Apple made its latest OS update available Monday, but the release of High Sierra was tainted somewhat by the fact it comes replete with a critical vulnerability that allows an attacker to dump plaintext passwords from the macOS Keychain.

Researcher Patrick Wardle, chief security researcher at Synack, discovered the issue in early September and privately disclosed to Apple. The disclosure, however, did not preclude Apple from making High Sierra public yesterday. Wardle said in a post published yesterday that he expects a patch to be forthcoming.

The vulnerability is not exclusive to High Sierra; Wardle said he also tested it on Sierra, and that it appears El Capitan is vulnerable also.

Wardle did not provide specific information on the vulnerability, other than to say that non-privileged code or a malicious application could gain illicit access to the Keychain and steal passwords. He said the bar is set low in terms of ease of exploit.

Wardle emphasized too that an attacker would already have to be on a Mac machine in order to carry out his attack, and that the Keychain would have to be unlocked, which it is by default when the user logs in.

"Theoretically, this attack would be added as a capability or as a payload of such malware," Wardle wrote. "For example, the malware would persist, survey the system, then use this attack to dump the keychain."