Apple Security Advisory 2017-10-05-1 - macOS High Sierra 10.13 Supplemental Update is now available and addresses a password hint issue and keychain extraction vulnerabilities.
ba18157b0ddad8def7a6b9f8b593aefe7b6bf640e60a4ebe23e2efed83ae9885-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
APPLE-SA-2017-10-05-1 macOS High Sierra 10.13 Supplemental Update
macOS High Sierra 10.13 Supplemental Update is now available
and addresses the following:
StorageKit
Available for: macOS High Sierra 10.13
Impact: A local attacker may gain access to an encrypted APFS volume
Description: If a hint was set in Disk Utility when creating an APFS
encrypted volume, the password was stored as the hint. This was
addressed by clearing hint storage if the hint was the password, and
by improving the logic for storing hints.
CVE-2017-7149: Matheus Mariano of Leet Tech
Security
Available for: macOS High Sierra 10.13
Impact: A malicious application can extract keychain passwords
Description: A method existed for applications to bypass the
keychain access prompt with a synthetic click. This was addressed by
requiring the user password when prompting for keychain access.
CVE-2017-7150: Patrick Wardle of Synack
New downloads of macOS High Sierra 10.13 include the security
content of the macOS High Sierra 10.13 Supplemental Update.
Installation note:
macOS High Sierra 10.13 Supplemental Update may be obtained from the
Mac App Store or Apple's Software Downloads web site:
https://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJZ1muIAAoJEIOj74w0bLRGK4YP/0po4Tefgarlu0uLyWAxst/6
KTtHK6sJs7wE0nsGJV1SUrKCLtuKo82mOkLJU5a7iS2qBcCLZVFr63HlG6nPDsJU
mTfEGcUoVJMLy8BvkHxuQKA9h/4dymZ+4irQZ6ZxUKWYSIBowf0p2oWmwjxKY3v1
BNRx7bLnJH3bOej2EZbwGUVUMVWxlnGTeHQwGNrSoHlWQayZy/S9mJQRFlG8UlrQ
C3EH8PxMNJKQuClP5WutREFzoY5uod4v24yFwlz1OdnyNhafprQnRUJaFlpiD0Fi
oVf4OnuPOxI1txZ+QIN3virg3/TI/uLKYFpVatrw/sBiFPPD1W3PSHTGF3LtXAVf
WFx7OQpAw/IFir2UZXMoOzMA7jrKgROn393/utbNVemoeUlr0SwG83zTsL/fmLGB
m0u2PhHgUvTkGmTrdf8DCr1RCs20Q1KahkScUT3iBFoEGP+Tqy1PTgXb+2KFGKL3
nA8r7fWu1aFRu/rLUPO+cs46Y1LSqxmgYlYE1B2W5mpO03EUyNzq3aoI68s97+UI
xka2V//xbhFTok4r08bLKK+KvNC2qan6MyMEqqp9PNsWOTtUoEw1EJTrQoQkMkjp
/qPFwGe6LDOtxWDB1LMC80Ruto3CiSbkmLN6D9XLYKQnbuJSQiioU/VWIG5EN+lC
+olewerlqcRryeVWc4IM
=Frfq
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed