The Mac Security Blog

Security News

Apple Issues New Security Updates, Patches APFS Volume Password Bug

Posted on by

Apple software security updates

Last week, Apple released updates for all of its current operating systems and Safari web browser, as well as security updates for macOS Sierra and OS X El Capitan. These updates came with new features, functionality and security fixes and enhancements.

The following guide details what new features each updates includes, the bugs addressed—including patches for the APFS volume password bug and the QR code scanning bug—and where you can download each software update.

macOS High Sierra 10.13.4

Apple’s new macOS High Sierra 10.13.4 is listed as an update that improves the stability, performance, and security of your Mac. Following are the bug fixes and new features included in macOS High Sierra 10.13.4:

  • Adds support for Business Chat conversations in Messages in the U.S.
  • Adds support for external graphics processors (eGPUs).
  • Fixes graphics corruption issues affecting certain apps on iMac Pro.
  • Allows jumping to the rightmost open tab using Command-9 in Safari.
  • Enables sorting of Safari bookmarks by name or URL by Control-clicking and choosing Sort By.
  • Fixes an issue that may prevent web link previews from appearing in Messages.
  • Helps protect privacy by only AutoFilling usernames and passwords after selecting them in a web form field in Safari.
  • Displays warnings in the Safari Smart Search field when interacting with password or credit card forms on unencrypted webpages.
  • Displays privacy icons and links to explain how your data will be used and protected when Apple features ask to use your personal information.

The sorting of Safari bookmarks is a new feature that many Apple pro users have anticipated for nearly 15 years (about time!), as well as support for external graphics processors (eGPU’s). Unfortunately, Apple put some restrictions on their final implementation, such as compatibility only with Thunderbolt 3. There are ways around this, if you wish to experiment with these new features. The displaying of privacy icons is something I will touch on later, below.

As for security related fixes, macOS High Sierra 10.13.4 patches 31 bugs. These include:

System Preferences
Impact: A configuration profile may incorrectly remain in effect after removal
Description: An issue existed in CFPreferences. This issue was addressed through improved preferences cleanup.

 

WindowServer
Impact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled
Description: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.

 

APFS
Impact: An APFS volume password may be unexpectedly truncated
Description: An injection issue was addressed through improved input validation.

 

Disk Management
Impact: An APFS volume password may be unexpectedly truncated
Description: An injection issue was addressed through improved input validation.

 

LinkPresentation
Impact: Processing a maliciously crafted text message may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

Apple addressed 5 security flaws in the Kernel, Intel and NVIDIA graphics drivers also received attention, and Mail received 2 fixes as well. On the APFS volume password issue, you may recall this article on the Mac Security Blog, where Intego pointed out an issue in which encrypted volume passwords were stored in logs in plaintext. This bug appears to have been fixed with macOS High Sierra 10.13.4. However, as Howard Oakley pointed out, passwords that were already stored in logs are still there! Check out his article for tips on what to do if you think this bug may have affected you.

macOS 10.13.4 is also the first update that can now be applied to all compatible and supported Apple systems. This means no more separate downloads are needed for iMac Pro users.

Also released were security updates for macOS 10.12 Sierra and OS X 10.11 El Capitan. In these security updates, Apple addressed 15 issues impacting the older operating systems.

For the full list of security bugs addressed by these updates, have a look here. For the complimentary list of components and macOS High Sierra 10.13.4, Security Update 2018-002 Sierra and Security Update 2018-002 El Capitan, you can download them from the App Store under the Updates tab. You can also download the updates from Apple’s website, here:

As always, when downloading software from any website, even a trusted one, make sure to verify the download before installing. Apple has guidelines on this that can be found here. All updates should include a firmware update, so you can expect your Mac to restart twice before the installation completes. Classic Mac Pro (pre-2013) users may have to run the Combo update for the firmware update to show. No details have been released about the firmware updates, but the common speculation is that it provides additional Meltdown/Spectre patches.

iOS 11.3

Available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, the new iOS 11.3 fixes 44 security issues. iOS 11.3 also introduces new features, including:

  • iPhone Battery Health (Beta)
    – Displays information on iPhone maximum battery capacity and peak performance capability
    – Indicates if the performance management feature that dynamically manages maximum performance to prevent unexpected shutdowns is on and includes the option to disable it
    – Recommends if a battery needs to be replaced
  • Privacy
    – When an Apple feature asks to use your personal information, an icon now appears along with a link to detailed information explaining how your data will be used and protected
  • App Store- Adds ability to sort customer reviews on product pages by Most Helpful, Most Favorable, Most Critical, or Most Recent
    – Improves Updates tab information with app version and file size
  • Health Records (Beta) – US only- Access health records and view lab results, immunizations, and more in a consolidated timeline in the Health app

The full list of new features can be found here.

The security fixes contained in iOS 11.3 include:

Find My iPhone
Impact: A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password
Description: A state management issue existed when restoring from a back up. This issue was addressed through improved state checking during restore.

iCloud Drive
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.

Mail
Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail
Description: An inconsistent user interface issue was addressed with improved state management.

Safari
Impact: Visiting a malicious website by clicking a link may lead to user interface spoofing
Description: An inconsistent user interface issue was addressed with improved state management.

Note that one of the bugs mentioned in the macOS list above was an issue with LinkPresentation; this was also fixed in iOS 11.3. Although Apple doesn’t mention QR codes, this is apparently Apple’s fix for the issue we wrote about recently, where scanning QR codes with Apple’s Camera app could display the incorrect URL rather than the actual URL to which you would be taken.

iOS 11.3 also addresses 3 Kernel issues, 2 Telephony bugs (one of which could cause an SMS to unexpectedly restart the phone), and many WebKit flaws.

The full list of security issues patched in iOS 11.3 can be found here. iOS 11.3 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.

watchOS 4.3

Available for all Apple Watch models, watchOS 4.3 contains new features, improvements and bug fixes. These include:

  • Control volume and playback on HomePod from your Apple Watch
  • Restores ability to control music on iPhone
  • Use any orientation for Nightstand charging mode
  • Siri watch face now shows progress towards closing Activity rings and when new songs are added to Apple Music mixes
  • Resolves an issue where Activity achievements were incorrectly awarded for some users
  • Fixes an issue where Siri music commands were not working for some audio devices

The security issues addressed are much the same as those patched in iOS 11.3. The full list of security issues addressed can be found here. watchOS 4.3 can be installed by connecting the watch to its charger, then on your iPhone open the Apple Watch app > My Watch tab > General > Software Update.

tvOS 11.3

Available for Apple TV 4K and Apple TV (4th generation), tvOS 11.3 includes new features and functionality:

  • Apple TV App: Now available in Brazil and Mexico.
  • Siri: Siri now understands Portuguese in Brazil.
  • Video playback: On Apple TV (4th generation), you can play videos in their original frame rate.

As with watchOS, the security issues addressed are much the same as those in iOS 11.3. The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

Safari 11.1

Included in macOS 10.13.4 and iOS 11, and also available for macOS 10.12.6 and 10.11.6, most of the changes found in the new Safari 11.1 are made under the hood. These include:

  • Updated Intelligent Tracking Prevention
    – Enhanced consistency of cross-site tracking protection behaviors.
  • Website Not Secure Warnings
    – Added display of “Website Not Secure” warnings when the user focus moves to a password or credit card form on an insecure page.
  • Removed Password AutoFill on Page Load
    Disabled AutoFill at page load to prevent sharing information without user consent.

The security release notes show that 23 issues were addressed in Safari 11.1, mostly in WebKit. Safari 11.1 is available through the App Store under the Updates tab.

Privacy Icons

Circling back to the mention of Privacy Icons in macOS 10.13.4 High Sierra, iOS 11 and also part of tvOS 11.3, what’s that all about? This is a new feature that draws your attention to Apple features that want to access your personal information, for instance, when that access is requested. You will see a welcome screen on your Mac, iOS device or Apple TV after installing the latest update, and it will explain why it’s there. On an iPhone it will look like this:

More privacy enhancements and changes are coming in response to the new privacy laws in Europe, such as the ability to download a copy of all the data Apple has on you and the ability to delete your account. With Facebook’s controversial handling of user data back in the news, this is a good time for Apple to roll out such features as it makes the company look very good in contrast.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. View all posts by Jay Vrijenhoek →