The vulnerability in the Apple File System (APFS), tracked as CVE-2017-7149, could be exploited by a local attacker to gain access to an encrypted APFS volume.
“If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.” reads the description provided by Apple on its support website.
In practice: when a user creates an encrypted APFS volume on a Mac with an SSD using Apple’s Disk Utility app and sets a password hint, clicking the “Show Hint” button while remounting (unlocking) the volume displays the current password itself in plaintext instead of the hint. Anyone with physical access to the locked machine can therefore read the volume password from the unlock dialog, with no need to guess or crack anything.
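The following is an added illustration, not Apple’s code and not part of the original post. It models hint storage for an encrypted volume in a few dozen lines of Python: `create_volume_buggy` writes the passphrase into the hint slot, as Apple’s description of CVE-2017-7149 says Disk Utility did; `scrub_hint` is the remediation Apple describes (clear the stored hint if it equals the passphrase); and `create_volume` applies a stricter policy of my own, rejecting hints that equal or contain the passphrase, which goes slightly beyond what Apple’s advisory states. Names such as `EncryptedVolume`, `validate_hint` and the PBKDF2 parameters are assumptions for the example, not APFS internals.

```python
"""Toy model of encrypted-volume hint storage (added example, not Apple's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class EncryptedVolume:
    """Assumed structure: only a salted passphrase hash and the plaintext hint are kept."""
    name: str
    salt: bytes
    passphrase_hash: bytes
    hint: Optional[str] = None  # shown in plaintext at unlock time, so must never reveal the passphrase


def _hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are arbitrary for this example; APFS uses its own key derivation.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000)


def create_volume_buggy(name: str, passphrase: str, hint: Optional[str]) -> EncryptedVolume:
    """Models the defect: the hint slot is filled with the passphrase, not the hint the user typed."""
    salt = os.urandom(16)
    return EncryptedVolume(name, salt, _hash_passphrase(passphrase, salt), hint=passphrase)


class HintRejected(ValueError):
    """Raised when a hint would leak the passphrase."""


def validate_hint(passphrase: str, hint: Optional[str]) -> Optional[str]:
    """Return a safe hint or None; reject hints that equal or contain the passphrase (stricter than Apple's fix)."""
    if hint is None or hint.strip() == "":
        return None
    p, h = passphrase.casefold(), hint.casefold()
    if h == p:
        raise HintRejected("hint equals the passphrase")
    if len(p) >= 4 and p in h:
        raise HintRejected("hint contains the passphrase")
    return hint


def create_volume(name: str, passphrase: str, hint: Optional[str]) -> EncryptedVolume:
    """Hardened creation path: the hint is validated before it is stored."""
    salt = os.urandom(16)
    return EncryptedVolume(name, salt, _hash_passphrase(passphrase, salt),
                           hint=validate_hint(passphrase, hint))


def unlock(volume: EncryptedVolume, passphrase: str) -> bool:
    """Constant-time check of the supplied passphrase against the stored hash."""
    return hmac.compare_digest(volume.passphrase_hash, _hash_passphrase(passphrase, volume.salt))


def scrub_hint(volume: EncryptedVolume, passphrase: str) -> bool:
    """Remediation modelled on Apple's description: clear the hint if it is the passphrase.

    Returns True if a leaking hint was removed. Run at unlock time, when the
    passphrase is available for comparison.
    """
    if volume.hint is not None and volume.hint == passphrase:
        volume.hint = None
        return True
    return False


if __name__ == "__main__":
    vol = create_volume_buggy("Data", "correct horse battery", "the xkcd one")
    print("buggy volume exposes:", vol.hint)        # the passphrase, not the hint
    scrub_hint(vol, "correct horse battery")
    print("after scrub:", vol.hint)                  # None
    good = create_volume("Data", "correct horse battery", "the xkcd one")
    print("hardened volume hint:", good.hint)        # the real hint
```

Note that `scrub_hint` can only run once the passphrase is presented, which is why a fix of this shape cannot retroactively protect a volume whose hint has already been read from the unlock dialog; the user should change the passphrase as well.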
(A video demonstrating the bug is embedded in the original post.)
Another flaw fixed by Apple in the same update, tracked as CVE-2017-7150, affects the Keychain and was reported by the well-known researcher Patrick Wardle. Wardle showed that an unsigned application running as the logged-in user can extract macOS Keychain passwords in plaintext, without prompting the user for the Keychain password, on macOS High Sierra as well as on earlier versions of macOS.
Many developers questioned the quality of macOS High Sierra 10.13, released at the end of September. One developer wrote:
“Legitimately wondering if Apple accidentally shipped a pre-release version of High Sierra. So much of it is unfinished and unpolished.”
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.