apple flaw

Apple issued a supplemental security update for macOS High Sierra 10.13 that patches two issues, one of them a keychain password flaw discovered last week.

The first vulnerability, CVE-2017-7149, is an issue in StorageKit that, if exploited, could allow a local attacker to gain access to an encrypted APFS file. The second, CVE-2017-7150, is a security issue in which a malicious application can extract keychain passwords.

Apple reported that if a user set a hint in Disk Utility when creating an APFS encrypted volume, the password was stored in the hint. The fix clears hint storage if the hint was the password.

The second vulnerability allowed applications to bypass the keychain access prompt with a synthetic click. It was fixed by requiring the user password when prompting for keychain access. This problem was identified several days ago by Patrick Wardle, chief security researcher at Synack and founder of Objective-See.