Apple rushes out macOS High Sierra creds leak fixes

Supplemental update issued.

Apple has issued an out-of-band security update to fix two major security issues in its recently released macOS 10.13 High Sierra desktop and laptop operating system, both of which could be exploited to reveal user credentials.

The supplemental update for macOS patches the CVE-2017-7150 vulnerability that allowed applications to extract passwords from the Keychain credentials manager.

Patrick Wardle of security consultancy Synack discovered in September this year that all versions of macOS and OS X were vulnerable to malicious applications dumping and exfiltrating passwords from the Keychain, and posted a video demonstration of the vulnerability.

Wardle has yet to publish full technical details of the vulnerability.

Another flaw discovered by researcher Matheus Mariano affects the new Apple File System (APFS) that debuted in the production release of macOS shipped last week.

Mariano used the macOS Disk Utility to create a new encrypted APFS storage volume, and password-protected it.

He also added a password hint. To his surprise, the hint revealed the actual password for the APFS volume in the macOS unlock dialog.

The problem only affects Mac computers with solid state storage, and Apple has patched the flaw in the latest macOS update.
