Apple has released a fix for its two-week-old macOS High Sierra operating system that could have allowed anyone to gain access to encrypted hard disk volumes.
The issue meant that when a user requested a password hint for certain encrypted volumes the operating system instead displayed the entire password.
The issue was caused by a problem with macOS’ Disk Utility that meant that if a password hint was set when creating an APFS encrypted volume, the utility mistakenly stored the password as the hint, Apple said.
The macOS High Sierra 10.13 Supplemental Update, published only days after the operating system version’s initial release on 25 September, fixes the issue by clearing passwords that were stored as hints and addressing the logic issue that caused the problem, according to Apple.
Only APFS encrypted volumes created using Disk Utility are affected.
But changing the passwords of affected volumes isn’t enough, according to Apple.
“Changing the password on an affected volume clears the hint but doesn’t affect the underlying encryption keys that protect the data,” it said in a support document.
As a result the company advised users to back up the data on affected volumes, then erase and restore them. It provided instructions for doing so in the support document.
In addition to applying the update and restoring the exposed volumes Apple said if the exposed passwords were used on other services they should be changed on those sites.
The issue was reported to Apple by Brazilian developer Matheus Mariano, who produced an online video demonstrating how easy it was to exploit the flaw.
“I do not recommend you to update (to macOS High Sierra) before Apple solves this problem,” Mariano wrote.
Security researcher Graham Cluley praised Apple for producing its patch quickly, but said the problem raised questions about Apple’s security processes.
“Its responsiveness in addressing this issue should be applauded,” Cluley wrote in a research note. “However, that doesn’t change the fact that such a serious bug like this really should have been intercepted during its quality control process, rather than allowed to ship to millions of computers around the world.”
The update also addressed a flaw that could have allowed attackers to bypass the prompt macOS requires users to click on to gain access to stored passwords.
Do you know all about security in 2017? Try our quiz!
Legal headache deepens for TikTok in US, after a number of states file lawsuits alleging…
After HBO documentary names Canadian crypto expert Peter Todd as Bitcoin inventor – but he…
Supreme Court clears X to resume access in Brazil, after high profile clash between top…
US Department of Justice mulls asking judge to force Google to sell parts of its…
US Supreme Court declines to hear appeal from X, formerly Twitter, over nondisclosure order attached…
US federal judge orders Google to undertake wide range of measures allowing third-party app stores…