Slashdot Mirror


Apple Releases macOS High Sierra; Ex-NSA Hacker Publishes Zero-Day

Apple today released the newest version of its operating system for Macs, macOS High Sierra, to the public. macOS High Sierra is a free download, and offers a range of new features and improvements including the new Apple File System, and support for High Efficiency Video Encoding (HEVC) for better compression without loss of quality, and HEIF for smaller photo sizes. Zack Whittaker, reporting for ZDNet: Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, posted a video of the hack -- a password exfiltration exploit -- in action. Passwords are stored in the Mac's Keychain, which typically requires a master login password to access the vault. But Wardle has shown that the vulnerability allows an attacker to grab and steal every password in plain-text using an unsigned app downloaded from the internet, without needing that password.

4 of 53 comments

  1. Let's retire 'drop' by RightwingNutjob · Score: 4, Insightful

    It's ambiguous and sometimes can mean the exact opposite of the intended message, especially when used in short click-baity headlines. How about 'publishes,' 'releases,' or 'exposes' here?

    1. Re: Let's retire 'drop' by Geoffrey.landis · Score: 5, Informative

      Seems odd that two only slightly related news stories are concatenated into a single /. post.
      The keychain hack seems to be working on any Mac OS, not just High Sierra.

      --
      http://www.geoffreylandis.com
  2. Let's be clear this affects older OS X as well by Anonymous Coward · Score: 5, Informative

    This hack affects High Sierra as well as older versions according to the article. The title of this implies that this is specifically something related only to the new OS.

  3. Big security flaw that needs to be fixed by 93 Escort Wagon · Score: 4, Informative

    However the user does need to download and run the app - so the current iteration isn't problematic (nor is it intended to be). And, since it's unsigned, I'm assuming it won't work for most users by default - unless, like me, you change that setting.

    I'm certain we'll see this weapon used soon enough, though... and we regularly do see users get manipulated into running things they shouldn't, even when lots of warning boxes pop up along the way. Plus it's always possible there's another way to exploit the flaw which doesn't have to run under the specific user's account.

    --
    #DeleteChrome