macOS 10.13 Supplemental Update
Yesterday Apple released a macOS 10.13 supplemental update (no change to the version number). It addresses two serious security issues. Last week we wrote about a potentially serious vulnerability in Apple’s Keychain security in macOS. The Keychain is where all of your passwords are stored and it is where they are supposed to be protected.
The exploit was discovered by Patrick Wardle, a former NSA hacker who demonstrated the hack in a video he posted. Particularly biting was finding out that this vulnerability has been present in a number of previous versions of macOS.
Steps To Vulnerability
Before a hacker could gain access to your Keychain he would need three things from an unsuspecting user.
- Download an Unsigned App
- Install the Unsigned App and
- Run it
The app could appear to be perfectly safe and harmless. But once it is running, a hacker can see all your passwords as plain text.
Apple’s Initial Response
Apple’s initial response when this was brought to light left some uncertainty as to whether it would be addressed anytime soon.
“MacOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.”
Here it is a week later and Apple has released a supplemental update for macOS 10.13. As usual, the update is free to all Mac users with compatible hardware. This update also addresses another serious issue.
Disk Utility Reveals Password
This issue involves Disk Utility and the new Apple File System (APFS). A software developer from Brazil, Matheus Mariano, found that from Disk Utility you could expose passwords for Apple File System volumes.
When you mount the volume and are expected to enter a password to gain access to it, the dialog box displays a “Show Hint” button. If you selected the Show Hint button, the plain text password would be displayed rather than the hint.
Apple provides more information and instructions on how to address this issue here.
I was not personally impacted by either of these issues. But I feel a little more secure after running the latest update.