Brand New MacOS ‘High Sierra’ Update Has Zero Day Vulnerability
Apple today launched the newest version of its MacOS operating system following months of anticipation, just as a cyber security researcher announced he had discovered a zero-day bug that lets an attacker dump the plaintext passwords stored in the Mac keychain.
The MacOS High Sierra update had been in beta since June and includes improvements to the file system, photo editing, Siri, graphics processing and virtual reality capability.
But hours before its release this morning, Patrick Wardle, an ex-NSA analyst who now works as head of research at security firm Synack, tweeted a video he made of a new exploit that reads the contents of the keychain without supplying the master password that normally unlocks it.
“(On) High Sierra (unsigned) apps can programmatically dump (and) exfil keychain (with your plaintext passwords),” Wardle’s tweet said.
One Twitter user asked Wardle whether the vulnerability is only present in the newly released High Sierra, or whether it extends to the previous OS, Sierra, and older versions.
“Other versions of MacOS are vulnerable too,” Wardle replied. “Not sure what (Apple) is thinking.”
The password exfiltration exploit begins by getting malicious code onto the desktop or laptop, for example as an unsigned app delivered via email.
In the video, Wardle demonstrates a local exploit using an app he built, dubbed “keychainStealer,” which, once launched, reads and exfiltrates the contents of the Apple keychain.
In the real world, the malware could be introduced through traditional phishing and social engineering techniques.
The keychain lets users store passwords for websites and applications – including social media, banking and other sensitive portals – and often holds every password the user has saved on that Mac.
Typically, a master password is required to unlock the keychain, but Wardle’s exploit enables the exfiltration without that master password.
Wardle told ZDNet that he informed Apple of the vulnerability earlier this month but that the patch was not made available in time for today’s release.
“I felt that users should be aware of the risks that are out there,” he’s quoted as saying. “I’m sure sophisticated attackers have similar capabilities.”
Apple issued a statement to ZDNet’s sister publication, CNET, warning MacOS users against installing unsigned apps, but offering no timetable for when a patch would be available.
“(Anti-malware feature) Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval,” Apple’s statement said, according to the report. “We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”
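Apple’s advice amounts to “let Gatekeeper decide.” As an added check, not part of the article and not Wardle’s proof of concept, the script below asks Apple’s own tools the two questions an administrator would want answered before trusting a downloaded bundle: is Gatekeeper actually switched on, and does the bundle carry a usable signature? The bundle path and the sample output lines fed to the parsing functions are assumptions; `spctl`, `codesign` and their flags are Apple’s, and their one-line verdict format (“accepted”/“rejected” followed by a `source=` line) is what they print on a real Mac.

```shell
#!/bin/sh
# Added example (not from the article or from Wardle's keychainStealer):
# a pre-install check that asks Gatekeeper (spctl) and codesign whether an
# app bundle is signed and would be allowed to launch. The bundle path is
# an assumption; spctl, codesign and their output formats are Apple's.

# Reduce the line printed by `spctl --status` to one word.
# Real output is "assessments enabled" or "assessments disabled".
gatekeeper_status() {
    case "$1" in
        *"assessments enabled"*)  echo enabled ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Reduce `spctl --assess --type execute -v <app>` output to "verdict|source".
# Typical real output (constructed sample lines in the same shape):
#   /Applications/Foo.app: accepted
#   source=Developer ID
# or, for an unsigned bundle like the one in the proof of concept:
#   /tmp/keychainStealer.app: rejected
#   source=no usable signature
gatekeeper_verdict() {
    verdict=unknown
    case "$1" in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
    esac
    source=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
    printf '%s|%s\n' "$verdict" "${source:-unknown}"
}

# Full check against a real bundle. Returns 0 only when Gatekeeper is on,
# the bundle is accepted, and its signature verifies strictly; 2 when the
# Apple tools are not present (i.e. this is not a Mac).
check_app() {
    app="$1"
    for tool in spctl codesign; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "$tool not found (not macOS?)" >&2; return 2; }
    done
    status=$(gatekeeper_status "$(spctl --status 2>&1)")
    [ "$status" = enabled ] || { echo "Gatekeeper is $status" >&2; return 1; }
    result=$(gatekeeper_verdict "$(spctl --assess --type execute -v "$app" 2>&1)")
    [ "${result%%|*}" = accepted ] || {
        echo "Gatekeeper rejected $app (${result#*|})" >&2; return 1; }
    codesign --verify --deep --strict "$app" 2>/dev/null || {
        echo "signature on $app does not verify" >&2; return 1; }
    echo "$app: accepted (${result#*|}), signature verifies"
}

# Usage: sh check_app.sh /Applications/Foo.app   (path is an assumption)
if [ "$#" -gt 0 ]; then
    check_app "$1"
fi
```

Note what this check does and does not cover: a “rejected” verdict with “no usable signature” is exactly the case Apple’s statement describes, where Gatekeeper blocks the launch until the user explicitly overrides it. It says nothing about a signed app that misbehaves once running, and the article does not claim that signing alone closes the keychain bug, only that unsigned apps are the ones Gatekeeper stops by default.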
Send tips and news to MSPmentorNews@Penton.com.