About the security content of macOS High Sierra 10.13.3 (support.apple.com)
64 points by dhbanes on Jan 23, 2018 | 45 comments

Funnily, if you look at the description in the app store, it makes it look like a completely skippable update, especially if you don't use Messages.

> This update:


> * Addresses an issue that could cause Messages conversations to temporarily be listed out of order

"Arbitrary code execution" means very little to most users, I'd assume. Fixing Messages is something they can immediately understand.

Plus, the Messages bug has been driving me up the wall for weeks, so I'm glad it's fixed.

> "Arbitrary code execution" means very little to most users, I'd assume. Fixing Messages is something they can immediately understand.

It doesn't say "fixing messages". It doesn't hint at a high impact CVE. The only mention of any form of "security" is the link to the KB article, which I only caught after I noticed this HN post.

As a software engineer at a software+network security company and an investor in Apple, I'm not impressed. Bottom line: there was no urgency baked into the update description.

You can subscribe to their emails if interested. These security update lists are released alongside every OS update.

There may yet be more security fixes included than the article currently lists. It seems that for the last few releases, Apple has been quietly adding and updating CVEs to the release notes days and weeks after the initial publication, not least of which was the meltdown mitigations in 10.13.2 (that update was pushed almost a month before the meltdown embargo was lifted, and the fact that patches were already included was kept secret).

For a scary-looking example of what macOS 10.13.3 / iOS 11.2.5 may secretly contain fixes for, take a look at https://twitter.com/ranixch/status/955921380855418882

I believe the Twitter user you link was credited on the page actually.

Huh, that's odd. I thought I searched for the CVE number on the page before posting this. Maybe the page has been quietly updated already. Or maybe I was confused. Actually, I was probably confusing the macOS and iOS announcements.

Regarding IOHIDFamily: An application may be able to execute arbitrary code with kernel privilege

I found this: https://siguza.github.io/IOHIDeous/ that was published Dec 31.

It took Apple 23 days since it was public before they released a fix.

> The exploit accompanying this write-up consists of three parts:

> poc (make poc) Targets all macOS versions, crashes the kernel to prove the existence of a memory corruption.

> leak (make leak) Targets High Sierra, just to prove that no separate KASLR leak is needed.

> hid (make hid) Targets Sierra and High Sierra (up to 10.13.1, see README), achieves full kernel r/w and disables SIP to prove that the vulnerability can be exploited by any unprivileged user on all recent versions of macOS [!!!!!!!!!]

For what it's worth, the GitHub README.md calls it a zero day, so they apparently didn't give Apple any heads up to prepare for the release of the exploit. While a same day/same week fix is ideal, 23 days isn't that bad given a QA cycle. Patches for Meltdown/Spectre are still on their way out/not yet released for Microsoft's Server OSes, for a point of comparison [1].

I wish I could have found something newer, but according to Symantec the average resolution time found in their 2015 study was 69 days[2]. The last time Apple rushed a fix out.. it didn't go so well[3].

Now, while I'm waxing poetic, I may as well frighten you with a recent RAND corp study about how long Zero Days can be known privately before publicly disclosed [4]. It also doesn't take too long to weaponize them [5].

This stuff sucks and is really nerve-racking for anyone involved in security even tangentially. It's really easy to criticize, but I guarantee that anyone on Hacker News who has written any meaningful software has released a security flaw. If you think you haven't, you're absolutely kidding yourself and should reevaluate your stance.

[1] https://social.technet.microsoft.com/Forums/windowsserver/en...

[2] https://www.symantec.com/connect/blogs/guide-zero-day-exploi...

[3] https://nakedsecurity.sophos.com/2017/11/30/apples-blank-roo...

[4] https://www.rand.org/news/press/2017/03/09.html

[5] https://securityintelligence.com/news/zero-day-research-time...

Wow, 0day avg lifespan is 6.9 years with a 5.7 percent collision rate.

This is the weirdest update I've ever applied.

Download>Click install>30 seconds later it reboots>Apple logo gray screen I see "installing software updates" and a status bar that gets 25% of the way done and then the screen goes black, fans go high, then a reboot>screen is still black, fans go high, 3 minutes another reboot>screen is still black, fans go high for 30 seconds and now nothing for the past 10 minutes.

Power light is on, caps lock key does light up, the keyboard lighting comes on if I touch keys and I can increase or decrease that lighting with the proper key, but no backlight. WTH?

OMFG, now 15 minutes after starting, more fan noise for about 30 seconds...

So it's still doing something, but with a black screen.

No change 35 minutes after starting the update...

After 2 hours I gave up and held down the power button for 5 seconds to force poweroff. Next reboot, I get a boot chime, but still a black screen. Force power off. Cold boot again and zap PRAM, still black screen. This update has fucked my mac over, or it's one hell of a coincidental hardware fail

It really pisses me off when Apple buries firmware updates into system software updates. I have no idea if this update contained a firmware update, and whether this problem I'm having now might be a failed firmware update? But I'm pissed off. If Apple wants to prevent me from installing OS updates until I have a firmware update applied, they can do that, but this total lack of disclosure what is being done, and therefore what failed, is really really fucking annoying.

It was fine for me. Same mbp retina 8gb system incrementally updated since 10.9.5. Took a while but munki installed the update without issue. If you have FV2 enabled it won't reboot automatically (ie. shutdown) despite munki 3's fdesetup authrestart ability? Unless I misread that update which is totally possible.

I also had to log in at one point (FileVault I guess) and then the login progress bar froze halfway for a while and I guess it continued installing something.

I wonder if there are firmware updates / touchbar updates in here.

I find this title unhelpful. Is there something specific I should be aware of in this update?

15 security fixes, most of which are "read restricted memory," "arbitrary code execution," and "arbitrary code execution with kernel privileges."

Several of the arbitrary code executions are triggerable by processing maliciously crafted web content. There's also a local sandbox bypass.

Not a big deal for user-visible features, a very big deal for security vulnerabilities.

The sheer number of vulnerabilities that this patch fixes?

2.17 GB!

This is just something I've never understood.

What is taking up that 2.17GB??? Are they just recompiling every shared library or something?

How is it that their updates (even on iOS) are so massive even if they don't include (or need to include) new graphics, etc.

Sierra update is 731MB. See https://support.apple.com/kb/DL1956?viewlocale=en_US&locale=... BTW... not sure why the downloaded file is actually downloaded on _http_

Apple's signing the updates anyway; HTTP will be much more performant.

HTTP probably helps admins of large networks cache downloads for their 5000 computers that are all updating at once (if they're not running Apple's update cache server)

This is also how Apple's cache server works, otherwise it would need to break the TLS connection, and that is not an improvement.

I have personally looked at the accompanying connections and it looks like Apple sends hashes over a proper TLS connection. Updates are also signed as another layer of security.
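The pattern the last few comments describe (payload over plain HTTP, authenticity from a signature and hashes fetched separately) can be shown end to end. The script below is an added example, not Apple's mechanism or anything from this thread: it plays the vendor (signing key, hash manifest, signature) and then the client check that makes the download transport irrelevant. The key, manifest format and file name `update-10.13.3.pkg` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Apple's code: a signed hash manifest lets an update
# payload travel over plain HTTP. The key, manifest format and file names
# below are constructed for the demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of a file as a hex string (last field of openssl's output line).
sha256_of() { openssl dgst -sha256 "$1" | awk '{ print $NF }'; }

# --- Vendor side (constructed): signing key, payload, hash manifest, signature
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/vendor.key" >/dev/null 2>&1
openssl pkey -in "$WORK/vendor.key" -pubout -out "$WORK/vendor.pub" >/dev/null 2>&1
printf 'fake update payload bytes\n' > "$WORK/update-10.13.3.pkg"
printf '%s  %s\n' "$(sha256_of "$WORK/update-10.13.3.pkg")" update-10.13.3.pkg \
    > "$WORK/manifest.txt"
openssl dgst -sha256 -sign "$WORK/vendor.key" -out "$WORK/manifest.sig" "$WORK/manifest.txt"

# --- Client side: verify_update PUBKEY MANIFEST SIGNATURE PAYLOAD NAME
# Returns 0 only if the manifest signature verifies under the vendor key AND
# the payload's SHA-256 equals the manifest entry for NAME. Nothing here
# depends on how the payload was fetched (HTTP, a LAN cache, a USB stick).
verify_update() {
    pub=$1 manifest=$2 sig=$3 payload=$4 name=$5
    if ! openssl dgst -sha256 -verify "$pub" -signature "$sig" "$manifest" >/dev/null 2>&1; then
        echo "REJECT: manifest signature invalid"; return 1
    fi
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "REJECT: no manifest entry for $name"; return 1
    fi
    actual=$(sha256_of "$payload")
    if [ "$expected" != "$actual" ]; then
        echo "REJECT: hash mismatch for $name"; return 1
    fi
    echo "OK: $name matches signed manifest"
}

# 1. Untouched download: accepted.
verify_update "$WORK/vendor.pub" "$WORK/manifest.txt" "$WORK/manifest.sig" \
    "$WORK/update-10.13.3.pkg" update-10.13.3.pkg

# 2. Payload modified in transit (what plain HTTP cannot prevent): hash mismatch.
cp "$WORK/update-10.13.3.pkg" "$WORK/tampered.pkg"
printf 'evil\n' >> "$WORK/tampered.pkg"
verify_update "$WORK/vendor.pub" "$WORK/manifest.txt" "$WORK/manifest.sig" \
    "$WORK/tampered.pkg" update-10.13.3.pkg

# 3. Attacker also rewrites the manifest to match: signature check fails.
printf '%s  %s\n' "$(sha256_of "$WORK/tampered.pkg")" update-10.13.3.pkg \
    > "$WORK/forged-manifest.txt"
verify_update "$WORK/vendor.pub" "$WORK/forged-manifest.txt" "$WORK/manifest.sig" \
    "$WORK/tampered.pkg" update-10.13.3.pkg
```

The only thing that must reach the client intact is the public key (pinned in the OS image in Apple's case); the manifest and payload can come over any channel because an attacker who changes either one fails the corresponding check. Fetching the manifest over TLS, as the comment above observed, adds confidentiality and rollback resistance on top, but it is not what supplies integrity.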

Meltdown and Spectre require recompiling... but it sounded they already did back in December. Did they lie?

So what? 30 sec download time.

Or multiple hours for those of us who are still plagued with slow internet at home.

Luckily it's not that bad for me anymore, but I still sympathise with everyone with slow connection speeds, because you can't "just" download an update.

Slow internet and/or multiple macOS devices... (3 Apple laptops, 2 mac minis, and an iMac hanging off my ADSL...)

The ability for windows 10 updates to be shared across computers in a network (signatures are still verified of course) doesn't sound so bad in cases like this.

High Sierra has an option for a Mac to cache updates and serve them over the local network to other macs.

This feature used to only be in macOS Server but is now in normal macOS too.

Really? Cool! Thanks for pointing it out. (goes googling for how to make sure I'm using this...)

I thought most of the developed world is on 1 Gbit / 1 Gbit FTTH at this point.

Interesting definition of "developed"...

I'm in Sydney, at home my fastest option is ADSL2+ which gets me 15-16Mbit on a good day (7-8 if it's rained much recently...)

My ISP contacted me mid last year to offer pre-signups for our "National Broadband Network" on Sept 4th. A couple of months ago it became public that the old HFC cables they were planning to use were completely not up to the task, with major problems reported pretty much everywhere it'd already been rolled out, and they've now stopped any new HFC rollout using that (Optus) coax for at least 9 months.

I _think_ Sydney Australia counts as "the developed world", but even 100Mbit for me right now is at least a year away...

Why do you think this? The U.S. is among the worst in the "developed" world. More specifically it's highly fragmented.

https://www.statista.com/statistics/616210/average-internet-... https://www.recode.net/2017/9/7/16264430/fastest-broadband-s...

Hardly. I live in Germany and I was able to upgrade to 50,000kbit/s, of which I effectively get ~35,000 most of the time, only last year. Before that it was 5,000 for a few years and before that I was happy to have 1,000.

And I don't live in the country either, I'm a 10 minute walk away from a technical university and multiple research institutes.

Funnily enough, I had 100mbps fibre when I lived in Africa. Now that I live in the UK my best option is 12mbps ADSL.

I'm in freaking Seattle and this isn't available in most of the city limits.

That is utterly incorrect. I get 15% of that under ideal circumstances.

150Mb/s sounds pretty good...I get about 10% of that.

Parent comment said 1Gbit, not 1Gbyte. I too get about 15Mb/s

For you, maybe.

Attitudes like this are why it's okay for websites to have a 1 MB javascript payload.

A lot fewer people complain about a 1 MB image payload than they do about a 1MB js payload. Why is that?

And a 30-40 minute install!

Is this the second or third time they're fixing Meltdown?

If you look at the Mac security updates lately, you can see avalanches of "execute arbitrary code" fixes for every release. It seems that Mac OS X has more holes than a factory of Swiss cheese.

EDIT: Why was this downvoted?

If you down vote at least you can comment why. These are the security updates since Oct:





I completely agree that it's disconcerting. At least they are transparent about it and no other mainstream OS seems to be doing better.

That's the problem with C, it can't be written securely and these bugs will continue to be fixed for decades.
