
About the security content of macOS High Sierra 10.13.2 - firloop
https://support.apple.com/en-us/HT208331
======
kiddico
I find it interesting how many of those are attributed to Project Zero members

~~~
arubberduck
Google has long been Apple's security division. Often I wonder if Apple has
any security people at all. The last Safari update had 11 CVEs from Google.
Most of Apple's updates credit one or more issues to Google, and often Apple
credits OSS-Fuzz, which is also a Google project.

~~~
sigmar
>Often I wonder if Apple has any security people at all.

It just feels like they don't since they don't let their security people have
social media presences. For example, their recent hire Jonathan Zdziarski

~~~
saagarjha
It looks like you were cut off there…

~~~
NamTaf
No, reread it as "For example, [consider] their recent hire Jonathan
Zdziarski[, whom you'll see is a leading iOS security researcher from a
cursory Google search]"

The GP just omitted a bunch of implied statements, which isn't immediately
obvious especially if you don't natively speak English.

~~~
giancarlostoro
He forgot a period at the end, so it does look like he got cut off
potentially.

------
reacharavindh
Just let my Mac take in this update, now sitting in front of it watching it
say

“About 3 minutes remaining”

And then jump to

“About 29 minutes remaining” :-( The price I pay for being dumb to let it
update during the work day. OSX is starting to feel more like the old
Windows....

~~~
misterdata
And what time did it actually take in the end?

~~~
ungzd
For me, about an hour and 2 (or 3?) reboots. And this is a minor version update
that consists only of bugfixes. I don't understand why overwriting a few
megabytes of files takes so long and requires multiple reboots.

------
nikanj
From a cursory glimpse, it seems Apple only patches CVEs in OSS components when
the OS itself gets an upgrade.

The next time there is a problem in Apache, the chances seem pretty high it
will remain unpatched on macOS for weeks, if not months.

~~~
simlevesque
Why does macOS ship with Apache?

~~~
tjohns
Before Mountain Lion, a personal web server was available under System
Preferences > Sharing > Web Sharing.

They removed the UI to enable it in Mountain Lion, but the functionality is
still built in and can be enabled if you install Apple's macOS Server app from
the App Store. Or you can just enable it from the command line.

~~~
amatecha
heh, remember when you could actually host your own website from your home
connection on port 80? Dynamic DNS services, etc... ISPs put a quick end to
that, though :(

~~~
rodgerd
I... still do?

This is more about ISPs where you live than anything else. Most people don't
want the hassle.

~~~
amatecha
Yeah, guess it varies, but a lot of ISPs block incoming port 80 connections.
Common enough that noip.com has a "port redirection" feature, interestingly
enough: [http://www.noip.com/support/knowledgebase/my-isp-blocks-port...](http://www.noip.com/support/knowledgebase/my-isp-blocks-port-80-what-can-i-do/)

------
jason_slack
I was hoping this would fix my "Month 13 is out of bounds" error. It doesn't. I
still have apps I cannot run now because of this. Looks like it is time to
back everything up and wipe my disk back to 10.13 with no other updates.

~~~
p49k
Wow, thanks for mentioning this. My Mac has been freezing when opening tons of
apps lately, making it basically useless, and I couldn’t figure out what was
wrong until I checked this. I never would have guessed it was a core OS issue.
What a ridiculous bug to not patch immediately.

Apparently you can at least mitigate it partly by disabling ReportCrash.

~~~
jason_slack
Can you share how to do this? Anything I can try to be able to launch some of
my critical apps might help.

Edit: for those who are curious: [https://www.gregoryvarghese.com/reportcrash-high-cpu-disable...](https://www.gregoryvarghese.com/reportcrash-high-cpu-disable-reportcrash/)

------
sccxy
How to update when App Store is not working?

> The operation couldn’t be completed. (NSURLErrorDomain error -1012.)

Same error is shown on terminal too.

~~~
jchb
Do you have any antivirus or (shady) anti-malware software installed? Not
necessarily the problem, but it wouldn't be the first time..

~~~
sccxy
No. Last successful update was just before this root bug.

------
pjmlp
Maybe Apple should hire a few more of those mythical C developers that never
make mistakes.

3 x out of bounds errors

6 x memory corruption issues

------
numerlo
People are reporting problems on Reddit
[https://www.reddit.com/r/apple/comments/7hzy3a/macos_10132_u...](https://www.reddit.com/r/apple/comments/7hzy3a/macos_10132_update_combo_10132_released/)
with the update. Anybody here tried it yet?

~~~
celias
It took several minutes on a couple of Macs with fusion drives. It seemed
stuck at "Calculating time remaining..." but eventually finished, rebooted,
and continued installing, this time displaying a reasonable time remaining
value.

~~~
ams6110
I had this problem with the last Sierra update. Have not pulled the trigger on
High Sierra yet.

------
joemaller1
Direct download link from Apple Support:
[https://support.apple.com/kb/DL1946](https://support.apple.com/kb/DL1946)

------
postit
I find it interesting that the most notable names from P0 team aren't native
US citizens.

Even with dual citizenship they won't get clearance easily to work for NSA.

~~~
lisper
How on earth can you tell if someone is a native citizen from their name?

And what difference does it make if they're native or naturalized? One of the
bedrock principles of American democracy is (or at least is supposed to be)
that a citizen is a citizen. There's a reason that the phrase "second-class
citizen" is supposed to have universally pejorative connotations.

~~~
komali2
He's not wrong about it being more difficult for people with dual citizenship
to get security clearance, though. At least in that sense you can be a "second
class citizen."

~~~
lisper
I'm a naturalized U.S. citizen with a dual citizenship, and I had no trouble
(well, no more than the usual trouble) getting a security clearance.

But what does any of this have to do with anything anyway? The linked-to page
doesn't mention the NSA, P0 team, or security clearances.

------
johansch
This is their way of saying: upgrade from Sierra to the seemingly still
supremely buggy High Sierra or you'll get owned?

Gee, thanks.

~~~
nautilus12
Long time Mac user, versed in Linux but have been using Mac for its
"convenience" for years: Upgraded to High Sierra, and my power modes started
working totally irrationally with seemingly no explanation. When I closed the
lid it suddenly started going crazy and nearly burnt a hole in my desk. I
think it burnt out the logic board in this way, the GPU and kernel started
panicking after 2 minutes running. When turned off it would turn itself on and
go into this crazy hyper swap mode, the box when I was shipping it to
AppleCare seemed like it would catch on fire. Had to keep using SMC shutdown
to get it to turn off. I don't know if the issue was High Sierra, MacBook Pro
2016 (which are total crap in my opinion why in the world would you hardwire
the hard drive into the logic board??), or both, but it suffices to say I'm
buying a Thinkpad, and I'm only using Ubuntu on it.

~~~
chisleu
Make sure it is a new Intel CPU too so you can't get power management to work
there either. #skylakeWasFun

