Apple has posted the annual full overhaul of the Mac operating system , this time focusing on a redesign of the look and feel of the interface . The 10.14 incarnation of macOS , known as Mojave , has been released Vulnerability-related.PatchVulnerability into general availability . It includes new features , interface updates , and security patches – though at least one hole was left unpatched Vulnerability-related.PatchVulnerability . Apple is touting a set of interface improvements with the update , most notably the addition of a `` Dark Mode '' color scheme option and a Dynamic Desktop background that changes the image with the time of day . In more useful features , there 's the Stacks utility that organizes messy desktops by grouping files into categories . Apple also added a set of new News , Stocks , Voice Memos , and Home applications for macOS , porting the tools from iOS , while the Mac Continuity Camera app will let users snap and share pictures from their iOS device . Apple also redesigned the macOS version of the App Store service . Nestled into the Mojave update was a patch bundle that addresses Vulnerability-related.PatchVulnerability more than a half-dozen security holes . Mojave will include fixes for eight CVE-listed vulnerabilities . These include two remote code execution flaws in the kernel ( CVE-2018-4336 , CVE-2018-4344 ) and weak RC4 encryption ( CVE-2016-1777 ) . That '4344 flaw was discovered Vulnerability-related.DiscoverVulnerability by eggheads at the UK government 's eavesdropping nerve center , GCHQ . Other flaws include a traffic intercept flaw in Bluetooth ( CVE-2018-5383 ) , a sandbox escape in the operation firewall ( CVE-2018-4353 ) , a restricted memory access flaw in Crash Reporter ( CVE-2018-4333 ) , and flaws in both Auto Unlock ( CVE-2018-4321 ) and App Store ( CVE-2018-4324 ) that would allow an attacker to access the user 's Apple ID . Seemingly , these patches are only available Vulnerability-related.PatchVulnerability for macOS 10.14 – however , previous versions of the operating system were fixed Vulnerability-related.PatchVulnerability up last week . It did n't take long for at least one researcher to blast holes in the security features of the new operating system . Shortly after Mojave arrived , macOS guru Patrick Wardle dropped word of a vulnerability he discovered Vulnerability-related.DiscoverVulnerability that would allow an attacker to bypass the privacy safeguards in Mojave that would normally prevent an unauthorized app from accessing things like users ' contact details . Here 's a video of the exploit ... Wardle said Vulnerability-related.DiscoverVulnerability he has reported Vulnerability-related.DiscoverVulnerability the bug to Apple , but will not release details beyond the proof-of-concept video until a fix can be released Vulnerability-related.PatchVulnerability . More technical details are due to be released in November .

Ormandy has reported Vulnerability-related.DiscoverVulnerability several critical security flaws in the password manager during the past week , and this weekend he has managed to discover Vulnerability-related.DiscoverVulnerability a new one . “ I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43 . Full report and exploit on the way , ” he stated in his tweet . Ah-ha , I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. pic.twitter.com/vQn20D9VCy — Tavis Ormandy ( @ taviso ) March 25 , 2017 This member of Google ’ s Project Zero security team is already well known for his abilities to locate and report Vulnerability-related.DiscoverVulnerability serious vulnerabilities in many widely used services , and even in the password manager that was supposed to be safe . The comment from LastPass states that the flaw is “ unique and highly sophisticated ” . So far , they have not shared any details that could be exploited Vulnerability-related.DiscoverVulnerability before fixing Vulnerability-related.PatchVulnerability is complete , but this is the second weekend in a row that LastPass security team is on a bug fixing Vulnerability-related.PatchVulnerability duty . They thanked Tavis and others like him for reporting Vulnerability-related.DiscoverVulnerability these sort of problems and helping them make online security even better for the rest of their users . Not everyone was happy about Ormandy ’ s newest twitter news . Some even called him on sharing Vulnerability-related.DiscoverVulnerability the news about the latest bug problem , believing that his actions only cause fear and uncertainty . What they fail to realize Vulnerability-related.DiscoverVulnerability is that all services have to face vulnerabilities from time to time , and all of them get patched up Vulnerability-related.PatchVulnerability as soon as they are discovered Vulnerability-related.DiscoverVulnerability . Most if not all online services have had their fair share Vulnerability-related.DiscoverVulnerability of security issues , and most of them managed to get discovered Vulnerability-related.DiscoverVulnerability and fixed Vulnerability-related.PatchVulnerability by people like Ormandy .

LastPass engineers have Google researcher Tavis Ormandy to thank yet again for another busy few days after the British white hat found Vulnerability-related.DiscoverVulnerability a second critical bug in the password manager . Ormandy tweeted over the weekend that he began ‘ working ’ on the research in an unusual location : “ Ah-ha , I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43 . Full report and exploit on the way. ” On Monday , LastPass responded by explaining that the Google Project Zero man had reported Vulnerability-related.DiscoverVulnerability a new client-side vulnerability in its browser extension . “ We are now actively addressing Vulnerability-related.PatchVulnerability the vulnerability . This attack is unique and highly sophisticated , ” it added . “ We don ’ t want to disclose Vulnerability-related.DiscoverVulnerability anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties . So you can expect a more detailed post mortem once this work is complete. ” The firm offered a few steps that users could take to protect themselves from client-side security issues . These include : launching sites directly from the LastPass vault ; switching on two-factor authentication for any site that offers it ; and to be constantly on the lookout for phishing attacks Attack.Phishing . It ’ s the second vulnerability in a week that Ormandy has reported Vulnerability-related.DiscoverVulnerability to LastPass . Last week , the password manager firm was forced to fix Vulnerability-related.PatchVulnerability a critical zero day that would have allowed remote code execution , enabling an attacker to steal users ’ passwords . The prolific Ormandy also helped to make the firm more secure last year when he found Vulnerability-related.DiscoverVulnerability “ a bunch of obvious critical problems ” in the service . Yet he has also publicly appeared to query the logic of using an online service which , if breached , could give up its customers ’ passwords . One Twitter follower claimed at the time : “ I 'm perplexed anyone uses an online service to store passwords. ” Ormandy responded : “ Yeah , me too . ”