CYBER NEWS

Apple Patch Remedies Critical High Sierra Vulnerability (CVE-2017-7149)

Mac OS X High Sierra image

Apple released an emergency update that fixed a critical bug affecting the High Sierra operating system, specifically in the APFS volume management system. . According to security reports and the company a bug allowed the passwords to be revealed via the password hint feature.

Emergency Patch Fixes Apple’s High Sierra Password Bug (CVE-2017-7149)

The bug is tracked in the CVE-2017-7149 security advisory and features a severe vulnerability in the way the new APFS file system is implemented. The problem is found on the way the password hint is handled. Once it is configured by the user the password itself is stored as a plain text string.

The discovery was made by Matheus Mariano, a security researcher while he was interacting with a new encrypted volume in a APFS container. He opted to create a password together with the hint. When the new container was mounted and the password prompt activated, the password was revealed in the hint field. During the investigation it has been revealed that the issue affects only Mac computers and laptops equipped with SSD drives.

Related Story: Apple Macs Compromised by Rudimentary Mugthesec Adware

The released patch solves another issue with Apple’s operating system as well. Recently High Sierra was impacted by a vulnerability that allowed plaintext passwords to be dumped from the keychain. It is suspected that the problem also exists in previous versions like El Capitan and Sierra. The security researchers state that the showcased problems present a low barrier to entry once an intrusion point is detected in target machines.

The Mac OS X keychain is one of the most important security components in the operating system and is directly responsible for the authentication process. It provides an encrypted container that holds the system user account credentials, as well as passwords and strings used for applications and online services. Recent versions contain the ability to store sensitive data as well including: payment card data, banking PIN’s and other credentials.

Related Story: Less Malware for Windows, More for MacOS and Linux (Report 2016)

The accompanying keychain access component is the password management software that handles the keychain components by automating the credentials input. The description that accompanies the CVE-2017-7149 security advisory reads the following:

If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints

It is recommended that all Mac OS X users apply the update immediately to protect themselves from abuse.

Avatar

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...