MacOS High Sierra 10.13.2 Update Released with Bug Fixes

macOS High Sierra 10.13.2

Apple has released macOS High Sierra 10.13.2 for the general public. The software update includes multiple bug fixes and is said to improve the stability, security, and compatibility of High Sierra, and is thus recommended for Mac users running High Sierra to update to.

Separately, MacOS Sierra and Mac OS X El Capitan users will find Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan available for their respective operating system releases. Those security updates are also recommended to install for Mac users running 10.12.6 and 10.11.6.

Specific issues mentioned in the release notes for MacOS High Sierra 10.13.2 include improvements for certain USB audio devices, VoiceOver Navigation for PDF files in Preview, and improving Braille displays with Mail app. Presumably the 10.13.2 final update also includes a permanent fix to the root login bug and networking bug that surfaced in prior versions of MacOS High Sierra.

How to Download and Update macOS High Sierra 10.13.2

Always back up a Mac before installing any system software update, the easiest way to do that is with Time Machine on a Mac.

  1. Pull down the  Apple menu and choose “App Store”
  2. Go to the “Updates” tab and choose to download and update “macOS 10.13.2 Update”

MacOS High Sierra 10.13.2 update

The High Sierra system software update is labeled with the update label “macOS 10.13.2 Update 10.13.2” in the Mac App Store.

Security Updates for macOS Sierra and Mac OS X El Capitan

Mac users running Sierra and El Capitan will instead find the “Security Update 2017-002 Sierra” and “Security Update 2017-005 El Capitan” available in the Updates section of the Mac App Store.

Though security updates are small, it’s still recommended to backup a Mac before installing them.

Security Update for macOS Sierra and El capitan

Mac users can also choose to download the macOS High Sierra Combo Update or regular update, as well as the individual security update packages, from here at Apple Support downloads. Using a Combo Update for updating Mac OS system software is easy but generally considered more advanced, and can be particularly beneficial for users installing the same update on multiple computers, or who are coming from an earlier version of the same system software release (i.e. 10.13.0 directly to 10.13.2).

MacOS High Sierra 10.13.2 Release Notes

Release notes accompanying the App Store download are brief, mentioning the following:

This update is recommended for all macOS High Sierra users.

The macOS High Sierra 10.13.2 Update improves the security, stability, and compatibility of your Mac, and is recommended for all users.

This update:

• Improves compatibility with certain third-party USB audio devices.

• Improves VoiceOver navigation when viewing PDF documents in Preview.

• Improves compatibility of Braille displays with Mail.

Enterprise content:

• Improves performance when using credentials stored in the keychain to access SharePoint websites that use NTLM authentication.

• Resolves an issue that prevented the Mac App Store and other processes invoked by Launch Daemons from working on networks that use proxy information defined in a PAC file.

• If you change your Active Directory user password outside of Users & Groups preferences, the new password can now be used to unlock your FileVault volume (previously, only the old password would unlock the volume).

• Improves compatibility with SMB home directories when the share point contains a dollar sign in its name.

Security Notes for macOS 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

Multiple security relates patches and bug fixes have also been included for the software updates, according to security notes from Apple:

macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

Released December 6, 2017

apache
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory
Description: Multiple issues were addressed by updating to version 2.4.28.
CVE-2017-9798

curl
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory
Description: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.
CVE-2017-1000254: Max Dymond

Directory Utility
Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier 
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13883: an anonymous researcher

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.
CVE-2017-13878: Ian Beer of Google Project Zero

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2017-13875: Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13844: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)

IOKit
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.
CVE-2017-13848: Alex Plaskett of MWR InfoSecurity
CVE-2017-13858: an anonymous researcher

IOKit
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: Multiple memory corruption issues were addressed through improved state management.
CVE-2017-13847: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13862: Apple

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2017-13833: Brandon Azad

Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13876: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13867: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero

Mail
Available for: macOS High Sierra 10.13.1
Impact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver’s S/MIME certificate is not installed
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-13871: an anonymous researcher

Mail Drafts
Available for: macOS High Sierra 10.13.1
Impact: An attacker with a privileged network position may be able to intercept mail
Description: An encryption issue existed with S/MIME credetials. The issue was addressed with additional checks and user control.
CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH

OpenSSL
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking.
CVE-2017-3735: found by OSS-Fuzz

Screen Sharing Server
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6
Impact: A user with screen sharing access may be able to access any file readable by root
Description: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.
CVE-2017-13826: Trevor Jacques of Toronto

Separately, Apple Watch and Apple TV users will find watchOS 4.2 and tvOS 11.2 available as updates, and iPhone and iPad users can download iOS 11.2.

Leave a Reply