Apple has released more details about the macOS High Sierra 10.13 Supplemental Update it issued on Thursday, stating that it fixes two security issues: one relating to APFS volume encryption and one involving a potential attack that could allow an attacker to extract a user's keychain passwords.
The first issue, reported to Apple by Matheus Mariano of Leet Tech, is described as "A local attacker may gain access to an encrypted APFS volume." If a hint was set in Disk Utility while creating an encrypted APFS volume, the password itself was stored as the hint.
Apple addressed this issue by clearing the hint storage if it was discovered the hint was the same as the password. Apple also claims to have improved "the logic for storing hints."
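The following is an added illustration of the mitigation described above, written for this article rather than taken from Apple or Disk Utility: a validator that refuses to store a hint that would reveal the password. It goes slightly beyond the specific case on the page by also catching hints that differ from the password only by case or whitespace, or that contain the password. The function names, the normalization rules and the sample values are all assumptions for the example.

```python
"""Hypothetical password-hint validator (added example, not Apple's code).

Models the class of defect described above: a hint that discloses the
volume password. The check refuses a hint that equals the password,
differs from it only by case or surrounding whitespace, or contains it.
"""
import unicodedata
from typing import Optional


def _normalize(text: str) -> str:
    # Fold Unicode compatibility forms and case so trivial variants
    # of the password are still recognised as the password.
    return unicodedata.normalize("NFKC", text).strip().casefold()


def hint_leaks_password(password: str, hint: str) -> bool:
    """Return True if storing `hint` would reveal `password`."""
    p = _normalize(password)
    h = _normalize(hint)
    if not p or not h:
        return False
    # Equal after normalization, or the password appears inside the hint.
    return p == h or p in h


def sanitize_hint(password: str, hint: str) -> Optional[str]:
    """Return the hint to store, or None when it must be cleared.

    Mirrors the behaviour the article attributes to the fix: a hint that
    matches the password is discarded instead of being persisted.
    """
    if hint_leaks_password(password, hint):
        return None
    return hint.strip() or None


def create_volume_record(name: str, password: str, hint: str) -> dict:
    """Build the metadata that would be persisted for a new volume.

    The password is never stored here; only the (sanitized) hint is.
    This is a constructed stand-in for a real volume-creation routine.
    """
    return {"name": name, "hint": sanitize_hint(password, hint)}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(create_volume_record("Backup", "hunter2", "hunter2"))
    print(create_volume_record("Backup", "hunter2", "the usual one"))
```

Running the module prints a record with `hint` set to `None` for the first call and `"the usual one"` for the second; a real implementation would also apply the check whenever an existing hint is edited, not only at volume creation.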
The other security issue fixed by the update involved an application that was able to extract passwords from the keychain. Patrick Wardle of Synack discovered the vulnerability in late September and created a proof-of-concept app to demonstrate how the attack could work.
The proof-of-concept app could pull website logins from the Keychain as long as the user was logged in. The vulnerability did not require root access to be exploited, but it still required the user to run the app while deliberately overriding macOS security settings and unsigned-software warnings.
Video by Patrick Wardle demonstrating the Keychain vulnerability
According to Apple's description of the flaw, the method bypassed the keychain access prompt with a "synthetic click," and was addressed by "requiring the user password when prompting for keychain access."
The free Supplemental Update also includes a fix for a cursor graphic bug when using Adobe InDesign, resolves an issue where email messages couldn't be deleted from Yahoo accounts in Mail, and improves installer robustness.
Notably, the Supplemental Update did not include enough changes for Apple to issue it as a point-zero-one release. The company is still working on a macOS 10.13.1 update for High Sierra, with the first beta issued to developers last week.