Dumb bug of the week: Apple's macOS reveals your encrypted drive's password in the hint box

High Sierra update derided by devs as half-baked

Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software.

Matheus Mariano, a developer with Brazil-based Leet Tech, documented the APFS flaw in a blog post a week ago, and it has since been reproduced by another programmer, Felix Schwartz.

The bug (CVE-2017-7149) undoes the protection afforded to encrypted volumes under the new Apple File System (APFS).

The problem becomes apparent when you create an encrypted APFS volume on a Mac with an SSD using Apple's Disk Utility app. After setting up a password hint, invoking the password hint mechanism during an attempt to remount the volume will display the actual password in plaintext rather than the hint.

Here's a video demonstrating the programming cockup:

[YouTube video]

Apple acknowledged the flaw in its patch release notes: "If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints."
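As an added illustration (not Apple's code; the volume metadata structure and the function names are hypothetical), here is a small Python model of the defect the release notes describe, placed next to hint-storage logic that applies the fix they outline: refuse any hint that would disclose the password, and clear an already-stored hint that equals it.

```python
"""Hypothetical model of the APFS hint-storage defect and its fix."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VolumeMetadata:
    """Constructed stand-in for per-volume crypto metadata (assumption:
    the real on-disk format wraps a key and never holds the password)."""
    name: str
    password: str
    hint: Optional[str] = None


def store_hint_buggy(meta: VolumeMetadata, hint: str) -> VolumeMetadata:
    """The defect as described: the hint slot receives the password,
    so the "show hint" button later reveals it in plaintext."""
    meta.hint = meta.password
    return meta


def hint_discloses_password(hint: str, password: str) -> bool:
    """Case-insensitive containment check; a hint that embeds the
    password is as bad as one that equals it."""
    return bool(password) and password.lower() in hint.lower()


def store_hint_fixed(meta: VolumeMetadata, hint: str) -> bool:
    """Hardened logic: persist the hint only if it cannot leak the
    password. Returns True when a hint was stored."""
    if hint == "":
        meta.hint = None
        return False
    if hint_discloses_password(hint, meta.password):
        return False
    meta.hint = hint
    return True


def repair_existing_volume(meta: VolumeMetadata) -> bool:
    """Cleanup step the release notes describe: clear stored hint
    storage if the hint is the password. Returns True if cleared."""
    if meta.hint is not None and meta.hint == meta.password:
        meta.hint = None
        return True
    return False


def hint_for_remount(meta: VolumeMetadata) -> str:
    """What the remount dialog should display when asked for the hint."""
    return meta.hint if meta.hint is not None else "(no hint set)"
```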

The Keychain flaw (CVE-2017-7150) was identified last week by Patrick Wardle, from infosec biz Synack. It allowed unsigned apps to access sensitive data stored in Keychain.

"It becomes clearer every day that Apple shipped #APFS way too early," wrote Schwartz in a tweet on Thursday.

Other coders have said as much. Shortly after Apple released the High Sierra upgrade, aka macOS 10.13, in late September, Brian Lopez, an engineering manager at GitHub, mused via Twitter, "Legitimately wondering if Apple accidentally shipped a pre-release version of High Sierra. So much of it is unfinished and unpolished."

Marco Arment, another developer, suggested Apple's focus on iOS has hurt its quality control elsewhere. "The biggest problem with Apple putting less effort into macOS isn't that it stagnates — it's that they make buggier, sloppier updates," he wrote via Twitter on Thursday.

Asked to comment, an Apple spokesperson directed The Register to its published security update notification and an accompanying knowledge base article.


Biting the hand that feeds IT © 1998–2017
