Last week, Apple released updates for all of its current operating systems and Safari web browser, as well as security updates for macOS Sierra and OS X El Capitan. These updates came with new features, functionality and security fixes and enhancements.
The following guide details what new features each update includes, the bugs addressed—including patches for the APFS volume password bug and the QR code scanning bug—and where you can download each software update.
Apple’s new macOS High Sierra 10.13.4 is listed as an update that improves the stability, performance, and security of your Mac. Following are the bug fixes and new features included in macOS High Sierra 10.13.4:
The sorting of Safari bookmarks is a new feature that many Apple pro users have anticipated for nearly 15 years (about time!), as is support for external graphics processors (eGPUs). Unfortunately, Apple put some restrictions on its final implementation, such as compatibility only with Thunderbolt 3. There are ways around this, if you wish to experiment with these new features. The displaying of privacy icons is something I will touch on later, below.
As for security related fixes, macOS High Sierra 10.13.4 patches 31 bugs. These include:
System Preferences
Impact: A configuration profile may incorrectly remain in effect after removal
Description: An issue existed in CFPreferences. This issue was addressed through improved preferences cleanup.
WindowServer
Impact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled
Description: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.
APFS
Impact: An APFS volume password may be unexpectedly truncated
Description: An injection issue was addressed through improved input validation.
Disk Management
Impact: An APFS volume password may be unexpectedly truncated
Description: An injection issue was addressed through improved input validation.
LinkPresentation
Impact: Processing a maliciously crafted text message may lead to UI spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
Apple addressed 5 security flaws in the Kernel; the Intel and NVIDIA graphics drivers also received attention, and Mail received 2 fixes as well. On the APFS volume password issue, you may recall this article on the Mac Security Blog, where Intego pointed out an issue in which encrypted volume passwords were stored in logs in plaintext. This bug appears to have been fixed with macOS High Sierra 10.13.4. However, as Howard Oakley pointed out, passwords that were already stored in logs are still there! Check out his article for tips on what to do if you think this bug may have affected you.
macOS 10.13.4 is also the first update that can now be applied to all compatible and supported Apple systems. This means no more separate downloads are needed for iMac Pro users.
Also released were security updates for macOS 10.12 Sierra and OS X 10.11 El Capitan. In these security updates, Apple addressed 15 issues impacting the older operating systems.
For the full list of security bugs addressed by these updates, have a look here. You can download macOS High Sierra 10.13.4, Security Update 2018-002 Sierra and Security Update 2018-002 El Capitan from the App Store under the Updates tab. You can also download the updates from Apple’s website, here:
As always, when downloading software from any website, even a trusted one, make sure to verify the download before installing. Apple has guidelines on this that can be found here. All updates should include a firmware update, so you can expect your Mac to restart twice before the installation completes. Classic Mac Pro (pre-2013) users may have to run the Combo update for the firmware update to show. No details have been released about the firmware updates, but the common speculation is that they provide additional Meltdown/Spectre patches.
Available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, the new iOS 11.3 fixes 44 security issues. iOS 11.3 also introduces new features, including:
The full list of new features can be found here.
The security fixes contained in iOS 11.3 include:
Find My iPhone
Impact: A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password
Description: A state management issue existed when restoring from a back up. This issue was addressed through improved state checking during restore.
iCloud Drive
Impact: An application may be able to gain elevated privileges
Description: A race condition was addressed with additional validation.
Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail
Description: An inconsistent user interface issue was addressed with improved state management.
Safari
Impact: Visiting a malicious website by clicking a link may lead to user interface spoofing
Description: An inconsistent user interface issue was addressed with improved state management.
Note that one of the bugs mentioned in the macOS list above was an issue with LinkPresentation; this was also fixed in iOS 11.3. Although Apple doesn’t mention QR codes, this is apparently Apple’s fix for the issue we wrote about recently, where scanning QR codes with Apple’s Camera app could display the incorrect URL rather than the actual URL to which you would be taken.
iOS 11.3 also addresses 3 Kernel issues, 2 Telephony bugs (one of which could cause an SMS to unexpectedly restart the phone), and many WebKit flaws.
The full list of security issues patched in iOS 11.3 can be found here. iOS 11.3 can be downloaded over the air by going to Settings > General > Software Update. You can also connect your iOS device to your Mac and let iTunes do the update for you.
Available for all Apple Watch models, watchOS 4.3 contains new features, improvements and bug fixes. These include:
The security issues addressed are much the same as those patched in iOS 11.3. The full list of security issues addressed can be found here. To install watchOS 4.3, connect the watch to its charger, then on your iPhone open the Apple Watch app > My Watch tab > General > Software Update.
Available for Apple TV 4K and Apple TV (4th generation), tvOS 11.3 includes new features and functionality:
As with watchOS, the security issues addressed are much the same as those in iOS 11.3. The full list of security issues addressed can be found here. The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.
Included in macOS 10.13.4 and iOS 11, and also available for macOS 10.12.6 and 10.11.6, most of the changes found in the new Safari 11.1 are made under the hood. These include:
The security release notes show that 23 issues were addressed in Safari 11.1, mostly in WebKit. Safari 11.1 is available through the App Store under the Updates tab.
Circling back to the mention of Privacy Icons in macOS 10.13.4 High Sierra, iOS 11 and also part of tvOS 11.3, what’s that all about? This new feature draws your attention to Apple features that want to access your personal information, for instance, when that access is requested. You will see a welcome screen on your Mac, iOS device or Apple TV after installing the latest update, and it will explain why it’s there. On an iPhone it will look like this:
More privacy enhancements and changes are coming in response to the new privacy laws in Europe, such as the ability to download a copy of all the data Apple has on you and the ability to delete your account. With Facebook’s controversial handling of user data back in the news, this is a good time for Apple to roll out such features as it makes the company look very good in contrast.