Apple’s latest updates are out – APFS password leakage bug squashed

Apple delivered its latest batch of security updates for iOS and macOS this week.

On iDevices, the update was a full-on point release, bumping the iOS version from 11.3 to 11.3.1 and making it easy to check whether you’ve installed the update correctly: just go to Settings > General > Software Update and see what version number you’re currently on.

For Mac users, the patch is dubbed simply Security Update 2018-001, so your macOS version stays at 10.13.4 after you’ve installed it.

Safari was patched so it describes itself with the version string 11.1 (13605. after this update.

Note that if you’re still on El Capitan or Sierra (OS X 10.11.6 and macOS 10.12.6 respectively), where there isn’t a 2018-001 update, you’ll need to patch Safari separately; you’ll see version strings of 11605. or 12605. after updating.

Just two critical vulnerabilities were patched this time, both of them in the WebKit web rendering code in iOS and macOS.

These were remote code execution (RCE) bugs that could be triggered by web content, meaning that a crook could, in theory, feed you a booby-trapped web page from anywhere on the internet and thereby silently implant malware on your Mac or iPhone.

Both these bugs were responsibly disclosed by legitimate security researchers, so there is no reason to think that any cybercriminals had access to working exploits before the patches came out.

One software fix that we didn’t see mentioned in Apple’s official security advisory emails is an apparent patch for the APFS password bug that we wrote about recently.

If you remember that one, it involved your disk encryption password being written in plaintext to the system log.

When you initialised a brand new encrypted APFS disk, for example when setting up a new USB drive for use with High Sierra, macOS wrote the details to the system log, but carefully omitted the password from the log data.

(Generally speaking, personally identifiable data should never be written out to log files, and passwords should never be written out anywhere at all.)

But if you reformatted an existing APFS disk, macOS followed a slightly different code path in which the command used to encrypt the reformatted volume was logged, recklessly including the password plaintext.
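The two code paths the article contrasts, as an added Python example that is not from the article or from Apple: a command-line logger that redacts the value after a passphrase flag, beside the unsafe variant that logs the raw command, plus a small audit over constructed log lines. The `diskutil ... -passphrase` command shape, the flag set and the log lines are assumptions made for illustration, not the real log format.

```python
"""Safe vs. unsafe logging of a volume-encryption command, and an audit that
flags log lines where a passphrase value reached the log in clear.
The command shape, flag names and log lines are constructed for this example."""
import re
from typing import List

# Assumed: flags whose following argument is a secret and must never be logged.
SENSITIVE_FLAGS = {"-passphrase", "-password"}
REDACTED = "<redacted>"


def redact_argv(argv: List[str]) -> List[str]:
    """Return a copy of argv with the value after each sensitive flag replaced."""
    out, skip = [], False
    for tok in argv:
        if skip:                       # previous token was a sensitive flag
            out.append(REDACTED)
            skip = False
        elif tok.lower() in SENSITIVE_FLAGS:
            out.append(tok)
            skip = True
        elif "=" in tok and tok.split("=", 1)[0].lower() in SENSITIVE_FLAGS:
            out.append(tok.split("=", 1)[0] + "=" + REDACTED)  # -passphrase=VALUE form
        else:
            out.append(tok)
    return out


def log_command_unsafe(argv: List[str]) -> str:
    """The 'reformat an existing disk' path: the whole command line is logged."""
    return "ran: " + " ".join(argv)


def log_command_safe(argv: List[str]) -> str:
    """The 'brand new disk' path: secrets are stripped before the line is written."""
    return "ran: " + " ".join(redact_argv(argv))


# A passphrase flag followed by anything other than the redaction marker.
LEAK_PATTERN = re.compile(r"-(?:passphrase|password)(?:\s+|=)(?!<redacted>)\S+", re.IGNORECASE)


def find_leaked_passphrases(lines: List[str]) -> List[int]:
    """Return 1-based line numbers whose text contains a cleartext passphrase value."""
    return [i for i, line in enumerate(lines, 1) if LEAK_PATTERN.search(line)]


# Constructed sample log: line 2 is the kind of entry the bug produced.
SAMPLE_LOG = [
    "2018-04-24 10:01:02 volumehelper[412]: ran: diskutil apfs addVolume disk2 APFS Backup -passphrase <redacted>",
    "2018-04-24 10:05:17 volumehelper[412]: ran: diskutil apfs addVolume disk3 APFS Scratch -passphrase hunter2",
    "2018-04-24 10:05:18 volumehelper[412]: volume Scratch created",
]
```

Running the audit against a real log export would only ever report line numbers, never the values themselves, so the output is safe to share in a bug report.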

Anyway, the good news is that Apple seems to have fixed this bug quietly somewhere between macOS 10.13.4 and Security Update 2018-001 – we repeated the steps laid out in our recent article about the flaw but were unable to reproduce the bug this time.

Admittedly, this APFS password bug wasn’t critical, given that an attacker already needed access to your Mac to run the command to view your logs, but it was an embarrassing flaw for Apple, being the third password-related blunder reported since High Sierra came out.

What to do?

As always, patch early, patch often.

Remote code execution that can be triggered just by viewing a web page is a cybercrook’s dream.