Apple a publicat recent un update suplimentar (Supplemental Update) foarte important pentru toti utilizatorii de Mac, care au instalat macOS High Sierra 10.13.
Σε macOS High Sierra 10.13 Supplemental Update επίλυση ορισμένων δυσλειτουργίες για το Adobe InDesign και ένα bug που δεν επέτρεπε stergerea mesajelor primite in aplicatia Mail de pe conturi de Yahoo!.
Το πιο σοβαρό μέρος της αυτή η πρόσθετη ενημέρωση σχετίζεται με δύο ζητήματα ασφαλείας, ce au venit “la pachet” cu noul sistem de operare High Sierra.
Vulnerabilitate parola criptare pentru APFS (Encrypted) – Disk Utility Bug
Ένα bug στην εφαρμογή Βοηθητικό πρόγραμμα δίσκου που κάνει ορατό τον κωδικό πρόσβασης για τόμων δίσκου μορφοποιημένη APFS κρυπτογραφημένα.
Pe scurt, atunci cand introducem parola de criptate pentru un volum, aceasta este ceruta de doua ori, pentru a fi siguri ca nu am tastat-o gresit prima data. Apoi avem sa ne alegem un “υπόδειξη” (un cuvant sau o fraza) ca indiciu pentru parola. Bug-ul din Βοηθητικό πρόγραμμα δίσκου, face ca parola sa fie vizibila in locul cuvantului sau frazei de la “hint”. In acest fel, este expusa oricarei persoane care are acces la Mac.
In video postat pe Twitter se vede exact cum se poate afla parola unui volum criptat APFS, cu ajutorul Disk Utility.
Would be interesting why Apple recommends erasing when diskutil can clear hints:
diskutil apfs setPassphraseHint [diskXsX] -user disk -clear pic.Twitter.com/0khrm8aTq9— Felix Schwarz (@felix_schwarz) 5 Οκτωβρίου 2017
Vulnerabilitate Keychain Access – bypass user password
In mod normal si obligatoriu, cand accesam λογαριασμού και έναν κωδικό πρόσβασης που αποθηκεύονται σε μπρελόκ, ne este ceruta κωδικό πρόσβασης του χρήστη Mac. Printr-o vulnerabilitate a MacOS υψηλής Sierra, o aplicatie rau-intentionata poate ανάκτηση αποθηκευμένων κωδικών πρόσβασης στο Keychain Access, sarind peste parola de user Mac prin intermediul unui click sintetic. Fals / simulat.
Released October 5, 2017
StorageKit
Available for: macOS High Sierra 10.13
Impact: A local attacker may gain access to an encrypted APFS volume
Description: If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.
CVE-2017-7149: Matheus Mariano of Leet Tech
Ασφάλεια
Available for: macOS High Sierra 10.13
Impact: A malicious application can extract keychain passwords
Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.
CVE-2017-7150: Patrick Wardle of Synack
New downloads of macOS High Sierra 10.13 include the security content of the macOS High Sierra 10.13 Supplemental Update.
Asadar, daca aveti macOS High Sierra 10.13, este foarte recomandat sa faceti update-ul suplimentar. Acesta este disponibil via Mac App Store, in tab-ul “Ενημερώσεις“(si nu va schimba numarul versiunii). Apple a publicat deja macOS High Sierra 10.13.1 pentru developerii ce au device-urile in Apple Beta Software Program.
1 Σκέφτηκα "Ζητήματα ασφαλείας κρυπτογραφημένα και πρόσβαση στο μπρελόκ, επιλύθηκε με MacOS High Sierra 10.13 Συμπληρωματική ενημέρωση«