Hacker News new | comments | show | ask | jobs | submit login
About the security content of macOS High Sierra 10.13.2 (apple.com)
208 points by firloop 10 months ago | hide | past | web | favorite | 115 comments

I find it interesting how many of those are attributed to project zero members

Good to know that at least Google is very concerned with MacOS security ;-)

A sizable percentage of their employees use macs, so it's not surprising.

And the impression i have is that the pixel products are in part an attempt at getting them to dogfood Google's own stuff.

I can't think of any Google product that isn't dogfooded by Googlers, to be frank.

When I attended Google IO a couple of years back, I was surprised how many Android team members were using iPhones.

Well if they want security, Android has only been half serious since 6 (entire systematic disk encryption, half-serious permissions...).

I've had a corporate Android phone since Ice-Cream Sandwich. I assume people that started before me used earlier versions too.

Maybe they want to have their enemy close. :D

<insert tsun zu quote here>

Adsense? I don't remember seeing internal advertisements powered by Adsense. :P

This made me imagine Googlers annoucing donuts in meeting room x to others via adsense.

I think part of the reason why Google even decided to make its own phones is because of security. If you read about their BeyondCorp enterprise security architecture, it emphasizes smartphone security quite a bit and how devices without timely updates, for instance, will be banned from the network (Google's own internal network that is).

Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security.


> I think part of the reason why Google even decided to make its own phones is because of security.

Huh. I think the main reason some people (myself included) go out of their way to avoid Google products as much as possible is because of security.

Google's security != your security.

I do trust Google to "get security right"[1]. I just don't trust them to secure things I don't want to share with them. Which happens to be a huge percentage of data on and generated by my phone.

[1] In the colloquial sense that people tend to use that phrase.

Do you mean privacy? I don't have issues with Google's handling of security.

That's privacy (ie google collects your data), not security (some random hacker collects your data).

There is a link albeit not a first order one. If your privacy gets invaded enough, then random third parties will get your data (legally, from google) and then some random hacker will collect it.

Why wouldn't they use their Nexuses? They even push the updates out themselves.

Not everyone has a Nexus or Pixel. It's BYOD except for Corp phones.

I was responding to this: "Given how bad most Android OEMs are at keeping their devices up to date, Google didn't have much of a choice, other than relying on iPhones, too, for its internal security."

My question was why Google would be relying on iPhones when they could just use Nexuses(then) or Pixels(now), since they are pushing their own updates (especially security).

Happens at FB (more or less). Employees get ad credits, because it's an incredibly important part of the platform.

well somebody's got to do it

Google has long been Apple's security division. Often I wonder if Apple has any security people at all. The last Safari update had 11 CVEs from Google. Most of Apple's updates credit one or more issues to Google, and often Apple credits OSS-Fuzz, which is also a Google project.

>Often I wonder if Apple has any security people at all.

It just feels like they don't since they don't let their security people have social media presences. For example, their recent hire Jonathan Zdziarski

It looks like you were cut off there…

No, reread it as "For example, [consider] their recent hire Jonathan Zdziarski[, whom you'll see is a leading iOS security researcher from a cursory Google search]"

The GP just omitted a bunch of implied statement, which isn't immediately obvious especially if you don't natively speak English.

He forgot a period at the end, so it does look like he got cut off potentially.

You don't credit internal employees in this way. These bugs were reported through official channels.

Security Update 2017-001 was released November 29, 2017: https://support.apple.com/en-ca/HT208315

Does it mean it's the first security update of the year? :(

No, just for this OS

High Sierra was released in June 2017. So that's still 6+ months without security patches. Not sure if that's a great track record or poor patching planning?

Just let my Mac take in this update, now sitting in front of it watching it say

“About 3 minutes remaining”

And then jump to

“About 29 minutes remaining” :-( The price I pay for being dumb to let it update during the work day. OSX is starting to feel more like the old Windows....

I respect people who choose Macs and MacOS but there are reasons why I use Linux Mint and other versions of GNU/Linux.

Isn’t it ever! The install update now or remind later notifications is classic Windows UI.

OS X through around 10.4 would run most updates in the background and you could restart later at your own leisure. It was fantastic back then.

And what time did it actually take in the end?

For me, about a hour and 2 (or 3?) reboots. And this is minor version update that consists only in bugfixes. I don't understand why overwritting few megabytes of files takes so long time and requires multiple reboots.

I'd say between 15 to 20 minutes.

Lemme guess - your fan is buzzing too?

From a cursory glimpse, it seems Apple only pathes CVEs in OSS components when the OS itself gets an upgrade.

The next time there is a problem in Apache, the chances seem pretty high it will remain unpatched on macOS for weeks, if not months.

Apple sometimes distributes separate security updates, depending on the severity of the issue.

Why does macOS ship with Apache ?

Before Mountain Lion, a personal web server was available under System Preferences > Sharing > Web Sharing.

They removed the UI to enable it in Mountain Lion, but the functionality is still built in and can be enabled if you install Apple's MacOS Server app from the app store. Or you can just enable it from the command line.

It was a really nice idea. I wonder how often it got used. I think it was a conceptual relic of the [Jeff Goldblum era](https://www.youtube.com/watch?v=dQmK1CnwOUI) of iMacs with instant Internet and personal webpages.

The "Jeff Goldblum" era is still alive, just not in the minds of people trying to sell cloud-based alternatives

When people say "alive" in casual conversation, they mean alive for larger amounts of people than statistical noise...

I suppose that could be an insult, if you were actually right

No, personal web pages have been replaced with Facebook accounts. Nobody wants or needs a website to show off photos and videos and personal updates anymore.

They do if they don’t want their photos of their kids plastered with ads for fart apps and other unsavory garbage, though...

But nobody in the target audience will visit it, because it's some random website and not a Facebook page. So what good is a website that's never visited?

heh, remember when you could actually host your own website from your home connection on port 80? Dynamic DNS services, etc... ISPs put a quick end to that, though :(

Not really. I still host a number of sites on my home linux box.

Nowadays you need PAAS cloud hosting with Kubernetes on at least 3 servers, monitoring SAAS, log storage SAAS, CI for js transpilers, CDN for assets, Cloudflare, SSL certificate, checklist for PWA compliance, UX guidelines, AMP, OpenGraph metadata. Because best practices!

I... still do?

This is more about ISPs where you live than anything else. Most people don't want the hassle.

Yeah, guess it varies, but a lot of ISPs block incoming port 80 connections. Common enough that noip.com has a "port redirection" feature, interestingly enough: http://www.noip.com/support/knowledgebase/my-isp-blocks-port...

It used to be the basis for personal web pages, and deployable to via iWeb, the “easy” web authoring tool that baked text into images...

Also, the server variants ran most services (calendars, etc.) behind it.

Edit: premature posting.

I assume it's so that I can run Bugzilla on my laptop.

Right, I feel like anyone who would need apache on MacOS would know how to install it...

AFAIK macOS built in Apache is not started by default, so it is not a security risk anyway

That's a strange way to look at things. You could argue the computer doesn't come started by default so it's not a security risk... If there's an option to start it, it's a risk.

Yeah, they should sell those Macs without a start button. That should keep them secure :)

I was hoping this would fix my "Month 13 is out of bounds" error. It doesn't I still have apps I cannot run now because of this. Looks like it is time to back everything up and wipe my disk back to 10.13 with no other updates.

Wow, thanks for mentioning this. My Mac has been freezing when opening tons of apps lately, making it basically useless, and I couldn’t figure out what was wrong until I checked this. I never would have guessed it was a core OS issue. What a ridiculous bug to not patch immediately.

Apparently you can at least mitigate it partly by disabling ReportCrash.

Can you share how to do this? Anything I can try to be able to launch some of my critical apps might help.

Edit: for those who are curious: https://www.gregoryvarghese.com/reportcrash-high-cpu-disable...

Here’s an ok description if folks (like me) are curious: https://robservatory.com/month-13-is-out-of-bounds/ .

Nothing seems to help me in this article. Thanks for posting it. The more we know the better.

no, not fixed and joined by MirrorDisplays:

com.apple.xpc.launchd[1] (com.apple.preference.displays.MirrorDisplays): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

How to update when App Store is not working?

> The operation couldn’t be completed. (NSURLErrorDomain error -1012.)

Same error is shown on terminal too.

Do you have any antivirus or (shady) anti-malware software installed? Not necessarily the problem, but it wouldn't be the first time..

No. Last successful update was just before this root bug.

Try and grab yourself a combo update file and apply it to your system.

Unable to install from combo update file.

macOS 10.13.2. Update can't be installed on this disk. In order to upgrade to newer version of macOS High Sierra on this disk, please see the instructions here [https://beta.apple.com/sp/betaprogram/apfsfusion].

Looks like only way out is reinstall of macOS.

Macbook Air 2013

Maybe Apple should hire a few more of those mythical C developers that never make mistakes.

3 x out of bounds errors

6 x memory corruption issues

People are reporting problems on Reddit https://www.reddit.com/r/apple/comments/7hzy3a/macos_10132_u... with the update. Anybody here tried it yet?

It took several minutes on a couple of Macs with fusion drives. It seemed stuck at "Calculating time remaining..." but eventually finished, rebooted, and continued installing, this time displaying a reasonable time remaining value.

I had this problem with the last Sierra update. Have not pulled the trigger on High Sierra yet.

Yep, no problems (on a 2012 Air). Doesn’t seem to have fixed the Month 13 problem though…

No problem on Air 2012. Upgrade took shorter time than my shower. :D

Direct download link from Apple Support: https://support.apple.com/kb/DL1946

I find it interesting that the most notable names from P0 team aren't native US citizens.

Even with dual citizenship they won't get clearance easily to work for NSA.

How on earth can you tell if someone is a native citizen from their name?

And what difference does it make if they're native or naturalized? One of the bedrock principles of American democracy is (or at least is supposed to be) that a citizen is a citizen. There's a reason that the phrase "second-class citizen" is supposed to have universally pejorative connotations.

bedrock principles of American democracy

Clearances aren't democratic (nor should they be).

No idea how they can tell citizen status from the name, though. I thought the US was made up of people form all over earth with all kinds of backgrounds so one couldn't tell from their name.

He's not wrong about it being more difficult for people with dual citizenship to get security clearance, though. At least in that sense you can be a "second class citizen."

I'm a naturalized U.S. citizen with a dual citizenship, and I had no trouble (well, no more than the usual trouble) getting a security clearance.

But what does any of this have to do with anything anyway? The linked-to page doesn't mention the NSA, P0 team, or security clearances.

Might be hard for 1st gen citizens when I started work late 10's in the UK all 4 grandparents had to be Uk Nationals.

First:, I used notable names instead of notable persons. If that caused a confusion or misunderstanding to the point you believe I was segregating or second classing anyone, pardon me.

Second: My intent was to reply to Kiddico's message which says "I find it interesting how many of those are attributed to project zero members" That's the relation of p0 with my reply

Third: Ben Hawkes(NZ), Tavis Ormandy(UK), Ian Beer(UK) and Matt Tate(UK) are often credited as notable members of the project zero team.

>How on earth can you tell if someone is a native citizen from their name?

Why are you playing dumb? He's clearly talking about someone with clearly foreign name, not someone from Canada.

I'm sick of people acting willfully ignorant in their arguments

Clearly foreign, like Bezos, Obama, or Wozniak?

We need immigration to have foreigners come here, make stsrtups, grow our economy, and create jobs.

The student visa should lead to a green card. Since it does not immigrants go back to their home nation and do startups there.

Not to be political, but Trump does not get that yet.

And those are exceptions to the norm.

Look at the census of the 100 most common American names, they're either traditional American names or Spanish names from those who immigrated here over the last 50 years. https://www.thoughtco.com/most-common-us-surnames-1422656

Those top 100 names total 50 million people, out of a total US population of 250 million (at time of 1990 census).

That means that 80% of the US population has a surname other than those on that list. Assuming that 80% of the US poplulation are "foreign" because they aren't in the top 100 most common surnames, seems rather foolish.

A lot of those look like traditional British names (also foreign).

Just want to repeat what lisper said, and even more emphatically as this is personal to me, you cannot tell a native US citizen from their name. I myself have an 11 character surname from the Baltic States. I was born in Washington DC.

What exactly is a native born American name to you? English origin? German? I honestly think you should be ashamed of what you wrote. It's deeply offensive to those of us with roots in other places.

I have no idea if this is the case, but it could also be possible that the person you are replying to actually knows of the people listed. He might not be basing his observation on the names themselves.

I have encountered too many similar comments to believe that is the case.

Please see my reply to lisper


It's neither Russian nor German. Baltic is a linguistic category on its own. Specifically Lithuanian in my case. Latvian is related. There were also Baltic language speakers in Prussia before it became majority German speaking.

"Surname from the Baltic States" implies linguistic precision and specificity that "surname from the United States" does not convey and is in no means equivalent to. There is some vagueness in what I said but I left it there intentionally, people don't get crazy specific about personal details here usually. I was meaning to say I have a "foreign" surname.

Your wrong about their being no traditional American. A traditional United States surname is generally English, Scottish, or Welsh as those were the primary people living in the United States from 1550-1850.

For instance, I remember from History class that there were atleast 3 famous guys from the 1700s named "John Smith"

You're wrong about the history of the United States. Dutch New Yorkers. Germans in Pennsylvania. (German is the predominant ethnicity of white Americans by the way.) French in Maryland. Lots of land purchased from French and robbed from Spaniards. And I didn't even mention the native peoples... All of these groups exist in significant numbers before the 1800s.

Since you're interested in around 1850, around there starts immigration from places like Ireland, Italy, Poland.. even a few Baltic people.

> robbed from Spaniards

They were Mexican by that point, right?

Depends where you are talking about. In the southwest or the west coast yes. I was thinking of Florida though, which was earlier. Though as I look that up maybe "robbed" is not the right word.

Then of course much later there was the war with Spain which resulted in caribbean US territories... This is becoming a big tangent though.

Here's a list of the top 100 American surnames. The majority of them are British/Scottish/Welsh: https://www.ssa.gov/oact/babynames/decades/century.html

No matter what you think, the British Isles are the ones who populated the country.

No matter what you think, white Americans are mostly German. Here is the top hit when I googled that:

"German-Americans are America’s largest single ethnic group .... In 2013, according to the Census bureau, 46m Americans claimed German ancestry: more than the number who traced their roots to Ireland (33m) or England (25m). "


> Here's a list of the top 100 American surnames. The majority of them are British/Scottish/Welsh

Lots of people of other origins adopted English surnames because the British were the dominant early group, and then later people with British names were, even though not always of British descent.

So, now, sure, British surnames are dominant, but that's often not indicative of British descent.

People often adopted English surnames or Anglicized their names, especially around WWI (also when the huge number of German language newspapers mostly closed and even towns named after German places were renamed).

> I find it interesting that the most notable names from P0 team aren't native US citizens.

How do you know?

> Even with dual citizenship they won't get clearance easily to work for NSA.

Not being a native citizen doesn't mean you are a dual citizen; those are orthogonal concepts. Dual citizenship are frequently native-born (having citizenship-by-birth in more than one country is a common route to dual citizenship) and naturalized citizens often do not retain foreign citizenship (they formally must renounce it, but some countries don't automatically—or ever—give effect to such renunciation.)

Huh. What kind of computers are they using over at the NSA, anyway? What about their laptops?

This is their way of saying: upgrade from Sierra to the seemingly still supremely buggy High Sierra or you'll get owned?

Gee, thanks.

Long time mac user, versed in Linux but have been using Mac for its "convenience" for years: Upgraded to high sierra, and my power modes started working totally irrationally with seemingly no explanation. When I closed the lid it suddenly started going crazy and nearly burnt a hole in my desk. I think it burnt out the logic board in this way, the GPU and kernel started panicking after 2 minutes running. When turned off it would turn itself on and go into this crazy hyper swap mode, the box when I was shipping it to applecare seemed like it would catch on fire. Had to keep using SMC shutdown to get it to turn off. I dont know if the issue was High Sierra, macbook pro 2016 (which are total crap in my opinion why in the world would you hardwire the hard drive into the logic board??), or both, but it suffices to say I'm buying a Thinkpad, and Im only using Ubuntu on it.

Make sure it is a new Intel CPU too so you can't get power management to work there either. #skylakeWasFun

If I'm reading it right, all those patches are also available for Sierra 10.12.6 and El Capitan 10.11.6 (and will presumably be delivered by an update there), except for the ones that say don't apply to Sierra 10.12.6 (the vulnerability doesn't exist there).


> macOS High Sierra 10.13.1, macOS Sierra 10.12.6, OS X El Capitan 10.11.6


> Available for: macOS High Sierra 10.13 and macOS High Sierra 10.13.1

> Not impacted: macOS Sierra 10.12.6 and earlier

Most of the CVEs are fixed in Sierra and El Capitan as well.

Yep... installed the Sierra security update this morning.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact