Apple has launched the latest version of macOS, High Sierra, with an unpatched zero-day vulnerability in place, a worrying state of affairs even though the flaw theoretically won’t affect the majority of users (at least those who take heed of Gatekeeper’s warnings).
The exploit was discovered by Patrick Wardle, chief security researcher at Synack, and also affects earlier versions of macOS (and OS X for that matter).
It can be delivered by an unsigned app, and is capable of hoovering up all the passwords stored in the macOS keychain (in plain text, so fully readable), without needing the master password normally required to access the keychain. The user won’t realize anything bad has happened.
Of course, if you try to install an unsigned app under macOS, the operating system will warn you against proceeding. And that’s exactly what Apple pointed out in its defense.
As ZDNet reports, the company stated: “MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval.
“We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”
However, Wardle reported the exploit earlier this month, and is disappointed that Apple hasn’t managed to fix the problem for the launch of High Sierra, given that this is a nasty bug that can whip away all your passwords.
And there’s always the prospect of some nefarious type managing to get the exploit into a digitally signed app, which has happened in the past (using a falsified registration for Apple’s developer program, or indeed simply stolen developer credentials). That would make this threat far more dangerous, of course.
On the subject of revealing the vulnerability before it has been patched, Wardle told ZDNet: “As a passionate Mac user, I'm continually disappointed in the security of macOS … every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there – I'm sure sophisticated attackers have similar capabilities.”
Hopefully, now the malware cat is out of the bag in this case, Apple will move swiftly to issue a patch. In the meantime, be careful what you’re installing on your Mac (although that should be your default perspective on software downloads anyway).