Apple has released a supplemental update to macOS High Sierra 10.13 to address a software vulnerability in Disk Utility tool that was revealing the passwords of encrypted Apple File System (APFS) volumes in plain text. It also addresses a vulnerability in Keychain security mechanism.
Matheus Mariano, a Brazil based software developer recently discovered and demonstrated a bug in Disk Utility tool that exposed the passwords of encrypted Apple File System volumes. After a user would unmount and remount a newly created encrypted APFS volume, the "Show Hint" button would reveal the password instead of password hint, Mariano explained.
The supplemental update to macOS High Sierra 10.13, which was released to public last month, addresses that bug. Additionally Apple also released a support document alongside the new software update to guide users how they could protect their data if the aforementioned vulnerability affected them.
In a separate support document, Apple said the supplemental update will also fix a vulnerability that could let a hacker bypass the Keychain's security mechanism using a third-party application to steal usernames and passwords. This vulnerability was first highlighted by ex-NSA analyst Partrick Wardle.
According to Apple, the update also fixes a cursor graphic bug in Adobe InDesign, and resolves an issue where messages couldn't be deleted from Yahoo accounts in Mail. The update also improves installer robustness.
macOS High Sierra, which Apple first unveiled at WWDC developer conference earlier this year, offers a modern file system APFS, Metal 2 graphics improvements, new capabilities in Safari, and improvements to company's own apps such as Notes, Mail and Photos. It's a free upgrade over macOS Sierra that Apple released last year.