Apple released macOS High Sierra 10.13 Supplemental Update on Thursday. The update fixes two important security flaws, one of which was just recently publicized. It also addresses three relatively minor bugs in macOS High Sierra.
Apple’s patch notes for macOS High Sierra 10.13 Supplemental Update
This supplemental update includes improvements to the the stability, reliability and security of your Mac, and is recommended for all macOS High Sierra users. This update:
- Improves installer robustness
- Fixes a cursor graphic bug when using Adobe InDesign
- Resolves an issue where email messages couldn’t be deleted from Yahoo accounts in Mail
Security patch notes for macOS High Sierra 10.13 Supplemental Update
StorageKit
Available for: macOS High Sierra 10.13
Impact: A local attacker may gain access to an encrypted APFS volume
Description: If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.
CVE-2017-7149: Matheus Mariano of Leet TechSecurity
Available for: macOS High Sierra 10.13
Impact: A malicious application can extract keychain passwords
Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.
CVE-2017-7150:Patrick Wardle of SynackNew downloads of macOS High Sierra 10.13 include the security content of the macOS High Sierra 10.13 Supplemental Update.
The update is a 923.4MB download at the link above for the standalone installer. As of this writing, I’m not seeing the update in Software Update, but it will likely appear later in the day.
Bryan:
I Agree with John K that this was a serious update, at least on my 2012 MBP Retina core i7.
One observation: never attempt a software update if your system has not completed hard disk encryption. This was an unintended complication. I had assumed that my hard drive had completed encrypting after doing the original High Sierra instal (actually I had forgot about it because it had started more than 24 hours before and I forgot how long these can take), went for the update and got a notice that the installation of the update could not be completed until after the disk completed encryption. The fun part was that I could not quit the installer and get back to my user account. The merriment swelled into chuckles when I estimated that based on the rate of progress, my disk would not finish encrypting for another two days, so I was confined to working only in Safe Mode if I wanted to use my laptop. So much fun, I’m sure that all my revels were now envied.
Once this was completed, I could not simply restart and continue the update, but had to go into Recovery Mode to reinstall the update, but all went well, if not slowly, thereafter.
This is another reason why I’m never without my iPad Pro – for me a staple productivity tool, especially now with iOS 11.
This ‘update’ was a more intense install than 10.13 itself for me on my 2010 and 2016 machines. Seems fine, but man that was a serious update.