Apple issues statement on serious Keychain zero day bug
By: Tom Manning - September 26, 2017

A very serious security bug was discovered in the Apple MacOS Keychain. It makes it possible for an attacker to get every password in the Keychain without requiring your password. Patrick Wardle, Synack’s head of research, was able to write some code that extracts passwords from the Keychain. He posted a video of it on Vimeo.

The security issue is very serious, yet Apple's statement seems inadequate.

Apple's statement reads:

“macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”

Apple is correct that it is best to use Gatekeeper, but something as serious as Keychain should be able to withstand attack. I'm sure Apple will indeed patch this hole, but they should have admitted the seriousness of it, and indicated a timeframe for a patch. instead, the statement seems to insinuate that anyone not running Gatekeeper is at fault. Not cool, Apple!

Just fix it please.

Share This:

blog comments powered by Disqus

Mobile Home | Desktop View | Forums | Store
Android | BlackBerry | iPhone
Palm | Windows | All

Copyright © 2002-2015 - Small Computing Group, LLC