

Apple Inc. has issued a security update for macOS High Sierra that patches a severe vulnerability identified in September that allows unsigned apps to capture plain-text passwords from the Mac keychain.
The High Sierra 10.13 Supplemental Update actually fixes two security issues: the previously disclosed keychain vulnerability, and a newly identified vulnerability that allows passwords to be recovered via the Apple File System, also known as APFS.
The new vulnerability is described by Apple as a bug that may allow local attackers to “gain access to an encrypted APFS volume.” Should they be successful, they could obtain password information if a “hint was set in Disk Utility when creating an APFS encrypted volume.” In plain English, that means that for some wacky reason — likely bad coding — the actual password was stored as the password hint.
Describing the new vulnerability as “facepalming,” the security team at Sophos detailed in a blog post Thursday just how easy it is to access a password through a process that involves the High Sierra version of Disk Utility. “A bad look for Apple, letting a buggy system utility like that into a production release … but a creditable response by Apple in getting a fix out quickly,” Sophos added.
Mac users who have installed High Sierra are encouraged to install the update as soon as possible. To run the update, launch the App Store and click the Updates icon. When the update appears in the list, click the Update button on the right. The installation takes two to three minutes and requires a restart to complete.