Go Update Your Mac ASAP To Fix Some Serious Vulnerabilities

Credit to Author: Wired Staff| Date: Sat, 07 Oct 2017 12:00:00 +0000

This week saw a tragic start, when late Sunday night a man named Stephen Paddock killed 58 people and wounded hundreds more in Las Vegas. Hoaxes and conspiracy theories flooded the internet in the immediate aftermath, as did questions—since answered—around how Paddock was able to fire at automatic speeds. We also took a look at gun-control tech—but didn't find much that's promising.

There's at least a little levity—although more tragicomic, really—in Yahoo announcing that its one-billion account leak in 2013 was actually a three-billion account leak. You also might enjoy this handy guide to when Donald Trump is tweeting, and when one of his staffers has commandeered his account. Also, the Department of Energy's email about not leaking leaked, so that's fun.

OK, back to terrible things. There's been an alarming rise in cyberattacks against abortion clinics lately. Another NSA contractor let critical data slip. The Equifax leak took on a terrible new dimensions in the form of a Congressional hearing. And Chief of Staff John Kelly's personal phone got compromised last December, which invites all sorts of potential terrible results.

And yet, somehow, there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories.

On Thursday, Apple released the first update to High Sierra, the new macOS operating system that debuted at the end of September. And it’s an important one. High Sierra 10.13 had two disappointing credential security bugs at launch, but Apple says that both have been patched in this update. One is a bug that could have let attackers use a third-party app to pilfer usernames and passwords from macOS’s Keychain tool that stores credentials. The other is a flaw that revealed plain text passwords in the password hint for encrypted Apple File Systems volumes. If you added disk encryption with a hint, the plain text of your password would show up in the hint field in the Disk Utility. No bueno. If you already created an encrypted volume before you installed the update, you’ll need to back it up, wipe the drive, reformat the File Systems volume, and then restore from the backup. Either way, use Apple’s “Software Update” tool to download the patch. Like…right now.

Google's elite Project Zero team of cybersecurity specialists has called out Microsoft for issuing patches inconsistently, and in a manner that could tip off attackers to vulnerabilities in older versions of the operating system. The fix, Google says, is just to apply the same updates across all iterations, so that hackers can't infer what vulnerabilities might be hiding where based on a given patch.

Technically this happened last week, but for hopefully understandable reasons we're still mentioning here. Authorities recently apprehended Gal Vallerius in connection with selling drugs on the dark web bazaar Dream Market, allegedly under the handle OxyMonster. While Vallerius lives in France, the feds picked him up in Atlanta, as he was traveling to a "world beard-growing championship" in Austin, Texas. The dark web markets have been in a bit of chaos ever since this summer's Alphabay and Hansa takedowns, but have rarely seen such a hairy situation.

https://www.wired.com/category/security/feed/