Mac owners who have already updated their machines to macOS High Sierra may want to update again. Apple has released an emergency update to fix a security flaw in the new operating system that can display a user’s password in plaintext.
The update is free and is labeled macOS High Sierra 10.13 Supplemental Update. It arrived just over one week after the public release of the latest version of macOS.
The Supplemental Update patches a potentially damaging flaw in Apple’s Disk Utility tool that would have allowed anyone with access to the machine to open encrypted Apple File System (APFS) volumes.
Prior to the update, when a user tried to unlock an encrypted APFS volume, macOS prompted for the volume’s password. Under the password field there is a “Show Hint” button that is intended to display the reminder the user supplied when creating the volume.
Instead, clicking “Show Hint” displayed the volume password itself, in full and in plaintext, with no protection. Anyone sitting at the machine could read it, unlock the volume and do considerable damage to the information stored on it; if the same password had been reused for the user’s account or for other services, those were exposed as well.
Apple acknowledged the flaw, which was first discovered by Brazilian developer Matheus Mariano, in a support article. “Your password might be displayed instead of your password hint if you used the Add APFS Volume command in Disk Utility to create an encrypted APFS volume, and you supplied a password hint,” the company wrote.
Apple noted that changing the volume’s password clears the stored hint without affecting the underlying encryption keys that protect the data, but advised that users instead install the latest update to macOS in order to secure their devices.
In addition to installing the Supplemental Update, Apple also recommended that affected users create an encrypted backup of the data on the volume and then erase the volume. They should then create a new encrypted volume, which they will have to name, and set a new password for it before restoring the backup. Because the old password was shown on screen, treat it as compromised and change it anywhere else it was used.
The Supplemental Update also fixes a second security flaw that would have allowed attackers to steal usernames and passwords stored in the user’s Keychain. That flaw could be exploited by a malicious third-party app running on the Mac to read Keychain entries in plaintext.
To download the latest version of macOS, open the Mac App Store, either from Launchpad or by choosing “App Store” from the menu that appears when you click the Apple icon in the menu bar.
Click Updates at the far right of the icons along the top of the App Store window. The system should list an available update for macOS High Sierra; the Supplemental Update contains the security fixes. Click Update, let the App Store download it, and then install it.
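For anyone checking more than one Mac, or who prefers a terminal to the App Store, the following script compares the running build against the build that carries the fix and, if the machine is behind, points at the softwareupdate command that installs it. This is an added example, not code from the article or from Apple. The build number 17A405 is, to my knowledge, the one Apple assigned to the 10.13 Supplemental Update; the article does not state it, so confirm it against Apple’s release notes before relying on the check (the PATCHED_BUILD variable overrides it).

```shell
#!/bin/sh
# Added example: does this Mac run the High Sierra build that carries the
# Supplemental Update fixes? Not from the article or from Apple.

# Build of "macOS High Sierra 10.13 Supplemental Update" (assumed; the article
# does not state it). Override with PATCHED_BUILD=... if Apple's notes differ.
PATCHED_BUILD="${PATCHED_BUILD:-17A405}"

# build_key BUILD
# Turn a Darwin build string such as 17A365 into a zero-padded key
# (00017A00365) so that release order equals plain string order.
build_key() {
    build=$1
    major=${build%%[A-Z]*}          # digits before the first letter: 17
    rest=${build#"$major"}          # A365
    letter=${rest%%[0-9]*}          # A
    number=${rest#"$letter"}        # 365
    printf '%05d%s%05d\n' "$major" "$letter" "$number"
}

# build_at_least BUILD MIN
# Succeeds (exit 0) when BUILD is MIN or a later build, fails otherwise.
build_at_least() {
    have=$(build_key "$1")
    want=$(build_key "$2")
    [ "$have" = "$want" ] || [ "$have" '>' "$want" ]
}

# check_this_mac
# Read the running build with sw_vers and report whether the fix is present.
check_this_mac() {
    current=$(sw_vers -buildVersion)
    if build_at_least "$current" "$PATCHED_BUILD"; then
        echo "OK: build $current includes the Supplemental Update"
        return 0
    fi
    echo "UPDATE NEEDED: build $current predates $PATCHED_BUILD"
    echo "List pending updates with:  softwareupdate -l"
    echo "Install them with:          sudo softwareupdate -i -a"
    return 1
}

# sw_vers only exists on macOS; elsewhere the comparison can still be run
# by hand, e.g.  build_at_least 17A365 "$PATCHED_BUILD"
if command -v sw_vers >/dev/null 2>&1; then
    check_this_mac
else
    echo "sw_vers not found; this check only reports on a Mac" >&2
fi
```

The comparison deliberately works on the build string rather than the product version, because the Supplemental Update leaves the version at 10.13 and only the build number changes; sw_vers -productVersion alone cannot tell a patched Mac from an unpatched one.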