Here’s Why You Should NOT Upgrade to macOS High Sierra Today – Critical, Password-Stealing Security Bug Discovered
Correction: The exploit affects other macOS versions too, including the latest High Sierra; it is not specific to High Sierra alone. Apple has actually fixed a number of critical security flaws in macOS 10.13, making it an important update.
Apple has today released a new macOS version, dubbed macOS High Sierra. While you might be excited to upgrade your Macs right away, a security researcher has already dropped a zero-day vulnerability.
NSA hacker drops macOS High Sierra zero-day
Apple's new version of its desktop and notebook operating system, macOS High Sierra, is now available to the public. Just before the release, Patrick Wardle, a former NSA hacker who is currently a chief security researcher at Synack and makes a regular appearance in security-related news, posted a video (shared at the end of this post) of a password exfiltration exploit that affects the latest macOS High Sierra.
Using this security vulnerability lurking in the new operating system, a hacker can steal passwords from Macs that are running it. Thanks to this macOS High Sierra vulnerability, passwords stored in the Apple Keychain, which should typically require a master login password, are now open to hackers, and in plain text at that!
"Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords," Wardle said. "Normally you are not supposed to be able to do that programmatically."
The exploit appears to be a second-stage payload, as it would require an initial hack that runs malicious code on a macOS High Sierra device. Wardle added that it is no longer difficult to get rogue code running on a Mac.
"Most attacks we see today involve social engineering and seem to be successful targeting Mac users," he said. "I'm not going to say the [new] exploit is elegant - but it does the job, doesn't require root and is 100% successful."
Wardle managed to force Keychain to give up passwords of Facebook, Twitter and Bank of America using his "keychainStealer" app.
Apple doesn't run a bug bounty program for its desktop operating system, only offering rewards of up to $200,000 for high-end secure boot firmware exploits found in iPhone and iPad. Wardle suggested that Apple needs to launch a macOS bug bounty program, as well.
Due to obvious security concerns, Wardle hasn't released the exploit code but has shown it working in a video. Apple will eventually patch the security issue, but until that happens it would be wise not to upgrade to the latest macOS High Sierra right away.