Apple gets around to patching all the other High Sierra security holes
Another week, another Mac patch to install
Apple has released a security update to address nearly two dozen vulnerabilities in macOS High Sierra.
The update comes little more than a week after Apple had to kick out an emergency fix to close up a glaring hole in macOS that allowed anyone with access to a Mac (either in person or remote) to bypass the login screen and act as a root account.
This week's High Sierra update, numbered 10.13.2, addresses a total of 22 CVE-listed flaws in various components of the macOS operating system. Eight of the patched flaws could potentially allow code execution with system privileges if targeted.
Eight flaws were patched in the macOS Kernel itself. Those flaws, which can be targeted by installed applications, include two code execution vulnerabilities and six bugs that allow applications to read restricted memory sections.
The macOS Screen Sharing Server contains a bug that will be reminiscent of last week's 'IAmRoot' fiasco. That flaw, CVE-2017-13826, discovered by Toronto researcher Trevor Jacques, would let anyone with screen sharing access to a Mac to operate with root privileges, thanks to an error in the permissions handling.
The Intel Graphics Driver used by the Mac was the subject of three vulnerabilities, two of them found by Ian Beer of Google Project Zero. They include two arbitrary code execution bugs (CVE-2017-13883, CVE-2017-13875) and one (CVE-2017-13878) that could allow an attacker to crash the system or read kernel memory contents.
In the macOS Mail app, a bug (CVE-2017-13871) could cause some S/MIME encrypted messages to be sent out unencrypted, and a flaw in Mail Drafts (CVE-2017-13860) could allow for messages to be intercepted and read.
Those using older versions of macOS will get a separate update known as Security Update 2017-002 on Sierra and 2017-005 El Capitan. iTunes on Windows will also get an update.
Those who own multiple pieces of Apple-branded kit will find themselves with something of a backlog in patches. Earlier this week, Apple released an update for iOS that included security and stability fixes, followed by patches for tvOS and watchOS. ®