Developer Discovers New Exploit In macOS High Sierra, Apple Soon Releases Supplemental Update To Fix Bugs

Brazilian developer Matheus Mariano appears to have discovered a pretty serious security vulnerability in macOS High Sierra that exposes the passwords of encrypted APFS volumes in plain text. According to his Medium post, mounting a previously created encrypted APFS volume in Disk Utility and clicking the Show Hint button reveals the password, instead of the hint, in plain text.


The issue currently only affects Macs with SSD storage due to Apple File System compatibility, but APFS will eventually support machines with Fusion Drives as well. Schwarz believes users who haven't specified a password hint, or haven't used Disk Utility at all, are probably not affected. “I do not recommend you to update before Apple solve this problem,” Matheus said.

Mariano said he has reported the vulnerability to Apple. The company did not immediately respond to our request for comment on the matter, but the Cupertino firm has since released a Supplemental Update for macOS High Sierra with various bug fixes, which may include fixes for the APFS Disk Utility bug and the Keychain vulnerability.

In addition, Apple released a support document alongside the Supplemental Update that walks users through what to do if macOS High Sierra is showing a password instead of a password hint on an encrypted APFS volume. These steps include installing the update, creating an encrypted backup of data for the affected volume, erasing the drive, reformatting to APFS, etc.


Last but not least, according to the release notes, the update also improves installer robustness, fixes a cursor graphic bug in Adobe InDesign, and resolves an issue where messages couldn't be deleted from Yahoo accounts in Mail. macOS High Sierra can be downloaded using the Software Update function in the Mac App Store.

Via MacRumors And 9to5Mac, Image Credit AppleInsider And 9to5Mac
