Apple has released a supplemental update for macOS High Sierra incorporating various bug fixes for Macs. Apple says it improves ‘installer robustness’, fixes a graphical problem with Adobe InDesign and addresses an issue with mail not sending from Yahoo accounts.

To update, open the Mac App Store and navigate to the Updates tab on a machine running macOS High Sierra.

Try Amazon Prime 30-Day Free Trial

Whilst Apple lists three very specific fixes in the release notes, the security notes indicate that the update also includes two important fixes.

One of these addresses an issue with APFS that has been circulating around the Internet today. The bug meant that some APFS volumes would reveal their password in plain text in the Disk Utility interface.

Rather than being saved into the password field, the password would be set as the ‘hint’ which is readable by anyone. You can see a demo of the problem here:

The supplemental update also includes a fix for a Keychain issue which allowed a malicious application to extract all passwords from the system it was running on.

Apple occasionally pushes out ‘supplemental updates’ for macOS when there are pressing issues that customers are hitting, but there are not enough changes to warrant a new version number (like macOS 10.13.1, which is currently in beta).

If you are installing High Sierra from the Mac App Store for the first time, Apple has updated the download to include the changes contained in the supplemental update.

As always, we’ll let you know about any other changes we see after applying the update, although we naturally do not expect to find anything substantial that isn’t already documented. High Sierra was released on September 25.

macOS High Sierra 10.13 Supplemental Update

Released October 5, 2017

StorageKit

Available for: macOS High Sierra 10.13

Impact: A local attacker may gain access to an encrypted APFS volume

Description: If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.

CVE-2017-7149: Matheus Mariano of Leet Tech

Security

Available for: macOS High Sierra 10.13

Impact: A malicious application can extract keychain passwords

Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.

CVE-2017-7150: Patrick Wardle of Synack

New downloads of macOS High Sierra 10.13 include the security content of the macOS High Sierra 10.13 Supplemental Update.

About the Author