
Dumb bug of the week: Apple's macOS reveals your encrypted drive's password in the hint box

High Sierra update derided by devs as half-baked

Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software.

Matheus Mariano, a developer with Brazil-based Leet Tech, documented the APFS flaw in a blog post a week ago, and it has since been reproduced by another programmer, Felix Schwartz.

The bug (CVE-2017-7149) undoes the protection afforded to encrypted volumes under the new Apple File System (APFS).

The problem becomes apparent when you create an encrypted APFS volume on a Mac with an SSD using Apple's Disk Utility app. After setting up a password hint, invoking the password hint mechanism during an attempt to remount the volume will display the actual password in plaintext rather than the hint.

Here's a video demonstrating the programming cockup:

[YouTube video embedded in the original article]

Apple acknowledged the flaw in its patch release notes: "If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints."
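As an added illustration, not Apple's code and making no claim about how Disk Utility stores hints internally, the toy model below captures the mix-up described above (the passphrase landing in the hint slot), a store-time check that refuses such hints, and the post-hoc "clear the hint if it is the password" cleanup Apple describes. The containment rule in `hint_leaks_passphrase` is an assumption, stricter than the fix Apple states.

```python
"""Toy model of the APFS passphrase-hint mix-up (CVE-2017-7149) and its fix.

Constructed illustration only: not Apple's code, and no claim is made about
how Disk Utility or diskutil actually store hints on disk.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CryptoUser:
    """One APFS 'crypto user': a passphrase plus an optional hint shown on unlock."""
    passphrase: str
    hint: Optional[str] = None


def create_volume_buggy(passphrase: str, hint: str) -> CryptoUser:
    """Models the flawed behaviour: when a hint is supplied, the passphrase
    itself ends up in the hint slot, so the unlock dialog reveals it."""
    return CryptoUser(passphrase=passphrase, hint=passphrase if hint else None)


def hint_leaks_passphrase(passphrase: str, hint: Optional[str]) -> bool:
    """Store-time policy (assumption, stricter than Apple's stated fix): a hint
    is unsafe if it equals or contains the passphrase, ignoring case/whitespace."""
    if not hint:
        return False
    p, h = passphrase.strip().lower(), hint.strip().lower()
    return p != "" and (h == p or p in h)


def create_volume_fixed(passphrase: str, hint: str) -> CryptoUser:
    """Stores the hint in the hint slot and refuses hints that leak the passphrase."""
    if hint_leaks_passphrase(passphrase, hint):
        raise ValueError("hint must not contain the passphrase")
    return CryptoUser(passphrase=passphrase, hint=hint or None)


def remediate(user: CryptoUser) -> bool:
    """Cleanup for already-created volumes, in the spirit of Apple's fix:
    clear the stored hint if it is the passphrase. Returns True if cleared."""
    if user.hint is not None and user.hint == user.passphrase:
        user.hint = None
        return True
    return False
```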

The Keychain flaw (CVE-2017-7150) was identified last week by Patrick Wardle, from infosec biz Synack. It allowed unsigned apps to access sensitive data stored in Keychain.

"It becomes clearer every day that Apple shipped #APFS way too early," wrote Schwartz in a tweet on Thursday.

Other coders have said as much. Shortly after Apple released the High Sierra upgrade, aka macOS 10.13, in late September, Brian Lopez, an engineering manager at GitHub, mused via Twitter, "Legitimately wondering if Apple accidentally shipped a pre-release version of High Sierra. So much of it is unfinished and unpolished."

Marco Arment, another developer, suggested Apple's focus on iOS has hurt its quality control elsewhere. "The biggest problem with Apple putting less effort into macOS isn't that it stagnates — it's that they make buggier, sloppier updates," he wrote via Twitter on Thursday.

Asked to comment, an Apple spokesperson directed The Register to its published security update notification and an accompanying knowledge base article. ®
