macOS High Sierra Update Fixes Password Reveal Vulnerability

Apple has issued a supplemental update to macOS High Sierra on Thursday after two significant security flaws were discovered and reported to the company.

macOS High Sierra 10.13 Supplemental Update is now available as a free download for all users with a compatible Mac. It can be downloaded via Software Update in the Mac App Store. It primarily two significant security flaws. In addition to the supplemental update, Apple has also modified the base version of macOS High Sierra to protect users who haven’t upgraded yet.

The first issue exists within the Disk Utility tool and was first discovered by Brazil-based developed Matheus Mariano, who published an article detailing the bug on Medium. The bug affects passwords on encrypted Apple File System (APFS) volumes within the Disk Utility app. Mariano also uploaded a video to YouTube showing off the vulnerability (which you can view below) and reported the bug to Apple.

The security glitch works like this: when you add a new APFS volume to a container within Disk Utility, you’re able to encrypt the volume with a password and hint. Except, the next time you’re required to input that password to access the volume, clicking on the Show Hint button will reveal the password in plaintext, rather than the password hint.

German developer Felix Schwarz also managed to successfully replicate the bug and shared a video of his particular experience on Twitter. According to additional tweets within the Twitter thread, the vulnerability seems tied to a bug within Disk Utility. Apparently, the tool inadvertently sets the password as the password hint, which allows it to be viewable in plaintext.

While the issue is believed to only affect Macs with SSD storage, and Schwarz says users who don’t use Disk Utility are safe, it’s still a significant security flaw. It could be especially dangerous for Mac owners who use the same password across a variety of services, apps and websites.

Apple has also released a support document that details the process of protecting a user’s data if they believed it has been compromised. The steps include installing the new update, creating an encrypted backup of data, wiping the drive, reformatting to APFS, and restoring the backed-up data.

macOS High Sierra 10.13 also fixes a significant flaw that could allow attackers to compromise usernames and passwords stored in Apple’s Keychain using third-party malicious code, according to a separate support document included alongside the update.

The update also includes some non-security related improvements, including a more robust installer as well as fixes for UI glitches within Adobe InDesign and an issue in Mail that prevented emails from Yahoo accounts from being deleted.

Since the security flaws are significant, it’s recommended that all Mac owners running macOS High Sierra upgrade to the new supplemental update.