Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software.
Matheus Mariano, a developer with Brazil-based Leet Tech, documented the APFS flaw in a blog post a week ago, and it has since been reproduced by another programmer, Felix Schwartz.
The bug (CVE-2017-7149) undoes the protection afforded to encrypted volumes under the new Apple File System (APFS).
The problem becomes apparent when you create an encrypted APFS volume on a Mac with an SSD using Apple’s Disk Utility app. After setting up a password hint, invoking the password hint mechanism during an attempt to remount the volume will display the actual password in plaintext rather than the hint.

Here’s a video demonstrating the programming cockup:
Apple acknowledged the flaw in its patch release notes: “If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.”
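To make the failure mode and Apple's two-part remedy concrete, here is an added illustrative model in Python. It is not Apple's code and does not touch APFS or Disk Utility: the VolumeRecord structure, the function names and the sample volume are all assumptions. It shows the defective path (the hint slot ends up holding the password, so the remount prompt reveals it), the hardened path (refuse to store a hint that is the password), and the clean-up step the release note describes for volumes that were already created with the bad hint.

```python
"""Model of the APFS hint-storage defect and its fix (added example, not Apple's code).

Assumptions: VolumeRecord stands in for the on-disk metadata that holds the
hint; the `password` field stands in for the real key-wrapping secret.
"""
from dataclasses import dataclass
from typing import List, Optional
import hmac


@dataclass
class VolumeRecord:
    name: str
    password: str            # stands in for the volume's key-wrapping secret
    hint: Optional[str] = None


def hint_leaks_password(hint: Optional[str], password: str) -> bool:
    """True when the stored hint would reveal the password verbatim.
    compare_digest keeps the comparison constant-time."""
    if hint is None:
        return False
    return hmac.compare_digest(hint.encode(), password.encode())


def create_volume_buggy(name: str, password: str, hint: str) -> VolumeRecord:
    """Models the defect: the hint slot is filled from the password field,
    so the user's hint text is silently dropped and the password is stored."""
    return VolumeRecord(name=name, password=password, hint=password)


def create_volume_fixed(name: str, password: str, hint: str) -> VolumeRecord:
    """Hardened path: never persist a hint that is the password itself."""
    if hint_leaks_password(hint, password):
        # Storing no hint at all is safer than storing a plaintext secret.
        return VolumeRecord(name=name, password=password, hint=None)
    return VolumeRecord(name=name, password=password, hint=hint)


def remediate(volumes: List[VolumeRecord]) -> List[str]:
    """Models the clean-up for already-created volumes: clear hint storage
    wherever the hint equals the password. Returns the names of volumes touched."""
    cleared = []
    for v in volumes:
        if hint_leaks_password(v.hint, v.password):
            v.hint = None
            cleared.append(v.name)
    return cleared


def show_hint(v: VolumeRecord) -> str:
    """What the remount prompt would display when the user asks for the hint."""
    return v.hint if v.hint is not None else "(no hint set)"


if __name__ == "__main__":
    # Constructed sample volume; the password is a placeholder, not a real secret.
    bad = create_volume_buggy("Data", "placeholder-passphrase", "favourite fruit")
    print("buggy build shows:", show_hint(bad))      # leaks the password
    good = create_volume_fixed("Data", "placeholder-passphrase", "favourite fruit")
    print("fixed build shows:", show_hint(good))     # shows the hint
    print("remediated volumes:", remediate([bad, good]))
    print("buggy volume after remediation:", show_hint(bad))
```

The check in `hint_leaks_password` is the part a defender cares about: the same comparison serves both as a guard at creation time and as an audit over existing metadata, which is exactly the shape of the remedy Apple describes.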
The Keychain flaw (CVE-2017-7150) was identified last week by Patrick Wardle, from infosec biz Synack. It allowed unsigned apps to access sensitive data stored in Keychain.
“It becomes clearer every day that Apple shipped #APFS way too early,” wrote Schwartz in a tweet on Thursday.
Other coders have said as much. Shortly after Apple released the High Sierra upgrade, aka macOS 10.13, in late September, Brian Lopez, an engineering manager at GitHub, mused via Twitter, “Legitimately wondering if Apple accidentally shipped a pre-release version of High Sierra. So much of it is unfinished and unpolished.”
Marco Arment, another developer, suggested Apple’s focus on iOS has hurt its quality control elsewhere. “The biggest problem with Apple putting less effort into macOS isn’t that it stagnates — it’s that they make buggier, sloppier updates,” he wrote via Twitter on Thursday.
Asked to comment, an Apple spokesperson directed The Register to its published security update notification and an accompanying knowledge base article. ®