Please visit the new Mac-Forums Facebook page:
https://www.facebook.com/macforums1




Page 1 of 2 12 LastLast
Results 1 to 15 of 17
  1. #1
    Keychain exploit in the wild?
    Cr00zng's Avatar
    Member Since
    Jan 01, 2014
    Posts
    338
    Your Mac's Specs
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Rep Power
    6
    Keychain exploit in the wild?
    If a video of keychain exploit available on Youtube, it's pretty safe to say that it is in the wild already...



    Is there a timeframe for Apple to patch this vulnerability?

  2. #2
    Keychain exploit in the wild?
    chscag's Avatar
    Member Since
    Jan 23, 2008
    Location
    Keller, Texas
    Posts
    58,854
    Your Mac's Specs
    2017 27" iMac, 10.5" iPad Pro, iPhone 7+, iPhone 8, Numerous iPods, Mojave
    Rep Power
    53
    I believe Apple is already aware of the vulnerability but have not heard of any forthcoming patches or fixes. We will add on to this thread if we hear anything.

    Apparently, the individual who discovered this exploit or vulnerability is refusing to disclose it to Apple because he's unhappy with Apple's policy of rewarding bug exploit finders who discover the nasties only in iOS and not macOS.

    The whole saga of this sounds childish and silly. You can read more on this by doing a google search for "keychain exploit".
    Last edited by chscag; 02-08-2019 at 10:10 PM. Reason: More info added.

  3. #3
    Keychain exploit in the wild?
    Cr00zng's Avatar
    Member Since
    Jan 01, 2014
    Posts
    338
    Your Mac's Specs
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Rep Power
    6
    Well, the 10.14.4 version released on February 7th has addressed Face Time, CVE-2019-7286 and CVE-2019-7287 vulnerabilities, privilege escalation and arbitrary code execution respectively. Maybe it had been addressed already...

    The fact that Apple specifies Face Time, but not keychain in their HT209520 makes me doubt that this vulnerability had been addressed in 10.14.4.

    As for childish...

    The "kid" has a point, even if I don't agree with the way he expresses it. He could also sell this exploit to number of exploit broker, like Zerodium, for substantially more than whatever the Apple reward might be for macOS exploit. To my knowledge, he did not as of yet at least. There's that...

  4. #4
    Keychain exploit in the wild?
    chscag's Avatar
    Member Since
    Jan 23, 2008
    Location
    Keller, Texas
    Posts
    58,854
    Your Mac's Specs
    2017 27" iMac, 10.5" iPad Pro, iPhone 7+, iPhone 8, Numerous iPods, Mojave
    Rep Power
    53
    The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.

  5. #5
    Keychain exploit in the wild?
    ferrarr's Avatar
    Member Since
    May 21, 2012
    Location
    Pawtucket, RI, US
    Posts
    6,816
    Your Mac's Specs
    L2014 Mac mini macOS 15, iPhone 8+ iOS 13, 12.9" iPad Pro 1 iPadOS 13,  Pencil 1
    Rep Power
    13
    Quote Originally Posted by chscag View Post
    The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.
    Only Apple?

    Some people prefer to complain a lot louder about Apple, because of their success, and the way they prefer to keep their environment secured.
    -- Bob --
    Please backup. Everything has a life cycle, unexpected and warning free. Nothing will last as long as you want it to.

  6. #6
    Keychain exploit in the wild?
    MacInWin's Avatar
    Member Since
    Jan 01, 2009
    Location
    Winchester, VA
    Posts
    6,775
    Your Mac's Specs
    MBP 15" Mid 2015, iPhone 11 Pro, an iMac, plus ATVs, AWatch, MacMini
    Rep Power
    27
    I don't see the threat. Yes, this guy has demonstrated that if the thief is logged into my system (I use a very powerful password for that), and if he/she has installed the KeySteal code on my machine (needing my Admin password to install it, another strong pass phrase) then he can get my passwords. But he's already got my password and my admin pass phrase just to get to where he can run KeySteal, so what is the threat? Just use the admin password and Keychain Access directly.
    Jake

  7. #7
    Keychain exploit in the wild?
    Cr00zng's Avatar
    Member Since
    Jan 01, 2014
    Posts
    338
    Your Mac's Specs
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Rep Power
    6
    Quote Originally Posted by chscag View Post
    The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.
    My bad, the version is 10.14.3 on my macOS...

  8. #8
    Keychain exploit in the wild?
    Cr00zng's Avatar
    Member Since
    Jan 01, 2014
    Posts
    338
    Your Mac's Specs
    MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
    Rep Power
    6
    Quote Originally Posted by MacInWin View Post
    I don't see the threat. Yes, this guy has demonstrated that if the thief is logged into my system (I use a very powerful password for that), and if he/she has installed the KeySteal code on my machine (needing my Admin password to install it, another strong pass phrase) then he can get my passwords. But he's already got my password and my admin pass phrase just to get to where he can run KeySteal, so what is the threat? Just use the admin password and Keychain Access directly.
    I agree with you, but...

    In the video, the KeySteal app is a full blown app with GUI. What if the KeySteal code converted in to a script, with no actual notification to the end user, for remote exploit via the browser or any other means? From my perspective, that's possible as long as the vulnerability utilized by this app exists. I hope not...

  9. #9
    Keychain exploit in the wild?
    MacInWin's Avatar
    Member Since
    Jan 01, 2009
    Location
    Winchester, VA
    Posts
    6,775
    Your Mac's Specs
    MBP 15" Mid 2015, iPhone 11 Pro, an iMac, plus ATVs, AWatch, MacMini
    Rep Power
    27
    Sure, but that is a what, if, maybe, could, possible, threat. The ACTUAL threat is probably really low. I have a lot more things to worry about than a maybe, could, possibly, if, threat. Would I prefer that there not be a hole in Keychain? Sure, and I'm also sure Apple will plug that hole. But in the meantime, using a VPN, strong passwords and pass phrases and good browsing habits will keep me as safe as I can be.
    Jake

  10. #10
    Quote Originally Posted by chscag View Post
    The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.
    Sorry, is this confirming that Apple patched this keychain exploit on Feb 7 in release 10.14.3?

    Regardless, has this been appropriately patched by Apple as yet?

  11. #11
    Keychain exploit in the wild?
    MacInWin's Avatar
    Member Since
    Jan 01, 2009
    Location
    Winchester, VA
    Posts
    6,775
    Your Mac's Specs
    MBP 15" Mid 2015, iPhone 11 Pro, an iMac, plus ATVs, AWatch, MacMini
    Rep Power
    27
    FYI, macOS is up to 10.14.5 now. Have no idea about what got patched.
    Jake

  12. #12
    Keychain exploit in the wild?
    pm-r's Avatar
    Member Since
    Oct 16, 2010
    Location
    Brentwood Bay, BC, Canada
    Posts
    12,292
    Rep Power
    20
    FYI, macOS is up to 10.14.5 now. Have no idea about what got patched.

    According to reports such as these, I'm sure Apple has everything well under control by now, at least I would expect so:
    Researcher provides Apple with details (and fix) for Keychain flaw
    BY KILLIAN BELL • 5:16 AM, MARCH 4, 2019
    Researcher provides Apple with details (and fix) for Keychain flaw

    And Wired says yes, all fixed:
    LILY HAY NEWMAN SECURITY
    06.01.1905:00 AM
    THE TRICKY SHENANIGANS BEHIND A STEALTHY APPLE KEYCHAIN ATTACK

    Dubbed KeySteal, the attack called attention to the fact that the macOS keychain makes a very attractive target for hackers. Apple patched the flaw that KeySteal was exploiting at the end of March.
    The Shenanigans Behind a Stealthy Apple Keychain Attack | WIRED

    So, all done, just carry on.



    - Patrick
    ======

  13. #13
    Quote Originally Posted by pm-r View Post
    According to reports such as these, I'm sure Apple has everything well under control by now, at least I would expect so:
    Researcher provides Apple with details (and fix) for Keychain flaw
    BY KILLIAN BELL 5:16 AM, MARCH 4, 2019
    Researcher provides Apple with details (and fix) for Keychain flaw

    And Wired says yes, all fixed:
    LILY HAY NEWMAN SECURITY
    06.01.1905:00 AM
    THE TRICKY SHENANIGANS BEHIND A STEALTHY APPLE KEYCHAIN ATTACK


    The Shenanigans Behind a Stealthy Apple Keychain Attack | WIRED

    So, all done, just carry on.



    - Patrick
    ======
    I've had keychain disabled for a long time now having already read some of the issues flagged in this article (Thx Patrick) and from other sources. However this article points out that because of the seamless integration of keychain with the mac OS, it may still be saving many of my passwords. I'm interested to know what kinds of passwords it saves under these circumstances. Does it just save passwords entered for local content (apps etc.) or just web entered password in Firefox/Safari etc? or both? What about your Login password? Does it get saved too?

    Regards,

    Macced

  14. #14
    Keychain exploit in the wild?
    pm-r's Avatar
    Member Since
    Oct 16, 2010
    Location
    Brentwood Bay, BC, Canada
    Posts
    12,292
    Rep Power
    20
    I'm interested to know what kinds of passwords it saves under these circumstances.

    Why not open it up and have a look at the various entries you have in there.

    Any names or password it contains should give you a pretty good idea of what you might have saved in there and what might have been used to put them there.

    Then there'e awways google to use for searching on more technical data and how it all works.

    If you've ever had any problems with Keychain Access I think you'd have some pretty good respect on its protection integrity and how it works to protect you.


    Why not open it and read some of its Help topics starting with the About Keychain Access thread.



    - Patrick
    ======

  15. #15
    Keychain exploit in the wild?
    Randy B. Singer's Avatar
    Member Since
    Feb 01, 2011
    Location
    Sacramento, California
    Posts
    1,614
    Rep Power
    12
    This entire thread was about a "potential vulnerability", not an exploit. As I've explained before, potential vulnerabilities are of no concern to end users and there is absolutely no reason to get worked up about them.

    The thing is, new potential vulnerabilities are found in operating systems constantly. You can go to certain Web sites and see a list of them as they are found (for *any* operating system). Apple has internal Web pages with lists of them as they are found and they prioritize which ones need a more or less urgent time frame for dealing with it.

    New potential vulnerabilities have ZERO relevance to end users. Why? Because until they are exploited (i.e. malware is written to take advantage of them), they present no problem to end users. And it is extremely likely that each and every potential vulnerability will NEVER be exploited.

    Once a new potential vulnerability is found, a race is, figuratively speaking, on between the developer to patch it, and sociopaths who write malware to exploit the potential vulnerabilty. In this race, the developer has a huge advantage. First because it's usually way easier and faster, to patch an OS than it is to create a successful exploit. (Exploits tend to be fairly complex.) And second, an exploit doesn't just take a long time to create, it usually costs the bad guys a lot of money to create them. So, as you can guess, the bad guys are at quite a disadvantage at this. Especially since if they fail to create a viable exploit in time to take advantage of the potential vulnerability before it is patched, they may never realize any ill-gotten gains from their exploit and they may end up deeply in debt. (Most exploits these days are written to swindle money out of users.)

    Add to this that the sociopaths who write exploits (malware) KNOW that Apple is very good about patching the Mac OS for security purposes when necessary. So they don't have a huge incentive to jump on any potential vulnerability unless they are the only ones that know about it (which means Apple doesn't know to patch it preemptively). This is rarely the case. There are "white-hat" hackers who look for potential vulnerabilities and report them to Apple for just this reason.

    So...all of this is, at best, academic to end users. It will more than likely never effect them. It's nice fodder for anti-virus companies to use to try and scare you into purchasing anti-virus software that you don't need. But it isn't something that end users even have to think about.
    Randy B. Singer
    Co-author of The Macintosh Bible (4th, 5th, and 6th editions)
    Mac OS X Routine Maintenance http://www.macattorney.com/ts.html

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. iCal gone wild!
    By macmanlondon in forum macOS - Apps and Games
    Replies: 1
    Last Post: 07-25-2012, 05:07 PM
  2. Man vs. Wild is not as advertised...
    By TheCustomer99 in forum Schweb's Lounge
    Replies: 9
    Last Post: 07-26-2007, 08:51 PM
  3. ADs gone wild!
    By eric in forum Community Suggestions and Feedback
    Replies: 20
    Last Post: 04-19-2007, 08:52 PM
  4. mouse going wild
    By thadoggfather in forum Other Hardware and Peripherals
    Replies: 2
    Last Post: 05-11-2006, 12:19 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •