Keychain exploit in the wild?

Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
If a video of the keychain exploit is available on YouTube, it's pretty safe to say that it is in the wild already...


Is there a timeframe for Apple to patch this vulnerability?
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
I believe Apple is already aware of the vulnerability but have not heard of any forthcoming patches or fixes. We will add on to this thread if we hear anything.

Apparently, the individual who discovered this exploit or vulnerability is refusing to disclose it to Apple because he's unhappy with Apple's policy of rewarding bug exploit finders who discover the nasties only in iOS and not macOS.

The whole saga of this sounds childish and silly. You can read more on this by doing a Google search for "keychain exploit".
 
OP
Cr00zng
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
Well, the 10.14.4 version released on February 7th has addressed FaceTime, CVE-2019-7286 and CVE-2019-7287 vulnerabilities, privilege escalation and arbitrary code execution respectively. Maybe it had been addressed already...

The fact that Apple specifies FaceTime, but not keychain, in their HT209520 makes me doubt that this vulnerability had been addressed in 10.14.4.

As for childish...

The "kid" has a point, even if I don't agree with the way he expresses it. He could also sell this exploit to a number of exploit brokers, like Zerodium, for substantially more than whatever the Apple reward might be for a macOS exploit. To my knowledge, he has not as of yet, at least. There's that...
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.
 
Joined
May 21, 2012
Messages
10,735
Reaction score
1,188
Points
113
Location
Rhode Island
Your Mac's Specs
M1 Mac Studio, 11" iPad Pro 3rd Gen, iPhone 13 Pro Max, Watch Series 7, AirPods Pro
The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.
Only Apple?

Some people prefer to complain a lot louder about Apple, because of their success, and the way they prefer to keep their environment secured.
 
Joined
Jan 1, 2009
Messages
15,494
Reaction score
3,853
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
I don't see the threat. Yes, this guy has demonstrated that if the thief is logged into my system (I use a very powerful password for that), and if he/she has installed the KeySteal code on my machine (needing my Admin password to install it, another strong pass phrase) then he can get my passwords. But he's already got my password and my admin pass phrase just to get to where he can run KeySteal, so what is the threat? Just use the admin password and Keychain Access directly.
 
OP
Cr00zng
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.

My bad, the version is 10.14.3 on my macOS...
 
OP
Cr00zng
Joined
Jan 1, 2014
Messages
629
Reaction score
52
Points
28
Your Mac's Specs
MacBookPro 13 v11.1, i5 2.4 GHz, 256 GBs SSD, 8 GBs DDRs
I don't see the threat. Yes, this guy has demonstrated that if the thief is logged into my system (I use a very powerful password for that), and if he/she has installed the KeySteal code on my machine (needing my Admin password to install it, another strong pass phrase) then he can get my passwords. But he's already got my password and my admin pass phrase just to get to where he can run KeySteal, so what is the threat? Just use the admin password and Keychain Access directly.

I agree with you, but...

In the video, the KeySteal app is a full-blown app with a GUI. What if the KeySteal code were converted into a script, with no actual notification to the end user, for remote exploit via the browser or any other means? From my perspective, that's possible as long as the vulnerability utilized by this app exists. I hope not...
 
Joined
Jan 1, 2009
Messages
15,494
Reaction score
3,853
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Sure, but that is a what, if, maybe, could, possible, threat. The ACTUAL threat is probably really low. I have a lot more things to worry about than a maybe, could, possibly, if, threat. Would I prefer that there not be a hole in Keychain? Sure, and I'm also sure Apple will plug that hole. But in the meantime, using a VPN, strong passwords and pass phrases and good browsing habits will keep me as safe as I can be.
 
Joined
Nov 29, 2018
Messages
29
Reaction score
0
Points
1
The update to macOS that was released on Feb 7 was 10.14.3. Anything else is still in beta and undergoing testing. But I agree, sometimes Apple can be difficult to deal with.

Sorry, is this confirming that Apple patched this keychain exploit on Feb 7 in release 10.14.3?

Regardless, has this been appropriately patched by Apple as yet?
 
Joined
Jan 1, 2009
Messages
15,494
Reaction score
3,853
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
FYI, macOS is up to 10.14.5 now. Have no idea about what got patched.
 
Joined
Oct 16, 2010
Messages
17,526
Reaction score
1,560
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
FYI, macOS is up to 10.14.5 now. Have no idea about what got patched.


According to reports such as these, I'm sure Apple has everything well under control by now, at least I would expect so:
Researcher provides Apple with details (and fix) for Keychain flaw
BY KILLIAN BELL • 5:16 AM, MARCH 4, 2019
Researcher provides Apple with details (and fix) for Keychain flaw

And Wired says yes, all fixed:
LILY HAY NEWMAN SECURITY
06.01.19 05:00 AM
THE TRICKY SHENANIGANS BEHIND A STEALTHY APPLE KEYCHAIN ATTACK

Dubbed KeySteal, the attack called attention to the fact that the macOS keychain makes a very attractive target for hackers. Apple patched the flaw that KeySteal was exploiting at the end of March.
The Shenanigans Behind a Stealthy Apple Keychain Attack | WIRED

So, all done, just carry on. :Smirk:



- Patrick
======
 
Joined
Nov 29, 2018
Messages
29
Reaction score
0
Points
1
According to reports such as these, I'm sure Apple has everything well under control by now, at least I would expect so:
Researcher provides Apple with details (and fix) for Keychain flaw
BY KILLIAN BELL • 5:16 AM, MARCH 4, 2019
Researcher provides Apple with details (and fix) for Keychain flaw

And Wired says yes, all fixed:
LILY HAY NEWMAN SECURITY
06.01.19 05:00 AM
THE TRICKY SHENANIGANS BEHIND A STEALTHY APPLE KEYCHAIN ATTACK


The Shenanigans Behind a Stealthy Apple Keychain Attack | WIRED

So, all done, just carry on. :Smirk:



- Patrick
======

I've had keychain disabled for a long time now, having already read some of the issues flagged in this article (Thx Patrick) and from other sources. However, this article points out that because of the seamless integration of keychain with macOS, it may still be saving many of my passwords. I'm interested to know what kinds of passwords it saves under these circumstances. Does it just save passwords entered for local content (apps etc.), or just web-entered passwords in Firefox/Safari etc.? Or both? What about your Login password? Does it get saved too?

Regards,

Macced
 
Joined
Oct 16, 2010
Messages
17,526
Reaction score
1,560
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
I'm interested to know what kinds of passwords it saves under these circumstances.


Why not open it up and have a look at the various entries you have in there.

Any names or passwords it contains should give you a pretty good idea of what you might have saved in there and what might have been used to put them there.

Then there's always Google to use for searching on more technical data and how it all works.

If you've ever had any problems with Keychain Access I think you'd have some pretty good respect on its protection integrity and how it works to protect you.


Why not open it and read some of its Help topics starting with the About Keychain Access thread.



- Patrick
======
 
Joined
Feb 1, 2011
Messages
4,424
Reaction score
2,130
Points
113
Location
Sacramento, California
This entire thread was about a "potential vulnerability", not an exploit. As I've explained before, potential vulnerabilities are of no concern to end users and there is absolutely no reason to get worked up about them.

The thing is, new potential vulnerabilities are found in operating systems constantly. You can go to certain Web sites and see a list of them as they are found (for *any* operating system). Apple has internal Web pages with lists of them as they are found and they prioritize which ones need a more or less urgent time frame for dealing with it.

New potential vulnerabilities have ZERO relevance to end users. Why? Because until they are exploited (i.e. malware is written to take advantage of them), they present no problem to end users. And it is extremely likely that each and every potential vulnerability will NEVER be exploited.

Once a new potential vulnerability is found, a race is, figuratively speaking, on between the developer to patch it, and sociopaths who write malware to exploit the potential vulnerability. In this race, the developer has a huge advantage. First, because it's usually way easier and faster to patch an OS than it is to create a successful exploit. (Exploits tend to be fairly complex.) And second, an exploit doesn't just take a long time to create, it usually costs the bad guys a lot of money to create them. So, as you can guess, the bad guys are at quite a disadvantage at this. Especially since if they fail to create a viable exploit in time to take advantage of the potential vulnerability before it is patched, they may never realize any ill-gotten gains from their exploit and they may end up deeply in debt. (Most exploits these days are written to swindle money out of users.)

Add to this that the sociopaths who write exploits (malware) KNOW that Apple is very good about patching the Mac OS for security purposes when necessary. So they don't have a huge incentive to jump on any potential vulnerability unless they are the only ones that know about it (which means Apple doesn't know to patch it preemptively). This is rarely the case. There are "white-hat" hackers who look for potential vulnerabilities and report them to Apple for just this reason.

So...all of this is, at best, academic to end users. It will more than likely never affect them. It's nice fodder for anti-virus companies to use to try and scare you into purchasing anti-virus software that you don't need. But it isn't something that end users even have to think about.
 
Joined
Jan 1, 2009
Messages
15,494
Reaction score
3,853
Points
113
Location
Winchester, VA
Your Mac's Specs
MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Good summary, Randy!
 
Joined
Oct 16, 2010
Messages
17,526
Reaction score
1,560
Points
113
Location
Brentwood Bay, BC, Canada
Your Mac's Specs
2011 27" iMac, 1TB(partitioned) SSD, 20GB, OS X 10.11.6 El Capitan
So...all of this is, at best, academic to end users. It will more than likely never affect them. It's nice fodder for anti-virus companies to use to try and scare you into purchasing anti-virus software that you don't need. But it isn't something that end users even have to think about.


Amen.

And thanks for the great summary Randy.



- Patrick
======
 
