ESB-2017.2521 - [Mac] Apple StorageKit and Apple Security: Multiple vulnerabilities 2017-10-06


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2521
     APPLE-SA-2017-10-05-1 macOS High Sierra 10.13 Supplemental Update
                              6 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple StorageKit
                   Apple Security
Publisher:         Apple
Operating System:  Mac OS High Sierra 10.13
Impact/Access:     Access Privileged Data -- Remote with User Interaction
                   Unauthorised Access    -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7150 CVE-2017-7149 

Original Bulletin: 
   https://support.apple.com/kb/HT201222

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2017-10-05-1 macOS High Sierra 10.13 Supplemental Update

macOS High Sierra 10.13 Supplemental Update is now available
and addresses the following:

StorageKit
Available for: macOS High Sierra 10.13
Impact: A local attacker may gain access to an encrypted APFS volume
Description: If a hint was set in Disk Utility when creating an APFS
encrypted volume, the password was stored as the hint. This was 
addressed by clearing hint storage if the hint was the password, and 
by improving the logic for storing hints.
CVE-2017-7149: Matheus Mariano of Leet Tech

Security
Available for: macOS High Sierra 10.13
Impact: A malicious application can extract keychain passwords
Description: A method existed for applications to bypass the
keychain access prompt with a synthetic click. This was addressed by
requiring the user password when prompting for keychain access.
CVE-2017-7150: Patrick Wardle of Synack

New downloads of macOS High Sierra 10.13 include the security
content of the macOS High Sierra 10.13 Supplemental Update.

Installation note:

macOS High Sierra 10.13 Supplemental Update may be obtained from the
Mac App Store or Apple's Software Downloads web site:
https://www.apple.com/support/downloads/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
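The bulletin gives two things an administrator has to act on: confirm that a 10.13 machine actually carries the Supplemental Update (a fresh download made after 2017-10-05 already includes it and will not show the update in install history), and find the encrypted APFS volumes whose hint may have been set to the passphrase on an unpatched system (CVE-2017-7149), since patching clears the stored hint but does not undo any exposure that already happened. The script below is an added triage example for this bulletin; it is not Apple's or AusCERT's tooling. It assumes that the original 10.13 release is build 17A365 and the Supplemental Update is build 17A405 (neither build number appears in the bulletin; check them against Apple's release notes), and that `diskutil apfs list` reports per-volume encryption on a line reading `Encrypted: Yes (...)` or `FileVault: Yes (...)`. The `diskutil` and `system_profiler` samples embedded in it are constructed so the functions can be exercised off a Mac.

```shell
#!/bin/sh
# Triage helper for APPLE-SA-2017-10-05-1 (CVE-2017-7149 / CVE-2017-7150).
# Added example for this bulletin; not Apple's or AusCERT's tooling.
#
# Assumptions not stated in the bulletin:
#   * 10.13 original release = build 17A365, Supplemental Update = 17A405.
#     Verify against Apple's release notes before relying on this.
#   * `diskutil apfs list` marks an encrypted volume with a line of the form
#     "Encrypted: Yes (...)" (data volumes) or "FileVault: Yes (...)" (boot).

FIXED_BUILD="17A405"   # assumed build of the Supplemental Update

# is_affected PRODUCT_VERSION BUILD
#   0 = affected (10.13 with a build older than the fixed one)
#   1 = not affected (fixed build, or a release the bulletin does not list)
#   2 = cannot tell (unexpected build string)
is_affected() {
  product="$1"
  build="$2"
  [ "$product" = "10.13" ] || return 1
  case "$build" in
    17A*) ;;
    *) return 2 ;;
  esac
  num="${build#17A}"
  fixed="${FIXED_BUILD#17A}"
  case "$num" in
    ''|*[!0-9]*) return 2 ;;
  esac
  [ "$num" -lt "$fixed" ]
}

# has_supplemental_update < text of `system_profiler SPInstallHistoryDataType`
#   Succeeds if the update named in the bulletin is in the install history.
#   A miss is not proof of exposure: new 10.13 downloads after 2017-10-05
#   include the fix without this entry, so fall back to the build check.
has_supplemental_update() {
  grep -q "macOS High Sierra 10.13 Supplemental Update"
}

# encrypted_volumes < text of `diskutil apfs list`
#   Prints the device node of every encrypted APFS volume. Any of these that
#   was created with a hint in Disk Utility on unpatched 10.13 may have had
#   its passphrase stored as the hint; rotate that passphrase after patching.
encrypted_volumes() {
  awk '
    /APFS Volume Disk \(Role\):/ {
      sub(/.*\(Role\):[ \t]*/, "")      # keep "diskXsY (role)" only
      vol = $1
    }
    /(Encrypted|FileVault):[ \t]+Yes/ && vol != "" && vol != last {
      print vol
      last = vol
    }
  '
}

# Constructed sample of `diskutil apfs list` output: three volumes, two of
# them encrypted. Real output carries more fields per volume.
SAMPLE_DISKUTIL='+-- Container disk1
    APFS Container Reference:     disk1
    |
    +-> Volume disk1s1
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   FileVault:                 Yes (Unlocked)
    |
    +-> Volume disk1s4
        APFS Volume Disk (Role):   disk1s4 (Recovery)
        Name:                      Recovery (Case-insensitive)
        Encrypted:                 No
+-- Container disk2
    APFS Container Reference:     disk2
    |
    +-> Volume disk2s1
        APFS Volume Disk (Role):   disk2s1 (No specific role)
        Name:                      Archive (Case-insensitive)
        Encrypted:                 Yes (Locked)'

# Constructed sample of install-history output containing the update.
SAMPLE_HISTORY='Install History:

    macOS High Sierra 10.13 Supplemental Update:

      Source: Apple
      Install Date: 06/10/2017, 09:12'

# On a Mac, triage the live system; elsewhere, run against the samples.
if [ "$(uname)" = "Darwin" ]; then
  product="$(sw_vers -productVersion)"
  build="$(sw_vers -buildVersion)"
  history="$(system_profiler SPInstallHistoryDataType 2>/dev/null)"
  apfs="$(diskutil apfs list 2>/dev/null)"
else
  product="10.13"; build="17A365"
  history="$SAMPLE_HISTORY"; apfs="$SAMPLE_DISKUTIL"
fi

rc=0
is_affected "$product" "$build" || rc=$?
case "$rc" in
  0) echo "AFFECTED: macOS $product ($build) predates the fixed build" ;;
  1) echo "not affected: macOS $product ($build)" ;;
  *) echo "unknown build $build: check manually" ;;
esac
if printf '%s\n' "$history" | has_supplemental_update; then
  echo "install history: Supplemental Update present"
else
  echo "install history: Supplemental Update not listed (not conclusive, see build check)"
fi
echo "encrypted APFS volumes (rotate passphrase if created with a hint on unpatched 10.13):"
printf '%s\n' "$apfs" | encrypted_volumes | sed 's/^/  /'
```

Run it as root on each 10.13 host (`diskutil apfs list` needs no privilege, `system_profiler` is faster with it). The volume list is the part that matters after patching: the fix clears a hint that equals the passphrase, but a hint that was readable while the system was unpatched should be treated as a disclosed passphrase, and CVE-2017-7150 means any keychain item exposed to a synthetic-click bypass before the update should likewise be rotated.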

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
