MacOS High Sierra has a critical vulnerability revealed on the very day of the release of the new version of the operating system for the company Apple Lossless Audio CODEC (ALAC),, being available since last night. A former NSA researcher discovered this vulnerability in macOS High Sierra, demonstrating how to exploit it in the video clip below, so Apple knows about its existence, so it can fix it quickly.
macOS High Sierra has a vulnerability that can display Keychain usernames and passwords in clear text even without using the operating system administrator password. It seems that only unsigned applications are vulnerable in macOS High Sierra and previous versions of the operating system, so applications available in the AppStore should not be affected by this disclosed problem.
macOS High Sierra – critical vulnerability disclosed
macOS High Sierra cannot be easily exploited, because the user must be tricked into installing malware on the Mac, ignoring security warnings and disabling Gatekeeper beforehand. The researcher claims that the exploit is not as difficult as it seems, but in reality it is hard to say how right he is, and macOS High Sierra must have the vulnerability repaired by Apple.
macOS High Sierra did not have the source code of the exploit revealed by the computer security researcher, so the vulnerability cannot be exploited by any hacker for now. Apple will fix the vulnerability in a future update for macOS High Sierra, so it remains to be seen how long it will take until it is offered, even if not many people are affected by its existence.
"Without root privileges, if the user is logged in, I can dump and exfiltrate the keychain, including plaintext passwords. Normally you are not supposed to be able to do that programmatically. Most attacks we see today involve social engineering and seem to be successfully targeting Mac users.”
