hours before launch

Discussion in 'macOS High Sierra (10.13)' started by eric_n_dfw, Sep 25, 2017.

Thread Status:
Not open for further replies.
  1. eric_n_dfw macrumors 68000

    eric_n_dfw

    Joined:
    Jan 2, 2002
    Location:
    DFW, TX, USA
    #1
  2. sequential macrumors member

    Joined:
    Jul 12, 2015
    #2
    this is serious enough so it should be on front page on macrumors already.
     
  3. m4v3r1ck macrumors 68020

    m4v3r1ck

    Joined:
    Nov 2, 2011
    Location:
    The Netherlands
    #3
  4. UL2RA Suspended

    Joined:
    May 7, 2017
    #4
    Don't install any unsigned apps until the bug is fixed.
     
  5. eric_n_dfw thread starter macrumors 68000

    eric_n_dfw

    Joined:
    Jan 2, 2002
    Location:
    DFW, TX, USA
    #5
    I tend to agree. Emailed tips@macrumors.com about an hour ago with the Twitter post (before I knew about this ZD article) but haven't heard back. I assume they are researching/validating.
     
  6. UL2RA Suspended

    Joined:
    May 7, 2017
    #6
    From the article it just sounds like if you install an unsigned app you run the risk of this happening. But then again, there's always a risk of installing unsigned apps. This is still a serious security issue, though, obviously.
     
  7. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #7
    Is it just me, or what kind of jerk drops a 0-day on release day without notifying the vendor?

    A.
     
  8. UL2RA Suspended

    Joined:
    May 7, 2017
    #8
    The kind of person that wants publicity for their 0-day and to cause a bigger scare than is necessary.
     
  9. killawat macrumors 65816

    Joined:
    Sep 11, 2014
    #9
    Yeah if he was able to dump the keychain without auth....

    Ignore the fact that one has to sidestep gatekeeper.

    Using a signed version of the app won't really make a difference if the OS is allowing this.

    He probably did a variation of this that someone else posted:

    "security dump-keychain -d login.keychain > keychain.txt" (to dump all your keychain objects).

    Do this in terminal and you are prompted for each and every item in your keychain, unless you allow all initially.
     
  10. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #10
    Seems like we are all on the same page then.

    A.
     
  11. eric_n_dfw thread starter macrumors 68000

    eric_n_dfw

    Joined:
    Jan 2, 2002
    Location:
    DFW, TX, USA
    #11
    1. Who is to say he didn't notify them earlier and it was ignored?
    2. His demo video doesn't show how he did it, so posting is not providing the exploit to the masses.
    3. If it's real, then it does deserve to be known.
    4. I don't know that the app signature is something to dwell on here - if a publisher were to get hacked and this code injected into their app, the OS API should be protecting from access to this data and it's apparently not.
    --- Post Merged, Sep 25, 2017 ---
    It's on front page now, move discussion over there: https://www.macrumors.com/2017/09/25/macos-high-sierra-security-vulnerability/
     
  12. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #12
    Um, it is an unreleased OS - how much earlier could it be? Try as you might, the reporter is not looking too honorable at the moment.

    A.
     
  13. eric_n_dfw thread starter macrumors 68000

    eric_n_dfw

    Joined:
    Jan 2, 2002
    Location:
    DFW, TX, USA
    #13
    Very likely he's been on the beta, also possible he notified them days/weeks prior and since they didn't fix it he wanted to warn people before they upgraded.

    Also, according to his Twitter feed, it looks like it also impacts other versions, so this may not be a High Sierra-only issue. :(
     
  14. 0007776 Suspended

    0007776

    Joined:
    Jul 11, 2006
    Location:
    Somewhere
    #14
    I would hope he noticed it in the beta, and told them it would be released on launch day if they didn't fix it. Sometimes it takes a public release of an issue to press big companies into fixing bugs.
     
  15. Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #15
    I think it has been established that at least 90 days is the minimum reasonable time between notification and fix. It seems impossible that this time period has been respected. To be sure, I do not know one way or another, but given the information available the reporter seems to not be honorable.

    A.
     
  16. 0007776 Suspended

    0007776

    Joined:
    Jul 11, 2006
    Location:
    Somewhere
    #16
    Something this big means the OS probably shouldn't have been released without a fix, so I would think a deadline of release day would be reasonable no matter what time that is.
     
  17. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California