Hello, welcome to the Tuesday, September 26, 2017 edition of the Sandinet Stormson, Stormcast. My name is Johannes Ulrich,

and I'm recording from Baltimore, Maryland. Apple on Monday released MagOS High Sierra, the next version of Mac OS.

Actually, originally I thought it was scheduled for today, for Tuesday,

but apparently was released sort of a day early, and with that, of course, we also received

respective security updates. The security updates affect a number of open source components.

That has always been a little bit of problem with Apple

products that they do use a lot of open source components that are often patched much later

than the open source components originally were patched, which of course leads to a window here

where a vulnerability is known but a patch

is not necessarily available for the respective OS 10 version but overall I didn't really

see anything super critical jump out at me and there was an update for OS 10 server or

macOS server 5.4 as well it only fixes one more ability and that's the

free radius issue yet again an issue that was patched the open source world a while ago and in

addition we got a new version of iCloud for Windows 7 and later.

Now, as MacOS High Sierra was released, Patrick Wardle,

who's respected security researchers at Objectivez.com,

he released a possible vulnerability in macOS Sierraierra as well as high sierra the particular vulnerability

allows unsigned code to actually exfiltrate the keychain without requesting a password so the macOS

keychain is essentially your iCloud passwords. This is the built-in password safe that you get with macOS, and it already existed in earlier versions of OS 10. Typically, when software accesses this keychain, you would expect a prompt.

Now, there was an earlier exploit from about a year ago that allowed AppleScript to be used to acknowledge the prompt.

Because all the user has to do is just click allow.

Well, this was actually fixed and that's no longer possible, but apparently

...