
About the security content of macOS High Sierra 10.13.3 - dhbanes
https://support.apple.com/en-us/HT208465
======
anonova
Funnily, if you look at the description in the app store, it makes it look
like a completely skippable update, especially if you don't use Messages.

> This update:
>
> * Addresses an issue that could cause Messages conversations to temporarily
> be listed out of order

~~~
saagarjha
"Arbitrary code execution" means very little to most users, I'd assume. Fixing
Messages is something they can immediately understand.

Plus, the Messages bug has been driving me up the wall for weeks, so I'm glad
it's fixed.

~~~
thephyber
> "Arbitrary code execution" means very little to most users, I'd assume.
> Fixing Messages is something they can immediately understand.

It doesn't say "fixing messages". It doesn't hint at a high impact CVE. The
only mention of any form of "security" is the link to the KB article, which I
only caught after I noticed this HN post.

As a software engineer at a software+network security company and an investor
in Apple, I'm not impressed. Bottom line: there was no urgency baked into the
update description.

~~~
willstrafach
You can subscribe to their emails if interested. These security update lists
are released alongside every OS update.

------
0x0
There may yet be more security fixes included than the article currently
lists. It seems that for the last few releases, Apple has been quietly adding
and updating CVEs to the release notes days and weeks after the initial
publication, not least of which was the Meltdown mitigations in 10.13.2 (that
update was pushed almost a month before the Meltdown embargo was lifted, and
the fact that patches were already included was kept secret).

For a scary-looking example of what macOS 10.13.3 / iOS 11.2.5 may secretly
contain fixes for, take a look at
[https://twitter.com/ranixch/status/955921380855418882](https://twitter.com/ranixch/status/955921380855418882)

~~~
willstrafach
I believe the Twitter user you link was credited on the page actually.

~~~
0x0
Huh, that's odd. I thought I searched for the CVE number on the page before
posting this. Maybe the page has been quietly updated already. Or maybe I was
confused. Actually, I was probably confusing the macOS and iOS announcements.

------
Iknowsecurity
Regarding IOHIDFamily: An application may be able to execute arbitrary code
with kernel privilege

I found this:
[https://siguza.github.io/IOHIDeous/](https://siguza.github.io/IOHIDeous/)
that was published Dec 31.

It took Apple 23 days since it was public before they released a fix.

> The exploit accompanying this write-up consists of three parts:
>
> poc (make poc) Targets all macOS versions, crashes the kernel to prove the
> existence of a memory corruption.
>
> leak (make leak) Targets High Sierra, just to prove that no separate KASLR
> leak is needed.
>
> hid (make hid) Targets Sierra and High Sierra (up to 10.13.1, see README),
> achieves full kernel r/w and disables SIP to prove that the vulnerability
> can be exploited by any unprivileged user on all recent versions of macOS
> [!!!!!!!!!]

~~~
Moto7451
For what it's worth, the GitHub README.md calls it a zero day, so they
apparently didn't give Apple any heads up to prepare for the release of the
exploit. While a same day/same week fix is ideal, 23 days isn't that bad given
a QA cycle. Patches for Meltdown/Spectre are still just on their way out/not yet
released for Microsoft's Server OSes, for a point of comparison [1].

I wish I could have found something newer, but according to Symantec the
average resolution time found in their 2015 study was 69 days [2]. The last
time Apple rushed a fix out... it didn't go so well [3].

Now, while I'm waxing poetic, I may as well frighten you with a recent RAND
corp study about how long Zero Days can be known privately before publicly
disclosed [4]. It also doesn't take too long to weaponize them [5].

This stuff sucks and is really nerve-racking for anyone involved in security
even tangentially. It's really easy to criticize, but I guarantee that anyone
on Hacker News who has written any meaningful software has released a security
flaw. If you think you haven't, you're absolutely kidding yourself and should
reevaluate your stance.

[1] [https://social.technet.microsoft.com/Forums/windowsserver/en-US/4f10320d-19f4-49a1-9ef3-673787e541cd/meltdown-patch-for-windows-server-2012-without-r2-and-2008-r2-still-not-released-regedit-key?forum=winserver8gen](https://social.technet.microsoft.com/Forums/windowsserver/en-US/4f10320d-19f4-49a1-9ef3-673787e541cd/meltdown-patch-for-windows-server-2012-without-r2-and-2008-r2-still-not-released-regedit-key?forum=winserver8gen)

[2] [https://www.symantec.com/connect/blogs/guide-zero-day-exploits](https://www.symantec.com/connect/blogs/guide-zero-day-exploits)

[3] [https://nakedsecurity.sophos.com/2017/11/30/apples-blank-root-password-fix-needs-a-fix-of-its-own-here-it-is/](https://nakedsecurity.sophos.com/2017/11/30/apples-blank-root-password-fix-needs-a-fix-of-its-own-here-it-is/)

[4] [https://www.rand.org/news/press/2017/03/09.html](https://www.rand.org/news/press/2017/03/09.html)

[5] [https://securityintelligence.com/news/zero-day-research-time-from-discovery-to-exploit-shrinks-to-four-days/](https://securityintelligence.com/news/zero-day-research-time-from-discovery-to-exploit-shrinks-to-four-days/)

~~~
wand3r
Wow, 0day avg lifespan is 6.9 years with a 5.7 percent collision rate.

------
cmurf
This is the weirdest update I've ever applied.

Download>Click install>30 seconds later it reboots>Apple logo gray screen I
see "installing software updates" and a status bar that gets 25% of the way
done and then the screen goes black, fans go high, then a reboot>screen is
still black, fans go high, 3 minutes another reboot>screen is still black,
fans go high for 30 seconds and now nothing for the past 10 minutes.

Power light is on, caps lock key does light up, the keyboard lighting comes on
if I touch keys and I can increase or decrease that lighting with the proper
key, but no backlight. WTH?

OMFG, now 15 minutes after starting, more fan noise for about 30 seconds...

So it's still doing something, but with a black screen.

No change 35 minutes after starting the update...

~~~
cmurf
After 2 hours I gave up and held down the power button for 5 seconds to force
poweroff. Next reboot, I get a boot chime, but still a black screen. Force
power off. Cold boot again and zap PRAM, still black screen. This update has
fucked my mac over, or it's one hell of a coincidental hardware fail

It really pisses me off when Apple buries firmware updates into system
software updates. I have no idea if this update contained a firmware update,
and whether this problem I'm having now might be a failed firmware update. But
I'm pissed off. If Apple wants to prevent me from installing OS updates until
I have a firmware update applied, they can do that, but this total lack of
disclosure of what is being done, and therefore what failed, is really really
fucking annoying.

------
kylec
I find this title unhelpful. Is there something specific I should be aware of
in this update?

~~~
wlesieutre
15 security fixes, most of which are "read restricted memory," "arbitrary code
execution," and "arbitrary code execution with kernel privileges."

Several of the arbitrary code executions are triggerable by processing
maliciously crafted web content. There's also a local sandbox bypass.

Not a big deal for user-visible features, a very big deal for security
vulnerabilities.

------
chachra
2.17 GB!

~~~
needusername
So what? 30 sec download time.

~~~
Cu3PO42
Or multiple hours for those of us who are still plagued with slow internet at
home.

Luckily it's not that bad for me anymore, but I still sympathise with everyone
with slow connection speeds, because you can't "just" download an update.

~~~
needusername
I thought most of the developed world is on 1 Gbit / 1 Gbit FTTH at this point.

~~~
mwilliaams
That is utterly incorrect. I get 15% of that under ideal circumstances.

~~~
quicklyfrozen
150Mb/s sounds pretty good...I get about 10% of that.

~~~
mwilliaams
Parent comment said 1Gbit, not 1Gbyte. I too get about 15Mb/s

------
yeasayer
Is this the second or third time they're fixing Meltdown?

------
Iknowsecurity
If you look at the Mac security updates lately, you can see avalanches of
"execute arbitrary code" fixes for every release. It seems that Mac OS X has
more holes than a factory of Swiss cheese.

EDIT: Why was this downvoted?

If you downvote, at least you can comment why. These are the security updates
since Oct:

[https://support.apple.com/en-us/HT201222](https://support.apple.com/en-us/HT201222)

[https://support.apple.com/en-us/HT208331](https://support.apple.com/en-us/HT208331)

[https://support.apple.com/en-us/HT208165](https://support.apple.com/en-us/HT208165)

[https://support.apple.com/en-us/HT208315](https://support.apple.com/en-us/HT208315)

~~~
blub
I completely agree that it's disconcerting. At least they are transparent
about it and no other mainstream OS seems to be doing better.

That's the problem with C, it can't be written securely and these bugs will
continue to be fixed for decades.

