Mariano’s bug was one of two vulnerabilities addressed in the out-of-band fix. The other was a vulnerability disclosed shortly before the release of High Sierra last week that allowed attackers to dump plaintext passwords from the macOS keychain.
Researcher Patrick Wardle, chief security researcher at Synack, privately disclosed the bug to Apple in early September and said it is also present in Sierra and likely in El Capitan as well.
Wardle cautioned last week that there was a low barrier to entry for attackers to exploit this issue once they already had a foothold on a machine.
The macOS Keychain is a critical security component for authentication. It’s an encrypted container that stores system usernames and passwords as well as credentials for applications and web-based services. It can also store payment card data, banking PINs and other secrets. Accompanying Keychain is Keychain Access, the utility for viewing and managing the items stored in the keychain; applications such as Safari read saved credentials from the keychain so the user does not have to enter them over and over on the web.
Wardle and other researchers were critical of Apple’s response to the initial disclosure, which recommended Gatekeeper to users as an adequate mitigation against the Keychain attack. While this might be true against unsigned malware (by default, Gatekeeper refuses to run downloaded apps that lack a valid developer signature), it ignores the many attacks carried out using legitimate Apple developer certificates to sign malware: an app with a valid Developer ID signature passes Gatekeeper regardless of what its code does.
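The practical consequence is that a Gatekeeper "accepted" verdict only says the signature is valid, not that the signer is who you expect. The check below, an added example that is not code from the article or from Wardle, reads the output of the real macOS tools `spctl --assess` and `codesign -dvv` and compares the signing Team ID against the one the vendor publishes. The sample tool output and the Team IDs are constructed for illustration and do not come from any real incident; on a Mac, `live_check()` runs the tools against an actual bundle.

```python
"""Gatekeeper says only that a signature is valid, not who holds the cert.
Parse spctl/codesign output and compare the signing Team ID with the one
expected for the app. Sample output below is constructed so the checks run
anywhere; live_check() invokes the real tools on macOS."""
import re
import shutil
import subprocess

# Constructed sample output (not captured from any real incident): a bundle
# that Gatekeeper accepts because it carries a valid Developer ID signature,
# but whose Team ID is not the one the vendor publishes.
SAMPLE_SPCTL = "/Applications/Example.app: accepted\nsource=Developer ID\n"
SAMPLE_CODESIGN = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Some Other Dev (ZZZZZ99999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999
"""
EXPECTED_TEAM = "ABCDE12345"  # hypothetical Team ID the vendor publishes


def parse_spctl(text):
    """Return (verdict, source) from `spctl --assess --type execute -v` output."""
    m = re.search(r":\s*(accepted|rejected)\s*$", text, re.M)
    verdict = m.group(1) if m else "unknown"
    s = re.search(r"^source=(.+)$", text, re.M)
    return verdict, (s.group(1).strip() if s else "")


def parse_codesign(text):
    """Return the Authority chain and TeamIdentifier from `codesign -dvv` output."""
    authorities = re.findall(r"^Authority=(.+)$", text, re.M)
    team = re.search(r"^TeamIdentifier=(.+)$", text, re.M)
    return {"authorities": authorities, "team": team.group(1).strip() if team else None}


def assess(spctl_text, codesign_text, expected_team):
    """Combine both outputs into a decision a triage script can act on."""
    verdict, source = parse_spctl(spctl_text)
    sig = parse_codesign(codesign_text)
    if verdict != "accepted":
        return {"status": "blocked_by_gatekeeper", "reason": source, **sig}
    # "accepted" means validly signed, which is exactly what a trojaned
    # release signed with a real developer certificate looks like.
    if sig["team"] != expected_team:
        return {"status": "accepted_but_unexpected_signer",
                "reason": "Team ID %s != expected %s" % (sig["team"], expected_team),
                **sig}
    return {"status": "ok", "reason": source, **sig}


def live_check(bundle_path, expected_team):
    """Run the real tools (macOS only). codesign prints its details on stderr."""
    if not shutil.which("spctl") or not shutil.which("codesign"):
        raise RuntimeError("spctl/codesign not available; not running on macOS")
    spctl = subprocess.run(["spctl", "--assess", "--type", "execute", "-v", bundle_path],
                           capture_output=True, text=True)
    cs = subprocess.run(["codesign", "-dvv", bundle_path],
                        capture_output=True, text=True)
    return assess(spctl.stdout + spctl.stderr, cs.stderr, expected_team)


if __name__ == "__main__":
    print(assess(SAMPLE_SPCTL, SAMPLE_CODESIGN, EXPECTED_TEAM)["status"])
```

Feeding the constructed sample through `assess()` yields `accepted_but_unexpected_signer`: Gatekeeper lets the bundle run, and only the Team ID comparison flags it. This is the "secondary line of defense" a deployment script or endpoint agent can add that Gatekeeper alone does not provide.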
“That prerequisite of getting initially infected is a high prerequisite,” Wardle said. “That’s the area of focus and probably why Apple responded with Gatekeeper. That wouldn’t have been my response. But I like where they’re going in terms of being careful where you’re downloading apps from and following good security practices. Unfortunately we are seeing things like legitimate applications and websites getting hacked (Handbrake, Transmission). And in those scenarios, those are signed apps being hosted on legitimate websites and the user is pretty much done.
“I think it’s important for Apple to build in these secondary lines of defenses where even if that happens when something tries to hijack the keychain, it’s pretty much blocked.”