This looks very serious indeed! Thanks for the heads up!!!

Can some of the MacRumors superusers provide us less tech savvy users some fact-checking please?

Cheers
From the article it just sounds like if you install an unsigned app you run the risk of this happening. But then again, there's always a risk of installing unsigned apps. This is still a serious security issue, though, obviously.
Yeah if he was able to dump the keychain without auth....

Ignore the fact that one has to sidestep gatekeeper.

Using a signed version of the app won't really make a difference if the OS is allowing this.

He probably did a variation of this that someone else posted:

"security dump-keychain -d login.keychain > keychain.txt" (to dump all your keychain objects).

Do this in terminal and you are prompted for each and every item in your keychain, unless you allow all initially.
1. Who is to say he didn't notify them earlier and it was ignored?
2. His demo video doesn't show how he did it, so posting is not providing the exploit to the masses
3. If it's real, then it does deserve to be known.
4. I don't know that the app signature is something to dwell on here - if a publisher were to get hacked and this code injected into their app, the OS API should be protecting from access to this data and it's apparently not
It's on front page now, move discussion over there: https://www.macrumors.com/2017/09/25/macos-high-sierra-security-vulnerability/
 
Very likely he's been on the beta, also possible he notified them days/weeks prior and since they didn't fix it he wanted to warn people before they upgraded.

Also, according to his twitter feed, it looks like this also impacts other versions, so this may not be a High Sierra-only issue. :(
 
Is it just me, or what kind of jerk drops a 0-day on release day without notifying the vendor?

A.
I would hope he noticed it in the beta, and told them it would be released on release day if they didn't fix it. Sometimes it takes a public release of an issue to press big companies into fixing bugs.
 
I would hope he noticed it in the beta, and told them it would be released on release day if they didn't fix it. Sometimes it takes a public release of an issue to press big companies into fixing bugs.

I think it has been established that at least 90 days is the minimum reasonable time between notification and fix. It seems impossible that this time period has been respected. To be sure, I do not know one way or another, but given the information available the reporter seems to not be honorable.

A.
 
I think it has been established that at least 90 days is the minimum reasonable time between notification and fix. It seems impossible that this time period has been respected. To be sure, I do not know one way or another, but given the information available the reporter seems to not be honorable.

A.
Something this big means the OS probably shouldn't have been released without a fix, so I would think a deadline of release day would be reasonable no matter what time that is.
 