- #Mac keychain access vulnerability update#
- #Mac keychain access vulnerability Patch#
- #Mac keychain access vulnerability upgrade#
- #Mac keychain access vulnerability password#
This post originally appeared on Tom's Guide. Even Elon Musk’s Tesla has such a program in place to increase the security of his internet-connected electric cars. Henze thinks this is dumb and unfair - not to mention indicative of Apple’s lack of serious commitment to their computer OS’ security - and therefore has decided not to share the bug procedure, calling others to do the same.Įstablishing security hole bounty programs is a regular practice in the computer industry because it promotes increased security, giving a lot of smart people a reason to invest their time in finding problems. While Apple offers rewards to people who find hacking vulnerabilities in iOS, it doesn’t offer the same program for macOS computers.
#Mac keychain access vulnerability password#
Of course, if youve chosen such a poor password that someone could guess it, you can hardly call that a system vulnerability however, being mac-savvy, the thief opens keychain access and selects my System keychain and unlocks it.
The reason: Henze is protesting Apple’s lack of security bounties for macOS. The attacker would have to guess your login password to get access to that keychain. That opening was closed by Apple, but this one hasn’t yet - and it may not be patched for quite a bit of time. This is the second big breach in macOS Keychain’s security, which already suffered another serious vulnerability back in September 2017.
#Mac keychain access vulnerability update#
There are no news about Apple acknowledging this problem yet, but we have contacted them and we update this article with whatever they say.
#Mac keychain access vulnerability upgrade#
However, some users are unable to upgrade from Sierra to High Sierra until compatible versions of the applications they use are released, eg Adobe Illustrator.Īnd sometimes it appears that seemingly important security patches get thrown into the "too hard" basket – for example, the Broadpwn issue was only addressed in Sierra (and later), but it has been shown to affect Yosemite and El Capitan, and not all Macs running Yosemite can be upgraded to Sierra.Fortunately, the iCloud keychain is not affected.
#Mac keychain access vulnerability Patch#
The company's position - which can only be inferred from what it does and does not release - seems to be that if a newer version of an operating system has the same hardware requirements as its predecessor, it feels no compulsion to offer a patch for the latter. There is no indication from Apple that a fix will be forthcoming for those versions. The update is available via the Mac App Store or from Apple's website.īut according to Wardle, macOS Sierra 10.12 is also vulnerable, and "El Capitan appears vulnerable as well". Non-security changes in the update "Improves installer robustness", "Fixes a cursor graphic bug when using Adobe InDesign", and "Resolves an issue where email messages couldn’t be deleted from Yahoo accounts in Mail". So if you did set a hint, then if anyone has had physical access to your computer after High Sierra was installed it might be wise to investigate changing the disk encryption password. If we're reading that correctly, it means that someone asking for the password hint was actually shown the password instead. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints." The update also addresses another password-related issue in High Sierra: "If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by requiring the user password when prompting for keychain access."
The issue is described thus: "A method existed for applications to bypass the keychain access prompt with a synthetic click.
At least it wasn't remotely exploitable, but over the years some Mac users have been taken in by various Trojans, so there was a practical route for exploiting the vulnerability.Īpple released macOS High Sierra 10.13 Supplemental Update overnight to patch the vulnerability, crediting Wardle as the discoverer. Just before High Sierra was released, security researcher Patrick Wardle disclosed the existence of a vulnerability that allowed an application to extract in plaintext form all the passwords stored in a keychain.ĭespite Wardle's detailed private notification, Apple went ahead and released High Sierra with this vulnerability.
0 kommentar(er)
