Apple on Dec. 6 released macOS High Sierra 10.13.2, a security update that patches multiple security issues in the desktop operating system, including a critical root password vulnerability, as well as provided details on the security content of iOS 11.2.
iOS 11.2 became generally available on Dec. 2, though Apple withheld information on the included fixes until macOS 10.13.2 was released.
Among the most impactful issues addressed in macOS 10.13.2 is a vulnerability identified as CVE-2017-13872, which Apple has labeled as a Directory Utility issue.
“An attacker may be able to bypass administrator authentication without supplying the administrator’s password,” Apple warned in its advisory. “A logic error existed in the validation of credentials. This was addressed with improved credential validation.”
Although Apple’s description of the CVE-2017-13872 flaw is somewhat innocuous, the impact is quite severe. Any local user on a macOS system potentially could get root access without the need to enter a password. The issue first gained attention on Nov. 28 when security researcher Lemi Orhan Ergin tweeted to Apple about the flaw. Apple provided an interim fix for the issue in its Security Update 2017-001 release on Nov. 29.
Apple uses several common subsystems that are shared across macOS and iOS, which often means that a vulnerability in iOS will also be present in macOS. There are eight common patches in the macOS 10.13.2 and iOS 11.2 security updates. Six of the common flaws (CVE-2017-13847, CVE-2017-13876, CVE-2017-13855, CVE-2017-13867, CVE-2017-13865 and CVE-2017-13869) were reported by Google Project Zero security researchers. The CVE-2017-13847 flaw is a memory corruption issue with the I/O Kit component that provides access to drivers.
iOS and macOS also have a similar kernel, which was at risk from multiple flaws, including CVE-2017-13867 and CVE-2017-13876, both memory corruption issues. The iOS and macOS kernel was also at risk from a trio of input validation issues (CVE-2017-13865, CVE-2017-13868 and CVE-2017-13869) that could have potentially enabled a malicious application to read restricted memory.
Of note, iOS 11.2 provides a patch for the KRACK WiFi vulnerability to help protect older iOS devices. KRACK is an acronym for Key Reinstallation Attacks and was first publicly reported on Oct. 16. The KRACK attack enables attackers to exploit WPA2 WiFi security.
Apple issued a patch for iOS 11.1 and macOS 10.13.1 on Oct. 31, providing a patch for some, but not all, impacted Apple devices. On iOS, the original patch only supported iPhone 7 and later devices, while the new patches in iOS 11.2 also support the iPhone 5S, iPhone SE and the iPhone 6 series of phones.
Apple users can update to the latest iOS and macOS releases via the Apple App Store.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.