Monday September 25, 2017

Apple Releases macOS High Sierra; Ex-NSA Hacker Publishes Zero-Day

Patrick Wardle a former NSA hacker showed off a zero-day exploit in macOS High Sierra that allows an attacker to steal every password stored in the Keychain without needing a master login password. He reported the bug to Apple earlier this month, but the patch did not make it into the release of High Sierra today.

News Image

Kinda crazy that Apple would let an exploit like this walk out the door. Even more crazy is Wardle found another zero-day exploit in High Sierra earlier this month, that one showing that the secure kernel extension loading feature is vulnerable to bypass. He also has released a video of the keychain hack, which can be found here

"As a passionate Mac user, I'm continually disappointed in the security of macOS," he said. "I don't mean that to be taken personally by anybody at Apple -- but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there I'm sure sophisticated attackers have similar capabilities. Apple marketing has done a great job convincing people that macOS is secure, and I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable."