Apple has released a supplemental update for macOS High Sierra incorporating various bug fixes for Macs. Apple says it improves ‘installer robustness’, fixes a graphical problem with Adobe InDesign and addresses an issue with mail not sending from Yahoo accounts.

To update, open the Mac App Store and navigate to the Updates tab on a machine running macOS High Sierra.

Whilst Apple lists three very specific fixes in the release notes, the security notes indicate that the update also includes two important fixes.

One of these addresses an issue with APFS that has been circulating around the Internet today. The bug meant that some APFS volumes would reveal their password in plain text in the Disk Utility interface.

Rather than being saved into the password field, the password would be set as the ‘hint’ which is readable by anyone. You can see a demo of the problem here:

The supplemental update also includes a fix for a Keychain issue which allowed a malicious application to extract all passwords from the system it was running on.

Apple occasionally pushes out ‘supplemental updates’ for macOS when there are pressing issues that customers are hitting, but there are not enough changes to warrant a new version number (like macOS 10.13.1, which is currently in beta).

If you are installing High Sierra from the Mac App Store for the first time, Apple has updated the download to include the changes contained in the supplemental update.

As always, we’ll let you know about any other changes we see after applying the update, although we naturally do not expect to find anything substantial that isn’t already documented. High Sierra was released on September 25.

macOS High Sierra 10.13 Supplemental Update

Released October 5, 2017


Available for: macOS High Sierra 10.13

Impact: A local attacker may gain access to an encrypted APFS volume

Description: If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.

CVE-2017-7149: Matheus Mariano of Leet Tech


Available for: macOS High Sierra 10.13

Impact: A malicious application can extract keychain passwords

Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.

CVE-2017-7150: Patrick Wardle of Synack

New downloads of macOS High Sierra 10.13 include the security content of the macOS High Sierra 10.13 Supplemental Update.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.