macOS High Sierra 0-Day Released Hours Before Launch

September 28, 2017
Kevin Lam

A security researcher (and by the way ex-NSA guy) named Patrick Wardle released an exploit that enables attackers to exfiltrate passwords from macOS reportedly hours before Apple released their new operating system macOS High Sierra.

http://www.zdnet.com/article/apple-macos-high-sierra-password-vulnerable-to-password-stealing-hack

There’s no point in discussing whether releasing the exploit without a patch available was responsible or not. Wardle apparently reported the vulnerability to Apple a month earlier. I am sure Wardle has his reasons for doing this and Apple had their reasons for not implementing a patch.

I will say though as a fellow security researcher that these types of exploits, one where you can extract supposedly protected information from protected stores, are really interesting — because essentially all other security sub-systems are built on top of these security platforms. Hopefully, Apple gets this patched soon.

–Kevin