Mac|Life

Security concerns with macOS High Sierra

Apple patches vulnerabilities in keychain and encrypted APFS volumes

- By Rob Mead-Green

Update your Mac now!

Two surprising security lapses have emerged in macOS High Sierra, with one potentially affecting older versions of macOS and OS X as well.

The first vulnerability, affecting the keychain, was discovered by Patrick Wardle, formerly of the NSA and now director of research at Synack, while trying out a beta build of macOS High Sierra. Using a proof-of-concept program he developed, called keychainStealer, Wardle was able to display plaintext passwords stored in the keychain for Bank of America, Facebook, and Twitter. Wardle posted a video of the flaw on Vimeo (bit.ly/macoskeystealer) and notified Apple about the concern.

Worryingly, Wardle said it would be relatively easy to install a program like keychainStealer. “Most attacks we see today involve social engineering and seem to be successful targeting Mac users,” Wardle told Forbes. “I’m not going to say the [keychain] exploit is elegant – but it does the job, doesn’t require root [access] and is 100 percent successful.”

Wardle said the exploit would work on any Mac where someone was already logged in, and that older versions of the system may also be affected.

Wardle published his findings on September 25, the same day macOS High Sierra was made available on the Mac App Store. Apple issued a patch for the vulnerability 10 days later, on October 5. It also patched another surprising error that affected encrypted Apple File System (APFS) volumes.

Discovered by developer Matheus Mariano, the APFS bug displays in plain text the password you’ve used to encrypt a drive, showing it in the password hint box right below the place where you’re meant to enter it – an incredible oversight by Apple’s engineers.

Using macOS’s Disk Utility, Mariano created an encrypted APFS volume, set a password and a hint for it, then unmounted the volume before remounting it. When he clicked the “Show Hint” button, the password he had set appeared in plain text, rather than the hint he expected. Because the startup disk in Macs that have an internal SSD is automatically converted to APFS, this affects many modern MacBooks.

You can make sure you’re protected from both of these vulnerabilities by updating macOS High Sierra to the latest version via the Mac App Store. To find out more about the security content of Apple’s macOS High Sierra 10.13 Supplemental Update, point your browser at bit.ly/mlmhsupd.

Though the two High Sierra issues have serious implications, a fix is already available.
