Apple Apparently IGNORES Researcher’s Report of 0-Day Exploit for macOS KeyChain

Apple was recently embarrassed by its FaceTime bug in iOS and (far worse) by having a non-functional security bug reporting process.

But now it seems that Apple has a pattern of failing to make any viable process available for reporting security bugs, except to a small and exclusive group of researchers: a policy that without a doubt endangers Mac users (and now with two proofs of that in a month).

A reasonable person might conclude incompetence and lack of concern; the former certainly seems to be true, the latter probably not, except that where is the process, the publicly available process? Weeks without a fix for a severe problem is unacceptable to the point of disbelief.

To wit, way back on Feb 4 or so, security researcher Linus Henze reported a 0-day, as discussed in Claimed 0-Day Exploit for Stealing Every Password in Your Keychain on macOS Mojave and earlier macOS, and summarized below.

As of March 1, Linus Henze has provided the bug details to Apple (for free), with no response and without reward. How can Apple be taken seriously when it ignores severe vulnerabilities like this?

All the posturing in the world by Tim Cook to the press doesn’t fix this outrageous situation.

Summary of the 0-day

The claim by Linus Henze is:

In this video, I'll show you a 0-day exploit that allows me to extract all your keychain passwords on macOS Mojave (and lower versions). Without root or administrator privileges and without password prompts of course.

This is not the first time. You might remember KeychainStealer from @patrickwardle, released 2017 for macOS High Sierra, which can also steal all your keychain passwords. While the vulnerability he used is already patched, the one I found still works, even in macOS Mojave. I won't release this. The reason is simple: Apple still has no bug bounty program (for macOS), so blame them.

https://www.youtube.com/watch?v=nYTBZ9iPqsU

Apple talks a good PR story (congratulations to Tim Cook for his persuasion), but the bottom line is that a mind-blowing run of serious security flaws in macOS is prima facie evidence of software development incompetence chained to a calendar-based ship-it-testing-be-damned schedule.

What MPG wants to know is whether Apple acknowledges or denies this bug and (particularly important) if Apple is paying bug bounties for such stuff, so that the Bad Guys don’t get hold of it. Tim? Where’s the beef, is it a nothingburger or what?

Copyright © 2019 diglloyd Inc, all rights reserved.