MacOS High Sierra 10.13.2 Update Released with Bug Fixes

macOS High Sierra 10.13.2

Apple has released macOS High Sierra 10.13.2 for the general public. The software update includes multiple bug fixes and is said to improve the stability, security, and compatibility of High Sierra, and is thus recommended for Mac users running High Sierra to update to.

Separately, MacOS Sierra and Mac OS X El Capitan users will find Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan available for their respective operating system releases. Those security updates are also recommended to install for Mac users running 10.12.6 and 10.11.6.

Specific issues mentioned in the release notes for MacOS High Sierra 10.13.2 include improvements for certain USB audio devices, VoiceOver Navigation for PDF files in Preview, and improving Braille displays with Mail app. Presumably the 10.13.2 final update also includes a permanent fix to the root login bug and networking bug that surfaced in prior versions of MacOS High Sierra.

How to Download and Update macOS High Sierra 10.13.2

Always back up a Mac before installing any system software update, the easiest way to do that is with Time Machine on a Mac.

  1. Pull down the  Apple menu and choose “App Store”
  2. Go to the “Updates” tab and choose to download and update “macOS 10.13.2 Update”

MacOS High Sierra 10.13.2 update

The High Sierra system software update is labeled with the update label “macOS 10.13.2 Update 10.13.2” in the Mac App Store.

Security Updates for macOS Sierra and Mac OS X El Capitan

Mac users running Sierra and El Capitan will instead find the “Security Update 2017-002 Sierra” and “Security Update 2017-005 El Capitan” available in the Updates section of the Mac App Store.

Though security updates are small, it’s still recommended to backup a Mac before installing them.

Security Update for macOS Sierra and El capitan

Mac users can also choose to download the macOS High Sierra Combo Update or regular update, as well as the individual security update packages, from here at Apple Support downloads. Using a Combo Update for updating Mac OS system software is easy but generally considered more advanced, and can be particularly beneficial for users installing the same update on multiple computers, or who are coming from an earlier version of the same system software release (i.e. 10.13.0 directly to 10.13.2).

MacOS High Sierra 10.13.2 Release Notes

Release notes accompanying the App Store download are brief, mentioning the following:

This update is recommended for all macOS High Sierra users.

The macOS High Sierra 10.13.2 Update improves the security, stability, and compatibility of your Mac, and is recommended for all users.

This update:

• Improves compatibility with certain third-party USB audio devices.

• Improves VoiceOver navigation when viewing PDF documents in Preview.

• Improves compatibility of Braille displays with Mail.

Enterprise content:

• Improves performance when using credentials stored in the keychain to access SharePoint websites that use NTLM authentication.

• Resolves an issue that prevented the Mac App Store and other processes invoked by Launch Daemons from working on networks that use proxy information defined in a PAC file.

• If you change your Active Directory user password outside of Users & Groups preferences, the new password can now be used to unlock your FileVault volume (previously, only the old password would unlock the volume).

• Improves compatibility with SMB home directories when the share point contains a dollar sign in its name.

Security Notes for macOS 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

Multiple security relates patches and bug fixes have also been included for the software updates, according to security notes from Apple:

macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

Released December 6, 2017

apache
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory
Description: Multiple issues were addressed by updating to version 2.4.28.
CVE-2017-9798

curl
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory
Description: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.
CVE-2017-1000254: Max Dymond

Directory Utility
Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier 
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13883: an anonymous researcher

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.
CVE-2017-13878: Ian Beer of Google Project Zero

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2017-13875: Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13844: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)

IOKit
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.
CVE-2017-13848: Alex Plaskett of MWR InfoSecurity
CVE-2017-13858: an anonymous researcher

IOKit
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: Multiple memory corruption issues were addressed through improved state management.
CVE-2017-13847: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13862: Apple

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2017-13833: Brandon Azad

Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13876: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13867: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero

Mail
Available for: macOS High Sierra 10.13.1
Impact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver’s S/MIME certificate is not installed
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-13871: an anonymous researcher

Mail Drafts
Available for: macOS High Sierra 10.13.1
Impact: An attacker with a privileged network position may be able to intercept mail
Description: An encryption issue existed with S/MIME credetials. The issue was addressed with additional checks and user control.
CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH

OpenSSL
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking.
CVE-2017-3735: found by OSS-Fuzz

Screen Sharing Server
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6
Impact: A user with screen sharing access may be able to access any file readable by root
Description: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.
CVE-2017-13826: Trevor Jacques of Toronto

Separately, Apple Watch and Apple TV users will find watchOS 4.2 and tvOS 11.2 available as updates, and iPhone and iPad users can download iOS 11.2.

Apple High Sierra patch undone by macOS update

A critical patch for a vulnerability in Apple’s macOS High Sierra may not be properly applied if a user also updates the system software.

The vulnerability, which was made public on Nov. 28, could allow a malicious user to bypass authentication dialogs and even potentially acquire root system privileges. Apple released the High Sierra patch the following day, but users have reported the patch being undone depending on system updates that were applied.

According to many users on Twitter — and first reported by Wired — if the Apple system was running macOS 10.13.0 and not the newer 10.13.1 version, the High Sierra patch would be undone after the system update was applied. Additionally, reinstalling the High Sierra patch after the system update would require a reboot to properly apply the fix, but users were not getting the notification that a restart was necessary.

Apple has since updated its patch notes to include these issues: “If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly.”

MacLemon, a Mac sysadmin and independent security researcher, said the system update downgrading the High Sierra patch shouldn’t be surprising.

It’s part of Apple’s growing carelessness for the Mac in general.
MacLemonMac sysadmin and independent security researcher

“It’s mostly expected that an older update installed over a newer system downgrades components. The failure here is that Apple doesn’t show the Security Update 2017-001 again after reinstalling 10.13.1,” MacLemon told SearchSecurity via Twitter Direct Message. “It’s part of Apple’s growing carelessness for the Mac in general. Since they changed the development process to release on time instead of when done Mac OS X/OS X/macOS quality and stability has been in steady decline. Banana software shipped green that ripens at the customer.”

Because of the confusion surrounding the High Sierra patch and the macOS update, users may not know if the patch was applied properly and whether or not they are protected against the root password flaw, as Marc Rogers, head of SecOps for DefCon and head of infosec for Cloudflare, said on Twitter.

Experts suggested checking for software updates and ensuring systems have been rebooted.

Root passwords and the High Sierra patch

When the High Sierra root flaw was first announced, an early suggestion from experts was to create a password for the root user. However, MacLemon noted this could cause security issues as well.

Additionally, Adam Nichols, principal of software security at Grimm, said creating this password would not be a full fix anyway.

http://platform.twitter.com/widgets.js

MacOS High Sierra 17B1003 Fixes File Sharing Bug from Security Update 2017-001

MacOS High Sierra 10.13.1 Supplemental security update 2017-001

A second small supplemental software update has been released for MacOS High Sierra users who installed the prior release of Security Update 2017-001 for High Sierra, which fixed the root login bug but then caused a problem with file sharing.

The new small software update, which apparently resolves the file sharing issue along with the root login bug, changes the build of macOS High Sierra to 17B1003. The new update should download and arrive automatically to impacted Macs running macOS High Sierra 10.13.1.


If the update doesn’t install manually, then you get the update yourself as well by using the command line softwareupdate utility, or by visiting the Mac App Store “Updates” tab where you might see another version of “Security Update 2017-001” available to download.

You can also check the build number of Mac OS by using the “About This Mac” screen and clicking on the “Version” text, or by turning to the command line and issuing the following syntax:

sw_vers -buildVersion

If the build reported is “17B1002” then you have not yet installed the new updated version of the Security Update, which should fix the file sharing bug.

If the build reported is “17B1003” then the new fixed version has been installed already.

Assuming the version you see is 17B1002, then you can manually initiate the software update through the command line, either by choosing it specifically, or by installing all available software updates for that Mac.

You can then blanket install all available software updates with the -ia flag, or you can specify the specific Security Update update only.

softwarewareupdate -ia

softwareupdate -i "Security Update 2017-001"

A special thanks to @gregneagle on Twitter for pointing this out and confirming that 17B1003 patches the file sharing issue with macOS High Sierra.

Direct Download Links for macOS High Sierra Supplemental Security Update 2017-001

Though not necessary for most people, MacOS High Sierra users can also choose to download the patches directly from Apple and install them from DMG files, for either 10.13 or 10.13.1:

MacOS 10.13.1 supplemental update

As always, it’s a good idea to backup a Mac before installing any software update.

http://platform.twitter.com/widgets.js

Apple Shares Fix for File Sharing Issues Following macOS High Sierra Security Update

Apple this afternoon published a new support document that walks users through repairing their file sharing options on their Macs after installing the 2017-001 Security Update for macOS High Sierra 10.13.1, which was released this morning.



Shortly after the security fix was released and users began installing it, file sharing complaints began surfacing on the MacRumors forums. Affected users saw file sharing fail to authenticate across multiple Macs. From MacRumors reader joedec:

Immediately after installing this patch, file sharing fails to authenticate. I see this on multiple Macs. Hoping for some collaboration. […]

With the Finder open a file share to any Mac with the security update installed. Status shows “not connected”, when you try to “connect as” your username and password fail.

According to the document, macOS High Sierra users who cannot access file sharing after installing the security update will need to complete the following steps:

1. Open the Terminal app, which is in the Utilities folder of your Applications folder.

2. Type sudo /usr/libexec/configureLocalKDC and press Return.

3. Enter your administrator password and press Return.

4. Quit the Terminal app.

MacRumors readers who were having file sharing problems have tested Apple’s fix and have confirmed that it does indeed work to solve the problem.

Apple issued this morning’s security update to address a major vulnerability that enabled the root superuser on a Mac with a blank password and no security check.

The problem has been successfully fixed on machines running macOS High Sierra 10.13.1, the current release version of macOS High Sierra, but Apple has not yet addressed the vulnerability in macOS High Sierra 10.13.2, available to both developers and public beta testers.