macOS High Sierra 10.13.4 release notes

On March 30, 2018, Apple released the major macOS High Sierra 10.13.4 software update for Mac with under-the-hood tweaks, a bunch of security fixes and some feature additions, including better support for external GPUs, Business Chat in Messages and more.

macOS High Sierra 10.13.4 is available for all Mac computer models that are compatible with High Sierra and can be downloaded from Mac App Store’s Updates tab. If you need the full installer, it’s a 4.8-gigabyte download via Mac App Store or Apple.com.

Here’s everything included in this macOS update.

macOS High Sierra 10.13.4 release notes

The macOS High Sierra 10.13.4 update improves the stability, performance and security of your Mac, and is recommended for all users.

  • Adds support for Business Chat conversations in Messages in the United States
  • Includes iMac Pro wallpaper
  • Adds support for external graphics processors (eGPUs)
  • Fixes graphics corruption issues affecting certain apps on iMac Pro
  • Allows jumping to the rightmost open tab using Command-9 in Safari
  • Enables sorting of Safari bookmarks by name or URL by Control-clicking and choosing Sort By
  • Fixes an issue that may prevent web link previews from appearing in Messages
  • Helps protect privacy by only AutoFilling usernames and passwords after selecting them in a web form field in Safari
  • Displays warnings in the Safari Smart Search field when interacting with password or credit card forms on unencrypted webpages
  • Displays the new Privacy icons and links to explain how your data will be used and protected when Apple features ask to use your personal information

Visit Apple’s website to find out what’s new in macOS High Sierra.

macOS High Sierra 10.13.4 enterprise content

The macOS High Sierra 10.13.4 update also includes the following enterprise content:

  • Improves performance when using credentials stored in the keychain to access SharePoint websites that use NTLM authentication
  • Resolves an issue that prevented Mac App Store and other processes invoked by Launch Daemons from working on networks that use proxy information defined in a PAC file
  • If you change your Active Directory user password outside of Users & Groups preferences, the new password can now be used to unlock your FileVault volume (previously, only the old password would unlock the volume)
  • Improves compatibility with SMB home directories when the share point contains a dollar sign in its name

macOS High Sierra 10.13.4 security fixes

macOS High Sierra 10.13.4 fixes the following vulnerabilities:

Admin Framework

  • Available for: macOS High Sierra 10.13.3
  • Impact: Passwords supplied to sysadminctl may be exposed to other local users
  • Description: The sysadminctl command-line tool required that passwords be passed to it in its arguments, potentially exposing the passwords to other local users. This update makes the password parameter optional and sysadminctl will prompt for the password if needed.
  • CVE-2018-4170: an anonymous researcher
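
An added audit example for the exposure described above, not code from Apple or from these release notes: it scans a process listing for sysadminctl invocations that carry a password in their arguments and reports them with the value redacted. The flag names (`-password`, `-adminPassword`, `-newPassword`), the `-` prompt placeholder and the sample listing are assumptions or constructed data, not taken from this page.

```shell
#!/bin/sh
# Audit sketch: find sysadminctl invocations whose password is visible in
# the process argument list, which any local user can read with ps.

# Constructed sample in the layout of `ps -axo user,pid,args` (header removed).
sample_ps() {
cat <<'EOF'
root   311 /usr/sbin/sysadminctl -addUser alice -password Example-Pass1
root   312 /usr/sbin/sysadminctl -addUser bob -password -
admin  313 /usr/sbin/sysadminctl -resetPasswordFor carol -newPassword Example-Pass2 -adminUser admin -adminPassword Example-Pass3
admin  314 /usr/bin/ssh build01.example.internal
EOF
}

# Reads a listing on stdin and prints "user pid flag <redacted>" for every
# password flag followed by a literal value. A value of "-" is treated as
# "prompt for it" (assumption) and is not reported. The secret itself is
# never echoed, so the report can be stored or forwarded safely.
# Limitation: ps joins arguments with spaces, so a password containing
# spaces is still detected but its extent cannot be recovered.
find_exposed_passwords() {
  awk '
    $3 ~ /sysadminctl$/ {
      for (i = 4; i < NF; i++) {
        if ($i ~ /^-(password|adminPassword|newPassword)$/ && $(i + 1) != "-") {
          printf "%s %s %s <redacted>\n", $1, $2, $i
        }
      }
    }'
}

# Demo on the constructed sample. On a live Mac, feed it real data with:
#   ps -axo user,pid,args | find_exposed_passwords
sample_ps | find_exposed_passwords
```

Scripts that still pass the password as an argument on 10.13.4 or later show up in this report and are candidates for switching to the interactive prompt.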

APFS

  • Available for: macOS High Sierra 10.13.3
  • Impact: An APFS volume password may be unexpectedly truncated
  • Description: An injection issue was addressed through improved input validation
  • CVE-2018-4105: David J Beitey (@davidjb_), Geoffrey Bugniot

ATS

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: Processing a maliciously crafted file might disclose user information
  • Description: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks.
  • CVE-2018-4112: Haik Aftandilian of Mozilla

CFNetwork Session

  • Available for: OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
  • Impact: An application may be able to gain elevated privileges
  • Description: A race condition was addressed with additional validation
  • CVE-2018-4166: Samuel Groß (@5aelo)

CoreFoundation

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: An application may be able to gain elevated privileges
  • Description: A race condition was addressed with additional validation
  • CVE-2018-4155: Samuel Groß (@5aelo)
  • CVE-2018-4158: Samuel Groß (@5aelo)

CoreText

  • Available for: macOS High Sierra 10.13.3
  • Impact: Processing a maliciously crafted string may lead to a denial of service
  • Description: A denial of service issue was addressed through improved memory handling
  • CVE-2018-4142: Robin Leroy of Google Switzerland GmbH

CoreTypes

  • Available for: OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
  • Impact: Processing a maliciously crafted webpage may result in the mounting of a disk image
  • Description: A logic issue was addressed with improved restrictions
  • CVE-2017-13890: Apple, Theodor Ragnar Gislason of Syndis

curl

  • Available for: OS X El Capitan 10.11.6 and macOS Sierra 10.12.6
  • Impact: Multiple issues in curl
  • Description: An integer overflow existed in curl. This issue was addressed through improved bounds checking.
  • CVE-2017-8816: Alex Nichols

Disk Images

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: Mounting a malicious disk image may result in the launching of an application
  • Description: A logic issue was addressed with improved validation
  • CVE-2018-4176: Theodor Ragnar Gislason of Syndis

Disk Management

  • Available for: macOS High Sierra 10.13.3
  • Impact: An APFS volume password may be unexpectedly truncated
  • Description: An injection issue was addressed through improved input validation
  • CVE-2018-4108: Kamatham Chaitanya of ShiftLeft Inc., an anonymous researcher

File System Events

  • Available for: macOS High Sierra 10.13.3
  • Impact: An application may be able to gain elevated privileges
  • Description: A race condition was addressed with additional validation
  • CVE-2018-4167: Samuel Groß (@5aelo)

iCloud Drive

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: An application may be able to gain elevated privileges
  • Description: A race condition was addressed with additional validation
  • CVE-2018-4151: Samuel Groß (@5aelo)

Intel Graphics Driver

  • Available for: macOS High Sierra 10.13.3
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A memory corruption issue was addressed with improved memory handling
  • CVE-2018-4132: Axis and pjf of IceSword Lab of Qihoo 360

IOFireWireFamily

  • Available for: macOS High Sierra 10.13.3
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved memory handling
  • CVE-2018-4135: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.

Kernel

  • Available for: macOS High Sierra 10.13.3
  • Impact: A malicious application may be able to execute arbitrary code with kernel privileges
  • Description: Multiple memory corruption issues were addressed with improved memory handling
  • CVE-2018-4150: an anonymous researcher

Kernel

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: An application may be able to read restricted memory
  • Description: A validation issue was addressed with improved input sanitization
  • CVE-2018-4104: The UK’s National Cyber Security Centre (NCSC)

Kernel

  • Available for: macOS High Sierra 10.13.3
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved memory handling
  • CVE-2018-4143: derrek (@derrekr6)

Kernel

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: An out-of-bounds read was addressed through improved bounds checking
  • CVE-2018-4136: Jonas Jensen of lgtm.com and Semmle

Kernel

  • Available for: macOS High Sierra 10.13.3
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: An out-of-bounds read was addressed through improved bounds checking
  • CVE-2018-4160: Jonas Jensen of lgtm.com and Semmle

kext tools

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: An application may be able to execute arbitrary code with system privileges
  • Description: A logic issue existed resulting in memory corruption. This was addressed with improved state management.
  • CVE-2018-4139: Ian Beer of Google Project Zero

LaunchServices

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: A maliciously crafted application may be able to bypass code signing enforcement
  • Description: A logic issue was addressed with improved validation
  • CVE-2018-4175: Theodor Ragnar Gislason of Syndis

Mail

  • Available for: macOS High Sierra 10.13.3
  • Impact: An attacker in a privileged network position may be able to exfiltrate the contents of S/MIME-encrypted e-mail
  • Description: An issue existed in the handling of S/MIME HTML e-mail. This issue was addressed by not loading remote resources on S/MIME encrypted messages by default if the message has an invalid or missing S/MIME signature.
  • CVE-2018-4111: an anonymous researcher

Mail

  • Available for: macOS High Sierra 10.13.3
  • Impact: An attacker in a privileged network position may be able to intercept the contents of S/MIME-encrypted e-mail
  • Description: An inconsistent user interface issue was addressed with improved state management
  • CVE-2018-4174: an anonymous researcher, an anonymous researcher

Notes

  • Available for: macOS High Sierra 10.13.3
  • Impact: An application may be able to gain elevated privileges
  • Description: A race condition was addressed with additional validation
  • CVE-2018-4152: Samuel Groß (@5aelo)

NSURLSession

  • Available for: macOS High Sierra 10.13.3
  • Impact: An application may be able to gain elevated privileges
  • Description: A race condition was addressed with additional validation
  • CVE-2018-4166: Samuel Groß (@5aelo)

NVIDIA Graphics Drivers

  • Available for: macOS High Sierra 10.13.3
  • Impact: An application may be able to read restricted memory
  • Description: A validation issue was addressed with improved input sanitization
  • CVE-2018-4138: Axis and pjf of IceSword Lab of Qihoo 360

PDFKit

  • Available for: macOS High Sierra 10.13.3
  • Impact: Clicking a URL in a PDF may visit a malicious website
  • Description: An issue existed in the parsing of URLs in PDFs. This issue was addressed through improved input validation.
  • CVE-2018-4107: an anonymous researcher

PluginKit

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: An application may be able to gain elevated privileges
  • Description: A race condition was addressed with additional validation
  • CVE-2018-4156: Samuel Groß (@5aelo)

Quick Look

  • Available for: macOS High Sierra 10.13.3
  • Impact: An application may be able to gain elevated privileges
  • Description: A race condition was addressed with additional validation
  • CVE-2018-4157: Samuel Groß (@5aelo)

Security

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: A malicious application may be able to elevate privileges
  • Description: A buffer overflow was addressed with improved size validation
  • CVE-2018-4144: Abraham Masri (@cheesecakeufo)

Storage

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: An application may be able to gain elevated privileges
  • Description: A race condition was addressed with additional validation
  • CVE-2018-4154: Samuel Groß (@5aelo)

System Preferences

  • Available for: macOS High Sierra 10.13.3
  • Impact: A configuration profile may incorrectly remain in effect after removal
  • Description: An issue existed in CFPreferences. This issue was addressed through improved preferences cleanup.
  • CVE-2018-4115: Johann Thalakada, Vladimir Zubkov, and Matt Vlasach of Wandera

Terminal

  • Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6 and macOS High Sierra 10.13.3
  • Impact: Pasting malicious content may lead to arbitrary command execution spoofing
  • Description: A command injection issue existed in the handling of Bracketed Paste Mode. This issue was addressed through improved validation of special characters.
  • CVE-2018-4106: Simon Hosie

WindowServer

  • Available for: macOS High Sierra 10.13.3
  • Impact: An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled
  • Description: By scanning key states, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by improved state management.
  • CVE-2018-4131: Andreas Hegenberg of folivora.AI GmbH

These fixes are available for macOS Sierra and macOS El Capitan as standalone Security Update 2018-002 Sierra and Security Update 2018-002 El Capitan downloads.

For detailed info on the security content of macOS High Sierra 10.13.4, read this support document. For more on security updates for all Apple software, visit the official website.

Some features may not be available for all countries or all areas.

For details, visit Apple’s official macOS Feature Availability webpage.