MacOS High Sierra 10.13.2 Update Released with Bug Fixes

macOS High Sierra 10.13.2

Apple has released macOS High Sierra 10.13.2 for the general public. The software update includes multiple bug fixes and is said to improve the stability, security, and compatibility of High Sierra, and is thus recommended for Mac users running High Sierra to update to.

Separately, MacOS Sierra and Mac OS X El Capitan users will find Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan available for their respective operating system releases. Those security updates are also recommended to install for Mac users running 10.12.6 and 10.11.6.

Specific issues mentioned in the release notes for MacOS High Sierra 10.13.2 include improvements for certain USB audio devices, VoiceOver Navigation for PDF files in Preview, and improving Braille displays with Mail app. Presumably the 10.13.2 final update also includes a permanent fix to the root login bug and networking bug that surfaced in prior versions of MacOS High Sierra.

How to Download and Update macOS High Sierra 10.13.2

Always back up a Mac before installing any system software update, the easiest way to do that is with Time Machine on a Mac.

  1. Pull down the  Apple menu and choose “App Store”
  2. Go to the “Updates” tab and choose to download and update “macOS 10.13.2 Update”

MacOS High Sierra 10.13.2 update

The High Sierra system software update is labeled with the update label “macOS 10.13.2 Update 10.13.2” in the Mac App Store.

Security Updates for macOS Sierra and Mac OS X El Capitan

Mac users running Sierra and El Capitan will instead find the “Security Update 2017-002 Sierra” and “Security Update 2017-005 El Capitan” available in the Updates section of the Mac App Store.

Though security updates are small, it’s still recommended to backup a Mac before installing them.

Security Update for macOS Sierra and El capitan

Mac users can also choose to download the macOS High Sierra Combo Update or regular update, as well as the individual security update packages, from here at Apple Support downloads. Using a Combo Update for updating Mac OS system software is easy but generally considered more advanced, and can be particularly beneficial for users installing the same update on multiple computers, or who are coming from an earlier version of the same system software release (i.e. 10.13.0 directly to 10.13.2).

MacOS High Sierra 10.13.2 Release Notes

Release notes accompanying the App Store download are brief, mentioning the following:

This update is recommended for all macOS High Sierra users.

The macOS High Sierra 10.13.2 Update improves the security, stability, and compatibility of your Mac, and is recommended for all users.

This update:

• Improves compatibility with certain third-party USB audio devices.

• Improves VoiceOver navigation when viewing PDF documents in Preview.

• Improves compatibility of Braille displays with Mail.

Enterprise content:

• Improves performance when using credentials stored in the keychain to access SharePoint websites that use NTLM authentication.

• Resolves an issue that prevented the Mac App Store and other processes invoked by Launch Daemons from working on networks that use proxy information defined in a PAC file.

• If you change your Active Directory user password outside of Users & Groups preferences, the new password can now be used to unlock your FileVault volume (previously, only the old password would unlock the volume).

• Improves compatibility with SMB home directories when the share point contains a dollar sign in its name.

Security Notes for macOS 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

Multiple security relates patches and bug fixes have also been included for the software updates, according to security notes from Apple:

macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

Released December 6, 2017

apache
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory
Description: Multiple issues were addressed by updating to version 2.4.28.
CVE-2017-9798

curl
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: Malicious FTP servers may be able to cause the client to read out-of-bounds memory
Description: An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking.
CVE-2017-1000254: Max Dymond

Directory Utility
Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier 
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13883: an anonymous researcher

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation.
CVE-2017-13878: Ian Beer of Google Project Zero

Intel Graphics Driver
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: An out-of-bounds read was addressed through improved bounds checking.
CVE-2017-13875: Ian Beer of Google Project Zero

IOAcceleratorFamily
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13844: found by IMF developed by HyungSeok Han (daramg.gift) of SoftSec, KAIST (softsec.kaist.ac.kr)

IOKit
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with system privileges
Description: An input validation issue existed in the kernel. This issue was addressed through improved input validation.
CVE-2017-13848: Alex Plaskett of MWR InfoSecurity
CVE-2017-13858: an anonymous researcher

IOKit
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with system privileges
Description: Multiple memory corruption issues were addressed through improved state management.
CVE-2017-13847: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13862: Apple

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2017-13833: Brandon Azad

Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13876: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A type confusion issue was addressed with improved memory handling.
CVE-2017-13855: Jann Horn of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13867: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13865: Ian Beer of Google Project Zero

Kernel
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2017-13868: Brandon Azad
CVE-2017-13869: Jann Horn of Google Project Zero

Mail
Available for: macOS High Sierra 10.13.1
Impact: A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver’s S/MIME certificate is not installed
Description: An inconsistent user interface issue was addressed with improved state management.
CVE-2017-13871: an anonymous researcher

Mail Drafts
Available for: macOS High Sierra 10.13.1
Impact: An attacker with a privileged network position may be able to intercept mail
Description: An encryption issue existed with S/MIME credetials. The issue was addressed with additional checks and user control.
CVE-2017-13860: Michael Weishaar of INNEO Solutions GmbH

OpenSSL
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking.
CVE-2017-3735: found by OSS-Fuzz

Screen Sharing Server
Available for: macOS High Sierra 10.13.1, macOS Sierra 10.12.6
Impact: A user with screen sharing access may be able to access any file readable by root
Description: A permissions issue existed in the handling of screen sharing sessions. This issue was addressed with improved permissions handling.
CVE-2017-13826: Trevor Jacques of Toronto

Separately, Apple Watch and Apple TV users will find watchOS 4.2 and tvOS 11.2 available as updates, and iPhone and iPad users can download iOS 11.2.

Apple High Sierra patch undone by macOS update

A critical patch for a vulnerability in Apple’s macOS High Sierra may not be properly applied if a user also updates the system software.

The vulnerability, which was made public on Nov. 28, could allow a malicious user to bypass authentication dialogs and even potentially acquire root system privileges. Apple released the High Sierra patch the following day, but users have reported the patch being undone depending on system updates that were applied.

According to many users on Twitter — and first reported by Wired — if the Apple system was running macOS 10.13.0 and not the newer 10.13.1 version, the High Sierra patch would be undone after the system update was applied. Additionally, reinstalling the High Sierra patch after the system update would require a reboot to properly apply the fix, but users were not getting the notification that a restart was necessary.

Apple has since updated its patch notes to include these issues: “If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly.”

MacLemon, a Mac sysadmin and independent security researcher, said the system update downgrading the High Sierra patch shouldn’t be surprising.

It’s part of Apple’s growing carelessness for the Mac in general.
MacLemonMac sysadmin and independent security researcher

“It’s mostly expected that an older update installed over a newer system downgrades components. The failure here is that Apple doesn’t show the Security Update 2017-001 again after reinstalling 10.13.1,” MacLemon told SearchSecurity via Twitter Direct Message. “It’s part of Apple’s growing carelessness for the Mac in general. Since they changed the development process to release on time instead of when done Mac OS X/OS X/macOS quality and stability has been in steady decline. Banana software shipped green that ripens at the customer.”

Because of the confusion surrounding the High Sierra patch and the macOS update, users may not know if the patch was applied properly and whether or not they are protected against the root password flaw, as Marc Rogers, head of SecOps for DefCon and head of infosec for Cloudflare, said on Twitter.

Experts suggested checking for software updates and ensuring systems have been rebooted.

Root passwords and the High Sierra patch

When the High Sierra root flaw was first announced, an early suggestion from experts was to create a password for the root user. However, MacLemon noted this could cause security issues as well.

Additionally, Adam Nichols, principal of software security at Grimm, said creating this password would not be a full fix anyway.

http://platform.twitter.com/widgets.js

Apple Was Quick to Fix macOS “Root” Issue

Apple has long been heralded as the champion of user security and product reliability, but this year has proved that the company may no longer be a leader of all things secure and reliable. From conforming to Chinese government’s demands to ban VPN apps to coming up with off-ish settings to releasing High Sierra with security bugs that enabled hackers to steal keychain contents to introducing buggy software to go along with its shiny new iPhone X – the reports this year have continued to show that quality assurance is no longer the same at the Cupertino HQ.

Last week, a security researcher revealed a massive security hole in Apple’s macOS High Sierra that allowed attackers to bypass login prompts by simply typing “root” as a username with no password. Apple was applauded by many for releasing a patch just 18 hours after the initial report went live on Twitter. However, subsequent reports revealed that the company actually knew about this flaw for over 2 weeks. However long it may have taken Apple to fix the security flaw, it appeared over the weekend that the patch actually wasn’t properly implemented and put a certain segment of users at risk.

Correct way to install Apple’s latest macOS security patch

Reports reveal that several Mac users who weren’t on the latest version of High Sierra – macOS 10.13.1 – but were on 10.13.0 and installed this security patch without first upgrading to the latest OS version, have spotted seeing this “root” issue reappearing when they install the latest macOS update. Apple had apparently assumed that Mac users would first upgrade to the new version before applying this security patch.

However, in all the social media outcry over this security issue, it makes sense that many were eager to install this security update before they could upgrade to the latest macOS version. In addition to this, Wired reports that at least two Mac users have confirmed that the root problem persists even if they go ahead to reinstall this security patch until they reboot their computer – something that Apple didn’t say was necessary. Here’s the correct order of upgrading and rebooting to fix the “root” problems.

Install macOS 10.13.1 > Install Security Patch > Reboot Mac

“I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad,” Thomas Reed of MalwareBytes told Wired. “Anyone who hasn’t yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue.” Apple has now updated its security page to clearly convey these requirements. The support page reads:

If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly.

This isn’t the first issue that the security patch brought as the initial version broke some file sharing functions on High Sierra. And security issues aren’t the only software problems that the company seems to be facing. After a frustrating keyboard bug that corrected “i” to “a” and a question mark, the company had to deal with a massive iPhone crashing disaster over the weekend. Apple had to deliver iOS 11.2 to fix this date bug, but the update while fixing the bug also broke Face ID for some users.

These two incidents are just the latest in a continued stream of software related issues coming from Apple. This new sloppy attitude that enables buggy iOS updates to get through the QA process, iPhones to start crashing on a certain date, and then patches that are unable to properly fix the problems and bring more issues with them – is not something that is typically associated with the iPhone maker. Which begs the question, what exactly is up with Apple?



Submit

iOS crashes and MacOS flaws? Here’s what to do

Apple logo

It’s been a rough week for some of Apple’s popular devices.


James Martin/CNET

If your iPhone began misbehaving Saturday, or if you’ve been worried about that “root” password vulnerability on the Mac, read on — here’s what you can do to get your devices running smoothly and safely.

A date-related flaw in iOS involving apps that send frequent reminders was reportedly causing iPhones and iPads to keep crashing as of the wee hours of Dec. 2. Apple, however, has a fix.

The company said in a support post that what you need to do if you’re affected by this bug is turn off notifications for all the apps on your gadget and then update your device to iOS 11.2. After you update, you can go in and turn notifications back on.

Apple released iOS 11.2 on Saturday. In addition to the bug fix and various other tweaks, the update introduces Apple Pay Cash in the US, which allows for quick person-to-person money transfers. The update also brings faster wireless charging to the iPhone 8, iPhone 8 Plus and iPhone X.

As for the “root” flaw on the Mac, that vulnerability surfaced Tuesday, and it meant strangers didn’t need a password to log in to your locked Apple device running on MacOS High Sierra — all they needed to do was type in the username “root” and leave the password field blank. Not exactly a secure setup.

Apple pushed out a fix the next day. But on Friday, Wired reported problems for Mac users who had downloaded the fix but hadn’t yet updated their computer from MacOS 10.13.0 to the most recent version of the operating system, 10.13.1. If those users went ahead and updated to 10.13.1, the “root” issue reappeared. And in some cases for those users, reinstalling the “root” fix after updating the OS did not fix the issue.

Again, though, there appears to be a simple fix. The specialists Wired spoke with said that updating to 10.13.1, then installing the “root” fix and then rebooting your Mac should take care of the issue. Seems like a bit of a no-brainer, right? Remember, though, that some folks don’t restart their machines all the time. If you’re one of those people, take heed.

Apple didn’t respond to a request for comment.

Does the Mac still matter? Apple execs explain why the MacBook Pro was over four years in the making, and why we should care.

Special Reports: CNET’s in-depth features in one place.

MacOS High Sierra 17B1003 Fixes File Sharing Bug from Security Update 2017-001

MacOS High Sierra 10.13.1 Supplemental security update 2017-001

A second small supplemental software update has been released for MacOS High Sierra users who installed the prior release of Security Update 2017-001 for High Sierra, which fixed the root login bug but then caused a problem with file sharing.

The new small software update, which apparently resolves the file sharing issue along with the root login bug, changes the build of macOS High Sierra to 17B1003. The new update should download and arrive automatically to impacted Macs running macOS High Sierra 10.13.1.


If the update doesn’t install manually, then you get the update yourself as well by using the command line softwareupdate utility, or by visiting the Mac App Store “Updates” tab where you might see another version of “Security Update 2017-001” available to download.

You can also check the build number of Mac OS by using the “About This Mac” screen and clicking on the “Version” text, or by turning to the command line and issuing the following syntax:

sw_vers -buildVersion

If the build reported is “17B1002” then you have not yet installed the new updated version of the Security Update, which should fix the file sharing bug.

If the build reported is “17B1003” then the new fixed version has been installed already.

Assuming the version you see is 17B1002, then you can manually initiate the software update through the command line, either by choosing it specifically, or by installing all available software updates for that Mac.

You can then blanket install all available software updates with the -ia flag, or you can specify the specific Security Update update only.

softwarewareupdate -ia

softwareupdate -i "Security Update 2017-001"

A special thanks to @gregneagle on Twitter for pointing this out and confirming that 17B1003 patches the file sharing issue with macOS High Sierra.

Direct Download Links for macOS High Sierra Supplemental Security Update 2017-001

Though not necessary for most people, MacOS High Sierra users can also choose to download the patches directly from Apple and install them from DMG files, for either 10.13 or 10.13.1:

MacOS 10.13.1 supplemental update

As always, it’s a good idea to backup a Mac before installing any software update.

http://platform.twitter.com/widgets.js