Apple just rolled out its new macOS High Sierra operating system but the OS is immediately hit by a zero-day exploit that allows attackers to capture passwords of a Keychain without requiring a master login password.
The zero-day was discovered by security researcher Patrick Wardle, he previously worked at the NSA but now has a position as chief security researcher at Synack. He informed Apple about the bug earlier this month, but the fix didn't make it into the launch release of High Sierra.
The exploit can be abused via unsigned apps or e-mail attachments. High Sierra is not the only version of Mac vulnerable, earlier versions of macOS and OS X have the same vulnerability.
Wardle explains he really likes macOS but blasts Apple for creating a false perception about the security of the OS:
"As a passionate Mac user, I'm continually disappointed in the security of macOS," he said. "I don't mean that to be taken personally by anybody at Apple -- but every time I look at macOS the wrong way something falls over. I felt that users should be aware of the risks that are out there I'm sure sophisticated attackers have similar capabilities."
"Apple marketing has done a great job convincing people that macOS is secure, and I think that this is rather irresponsible and leads to issues where Mac users are overconfident and thus more vulnerable," he added.