Apple releases macOS High Sierra 10.13 Supplemental Update with fix for APFS Disk Utility bug and Keychain vulnerability

“Apple today released a supplemental update to macOS Sierra 10.13, the first update to the macOS High Sierra operating system that was released to the public in late September,” Juli Clover reports for MacRumors. “The macOS High Sierra 10.13 update comes just over one week after the release of macOS High Sierra.”

“The supplemental macOS High Sierra 10.13 update addresses a software vulnerability that could expose the passwords of encrypted Apple File System volumes in plain text in Disk Utility,” Clover reports. “Apple has released a support document alongside the Supplemental Update that walks users through the process of protecting their data if macOS High Sierra is showing a password instead of a password hint on an encrypted APFS volume.”

Clover reports, “A separate security support document says that the update also fixes a vulnerability that could let a hacker steal the usernames and passwords of accounts stored in Keychain using a malicious third-party app.”

Read more in the full article here.

MacDailyNews Note: The update can be downloaded using the Software Update function in the Mac App Store. If you are installing High Sierra from the Mac App Store for the first time, Apple has already updated the download to include the changes contained in the supplemental update.

11 Comments

  1. WARNING — if you are using NVidia’s web drivers for aftermarket display solutions in a Mac Pro/Hackintosh, do NOT install this update yet. It will throw your machine into an endless cycle of panics and reboots as soon as it starts to load the drivers. If this happens, you need to remove or otherwise disable the video card in order to boot.

      1. Of course. The problem is that normally the drivers just get disabled on an update; here they cause a kernel panic that precludes even using the stock card until you remove the NVidia one.

  2. Why the goofy name of ‘Supplemental Update’? It’s a SECURITY UPDATE. That’s why Apple lists it among its other security updates.

    https://support.apple.com/en-us/HT208165

    What’s annoying is that CVE-2017-7150, the exploit of Keychain discovered by Patrick Wardle, exists in all previous versions of macOS as well! So where’s the security update for those systems? Huh Apple?

    Considering that macOS 10.13 High Sierra is considerably not ready for prime time…

    (APFS remains unfinished for Fusion Drives and its standard was set too late for file system repair utility developers to match the release date of 10.13)

    …WHY is Apple providing important macOS security updates ONLY for High Sierra?

    Twice today I am inspired to apply the Apple Prod:

    1. Umm… this update only applies to image creation in APFS. It was a simple textbox binding issue, not a deep flaw in Keychain Access or the “login” keychain (which is by definition open when you’re logged in anyway!)

      Providing updates to anything other than 10.13 for this issue is nonsensical.

      1. Reading comprehension would help.
        This fixes TWO bugs: one in Disk Utility, and the other a serious Keychain “vulnerability that could let a hacker steal the usernames and passwords of accounts stored in Keychain using a malicious third-party app.”
        The second item is not only in the linked-to article, but is even quoted above in the MDN excerpt.
        Before you correct another post, it helps to not be wrong in your correction. Derek was correct. You weren’t.

      2. Incorrect. I don’t comprehend what you’re talking about, but it has nothing to do with CVE-2017-7150.

        This is what I’M talking about, as quoted from Apple:


        Security
        Available for: macOS High Sierra 10.13
        Impact: A malicious application can extract keychain passwords
        Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.
        CVE-2017-7150: Patrick Wardle of Synack

        Here is Patrick’s only public release of information on the subject:

        As Patrick points out in his tweet thread, this exploit is possible in ALL versions of macOS.

  3. So Apple came out with what amounted to an emergency “Supplemental Update” yesterday to address the disgusting performance issues with 10.13. I never had to implement such an update just a couple days after release. An InDesign cursor bug? You mean no beta testers caught this? They should have just waited until November when staff is done moving into new HQ. It’s so obvious from the description posted yesterday that the ball was dropped on this. I’m very disgusted because I basically lost a whole week of productivity not being able to operate at peak or normal conditions. I should send them an invoice. I had to postpone 2 website jobs because Macs were crashing 2-3 times a day. Hope this works.
