Security Market Segment LS
Friday, 06 October 2017 10:06

Apple fixes Keychain vulnerability, but only in macOS High Sierra

By

The zero-day vulnerability in macOS's Keychain has been addressed by Apple, along with some other issues in High Sierra. But other recent versions of the operating system are still vulnerable.

Keychain is a convenient feature of macOS that provides encrypted storage for passwords, cryptographic keys, certificates and other sensitive information.

The Keychain feature makes provision for multiple keychains (sets of passwords, etc), but in practice most users store their data in the login keychain, which by default has the same password as that used to log into the system.

Normally, when applications add passwords to a keychain, they limit access to themselves and related software. For example, the password used by Safari to decrypt autofill data is only accessible by Safari, while a password used to connect to a SMB server is available to NetAuth, NetAuthAgent and NetAuthSysAgent.

Just before High Sierra was released, security researcher Patrick Wardle disclosed the existence of a vulnerability that allowed an application to extract in plaintext form all the passwords stored in a keychain.

Despite Wardle's detailed private notification, Apple went ahead and released High Sierra with this vulnerability. At least it wasn't remotely exploitable, but over the years some Mac users have been taken in by various Trojans, so there was a practical route for exploiting the vulnerability.

Apple released macOS High Sierra 10.13 Supplemental Update overnight to patch the vulnerability, crediting Wardle as the discoverer.

The issue is described thus: "A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access."

The update also addresses another password-related issue in High Sierra: "If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints."

If we're reading that correctly, it means that someone asking for the password hint was actually shown the password instead. So if you did set a hint, then if anyone has had physical access to your computer after High Sierra was installed it might be wise to investigate changing the disk encryption password.

Non-security changes in the update "Improves installer robustness", "Fixes a cursor graphic bug when using Adobe InDesign", and "Resolves an issue where email messages couldn’t be deleted from Yahoo accounts in Mail".

The update is available via the Mac App Store or from Apple's website.

But according to Wardle, macOS Sierra 10.12 is also vulnerable, and "El Capitan appears vulnerable as well".

There is no indication from Apple that a fix will be forthcoming for those versions. The company's position — which can only be inferred from what it does and does not release — seems to be that if a newer version of an operating system has the same hardware requirements as its predecessor, it feels no compulsion to offer a patch for the latter.

However, some users are unable to upgrade from Sierra to High Sierra until compatible versions of the applications they use are released, eg Adobe Illustrator.

And sometimes it appears that seemingly important security patches get thrown into the "too hard" basket – for example, the Broadpwn issue was only addressed in Sierra (and later), but it has been shown to affect Yosemite and El Capitan, and not all Macs running Yosemite can be upgraded to Sierra.


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Stephen Withers

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments