Apple Releases macOS High Sierra 10.13 Supplemental Update With Fix for APFS Disk Utility Bug and Keychain Vulnerability

[Williesleg]

What's troubling is that Apple stores your passwords unencrypted or has a way to decrypt them.

That's inexcusable.

Normally when you key in a password on any sane operating system, it encrypts what you keyed in with an one-way encryption algorithm. Then it compares the encrypted string vs. what's stored encrypted. That's the way it's supposed to work.

What this says is that Apple either chooses to ignore that, or doesn't care. Either way, the cat's out of the bag, there's a way for Apple to see or recover your password easily.

 

[J.Dillinger]

Is anyone else's Sharing preference pane option greyed out after this update?

 

[mwined]

What's troubling is that Apple stores your passwords unencrypted or has a way to decrypt them.

That's inexcusable.

Normally when you key in a password on any sane operating system, it encrypts what you keyed in with an one-way encryption algorithm. Then it compares the encrypted string vs. what's stored encrypted. That's the way it's supposed to work.

What this says is that Apple either chooses to ignore that, or doesn't care. Either way, the cat's out of the bag, there's a way for Apple to see or recover your password easily.

What is troubling is the inability of some folk to actually read and comprehend the technical details of how a thing works.
This is an issue with "Disk Utility.app", and effects those that "added" an encrypted APFS volume with a password hint, using Disk Utility.app, after installing the release version of High Sierra.
The password is not "stored" unencrypted, unless you added an encrypted APFS volume using Disk Utility.app - with a password hint, after installing the release version of High Sierra. Even then it is merely -- at the time of clicking the button to initiate the encryption -- copying a text string that has not yet been encrypted (but hidden by dots) to the Hint field.

Should the OS have been released without this bug? Yes.
Did it actually effect you or your boot volume? Not unless you like doing things the hard way.
If you have added an encrypted APFS volume, install the supplemental update on your boot volume, and follow the instructions to remediate the password in the hints field for that added volume.

All that said, I'm sure there are some that won't be able to read past the first sentence of my reply before the outrage machine starts typing.

 

[upandown]

I bet they didn't even call a meeting. Craig just forwarded the bug report out in an email with a pink background.

I think its about the same? Hard to say

 

[steve333]

How come High Sierra is not showing up in App Store updates? I have a 2011 Mini so shouldn't it be asking me to upgrade from Sierra?

 

[jbachandouris]

Well, 8:30PM EST and the update still not showing in the app store.
10.13.1 Beta

 

[lkrupp]

Apple being trashed for releasing a bug fix. Only on MacRumors.

 

[algengler]

Does anyone know if the update is included in the High Sierra download from Apple and if so does it fix any of the install issues that forced many to restore from backup back to Sierra.

 

[MrChurchyard]

What's troubling is that Apple stores your passwords unencrypted or has a way to decrypt them.

That's inexcusable.

Normally when you key in a password on any sane operating system, it encrypts what you keyed in with an one-way encryption algorithm. Then it compares the encrypted string vs. what's stored encrypted. That's the way it's supposed to work.

What this says is that Apple either chooses to ignore that, or doesn't care. Either way, the cat's out of the bag, there's a way for Apple to see or recover your password easily.

Nah
This is not about the user’s system password not being hashed (or “encrypted” as you call it), this is about passwords stored in the password manager (Keychain). Being able to read the passwords stored in your password manager is pretty much the the point of a password manager like Keychain.

 

[JeffyTheQuik]

...fixes a cursor graphic bug in Adobe InDesign

HURRAH! That was v quick. Thought we'd wait a couple of months for that - kudos to Apple for the speed of this update.

I was thinking back to my Microsoft days, and there would be a work around that said something like:
"A way to keep others from seeing the password, put a post-it note, or other blocking device on your screen. While this may not help all users, when the testing on the fix comes, we will commandeer your computer, force the fix on you, and if you're not there, reboot your computer without your permission, and you'll lose all the open work on your desktop."

 

[dempson]

Weird... Still not showing up in software update for me on my 2016 MB Pro 15" with 10.12.6..... Hope that's not a bad sign?

This supplementary update is only for Macs already running 10.13.0, so it won't show up for Macs running 10.12.6.

At some point (probably coinciding with the release of 10.13.1 if not sooner) there will be a security update for 10.12.6, which will hopefully include the fix for the keychain issue. The Disk Utility issue doesn't affect 10.12.6 as it was a bug in a new feature introduced in the 10.13 version of Disk Utility (creating an encrypted APFS volume).

How come High Sierra is not showing up in App Store updates? I have a 2011 Mini so shouldn't it be asking me to upgrade from Sierra?

Apple stopped pushing new version notices to older OS versions when High Sierra was released, which also means the "Free Upgrade" banner at the top of the Updates tab in App Store has disappeared. If you want to get High Sierra now, you can do so via the Featured tab in App Store.

At some point (perhaps 10.13.1), Apple will reactivate the Free Upgrade banner, and those on older OS versions can resume getting annoyed about the pushed notices.

Does anyone know if the update is included in the High Sierra download from Apple and if so does it fix any of the install issues that forced many to restore from backup back to Sierra.

The supplementary update was included in a new download of the High Sierra installer I got from App Store a few hours ago (the "Install macOS High Sierra.app" version is 13.0.66 instead of 13.0.64, and the system it contains is build 17A405 instead of the original 17A365). Timing of its availability may vary depending on how quickly it gets to each node of the worldwide distributed network of servers.

No idea about install issues as I haven't encountered them but it does claim to make the installer more robust.

 

[MacGizmo]

Has anyone running the public beta (17B25c) been able to get this update, or is it supposed to already be included in the beta? I suspect that another public beta update will be coming with this minor update included... but I thought I would ask around here.

[Update] Sorry, I didn't see earlier posts from people asking the same question, and saying that NO, the patch is NOT included in the public beta. Hopefully Apple releases public beta 2 very soon with this patch included.

 

[jdillings]

I hereby decree today Patch Thursday. Please join me in looking forward to Patch Tuesday and Patch Thursday every week from here on out.

 

[ke-iron]

Ok eff this. I want to know why my brand new 2017 MacBook Pro with Touch Bar running high Sierra, Siri still does not have the new natural voice that my iPhone has. WTH, Apple is really slacking these days.

 

[wbeasley]

Have they fixed the bug where files larger than 2gig can't copy over to an external USB? My movie rips used to work fine in Sierra, no error all the time. Take the external disks offline and use a Windows PC to copy the large files. Grrrrr. (Well at least my old Windows laptop has come in handy for something... hahaha)

 

[tromboneaholic]

I am so confused, I just applied the update. Do I need to do anything else?

Use your computer.

 

[BenTrovato]

I started the update with my 2017 MBP 13" connected to a TB display with a dongle. The update has been stuck at time remaining "About a minute" for 45m now. I unplugged the TB display and the screen switched back to the MBP, cursor is active, but the status bar is only 1/8th the way across and stuck. Ugh.

I'm encrypted with FileVault FWIW.

Anybody else have issues like this? I have some meetings and can let it run for another 2 hours, but I'm fearing bad things if I force-reboot..

I guess that’s why I asked. The High Sierra upgrade was the first time I couldn’t upgrade the OS with an external monitor. Was wondering if they fixed that. I guess it only works with no dongles or external displays.

 

[tromboneaholic]

Have they fixed the bug where files larger than 2gig can't copy over to an external USB? My movie rips used to work fine in Sierra, no error all the time. Take the external disks offline and use a Windows PC to copy the large files. Grrrrr. (Well at least my old Windows laptop has come in handy for something... hahaha)

I just copied a 2.3 GB zip.

 

[pat500000]

Apple being trashed for releasing a bug fix. Only on MacRumors.

Maybe if MR start making articles of the things that needs to be fixed, I'm sure Apple people will read those articles that needs to be fixed.

 

[mr_vinjah]

I guess that’s why I asked. The High Sierra upgrade was the first time I couldn’t upgrade the OS with an external monitor. Was wondering if they fixed that. I guess it only works with no dongles or external displays.

Just to followup, I the installer was stuck on the black screen with white apple after 2 more hours so I force-shutdown. Upon reboot I was given the login window, then during my user login process (with user avatar and blurred desktop image), it got halfway through then said "completing install". After about 10m I was in the Finder and all seemed ok, except that the update was not actually applied (it seemed) as it showed up in App Store Updates and verified older build number. Will try again tomorrow, but at least I wasn't bricked.

 

[Ritmo]

At least Apple has been responsive, as the APFS vulnerability was just revealed within the past day.

Nope, the guy published it a weak ago and mentioned that he reported it to Apple. https://medium.com/@matheusmariano/...d-of-an-encrypted-apfs-container-b4f2f5326e79

 

[cult hero]

People have got to stop calling this an APFS vulnerability. It's not. It was a bug in Disk Utility.

This bug seems consistent with Disk Utility too, a program that gets worse and less useful with every... single... update. I have started just using the command line tools for managing disks for purposes other than a quick format. Try partitioning a USB flash stick through Disk Utility because... why would anyone want to do that?
[doublepost=1507268275][/doublepost]

I started the update with my 2017 MBP 13" connected to a TB display with a dongle. The update has been stuck at time remaining "About a minute" for 45m now. I unplugged the TB display and the screen switched back to the MBP, cursor is active, but the status bar is only 1/8th the way across and stuck. Ugh.

I'm encrypted with FileVault FWIW.

Anybody else have issues like this? I have some meetings and can let it run for another 2 hours, but I'm fearing bad things if I force-reboot..

I'm encrypted with FileVault and did the update while connected to my LG 5K (TB3). No issues here.

I try to avoid force reboots but... sometimes... ugh.

 

[Jaekae]

Will it fix the massive battery drain on my iPhone due to iOS 11? Sorry, wrong forum.

I have same battery length

 

[votdfak]

Someone will complain about having to install updates. They'd rather have Microsoft which would wait to patch a security issue because it's not part of their update release schedule. There were a number complaining of recent iOS updates in this way.

Because iOS 11 is the buggiest **** ever. Never ever had to reboot phone this much.

 

[ItWasNotMe]

Seems to have fixed Yahoo mail, but now my Gmail is broken