Apple issues macOS High Sierra update to fix password-less root vulnerability

Posted:
in macOS edited November 2017
Apple on Wednesday released a special security update for macOS High Sierra, solving a recently uncovered flaw which would let people gain root access without entering a password.




The patch, Security Update 2017-001, should be available through the Updates tab in the Mac App Store. After installation, the build number of High Sierra will be 17B1002.

Apple notes that if people require a root user account on their Mac, they can create one and assign a password through System Preferences.

The vulnerability was first exposed on Tuesday. Within hours, Apple was already promising an update, though it didn't provide an exact timeline.

Apple also issued a statement to The Loop on the misstep:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
«13

Comments

  • Reply 1 of 56
    MacProMacPro Posts: 17,778member
    That was fast!  Well done Apple.
    stanthemanmagman1979racerhomieSoliMartin57
  • Reply 2 of 56
    Unless already baked in, this security update patch is not available if using the current 10.13.2 Beta (17C83a) build.
  • Reply 3 of 56
    Ok to use black as the password user root?
  • Reply 4 of 56
    We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
    Nice to know, Apple. However, with the best will and intentions in the world, this type of security error will occur again.

    The seriousness with which you have audited release iterations these past few years (being the exact opposite approach of best practice from Google and Microsoft) is why I have stayed loyal to the marque.
    racerhomiejony0
  • Reply 5 of 56
    I'm impressed.  I wouldn't have thought it possible to push out of fix to users within (essentially) 24 hours of being notified of the vulnerability.  Perhaps you have to be in IT and have some experience with release management to appreciate how exceptional this type of turnaround is.  More than a people at 1 Infinite Loop and/or Apple Park didn't get any sleep last night.
    equality72521magman1979racerhomiejony0
  • Reply 6 of 56
    Unless already baked in, this security update patch is not available if using the current 10.13.2 Beta (17C83a) build.
    If you're sophisticated enough to be running a beta OS, you (not you specifically of course) should have already fixed the problem by following the instructions to set your root password.
  • Reply 7 of 56
    This was a backdoor for testing that somehow got left in the release code. Really shoddy work by Apple.
    williamlondonDavidAlGregoryjahblade
  • Reply 8 of 56
    grangerfx said:
    This was a backdoor for testing that somehow got left in the release code. Really shoddy work by Apple.
    // I should remove this before compiling. Jake the Intern.
    if ($password=="") $auth_success=true;

    stantheman
  • Reply 9 of 56
    lkrupplkrupp Posts: 6,530member
    grangerfx said:
    This was a backdoor for testing that somehow got left in the release code. Really shoddy work by Apple.
    Blathering idiocy.
    williamlondonmacplusplush2pmwhiteDavidAlGregorymagman1979racerhomiejony0Martin57
  • Reply 10 of 56
    Apple knew of the problem 2 weeks ago.  https://forums.developer.apple.com/thread/79235#277225
    stevenozkarskdysamorialiketheskyDavidAlGregory
  • Reply 11 of 56
    Looks like the servers are being hammered, the update progress dials on my two machines just keep spinning (and have been for several minutes).
  • Reply 12 of 56
    But what about diversity? There are many cultures that don’t have a concept of passwords. How do you keep them happy?
    monstrosityelijahgDavidAlGregory
  • Reply 13 of 56
    slurpyslurpy Posts: 5,062member
    Pretty stunning turnaround time for a company worth almost a trillion dollars with hundreds of millions of users. 


    magman1979
  • Reply 14 of 56
    macxpressmacxpress Posts: 4,641member
    macseeker said:
    Apple knew of the problem 2 weeks ago.  https://forums.developer.apple.com/thread/79235#277225
    Just because it was posted on an Apple forum, doesn't mean Apple knew about this issue. I see no where in the early part of the thread where someone said they notified Apple of the issue. 
    dysamoriawilliamlondonmagman1979jahbladeracerhomie
  • Reply 15 of 56
    dysamoriadysamoria Posts: 1,859member
    But what about diversity? There are many cultures that don’t have a concept of passwords. How do you keep them happy?
    Someone needs to properly learn the concept of diversity. 
    montrosemacs
  • Reply 16 of 56
    tipootipoo Posts: 975member
    Looks like this was known about two weeks ago. Only having a 'drop everything and fix shit' patch 24 hours later is just from the point of mass media coverage forming a critical mass, which seems endemic of Apple fixes right now. 

    https://forums.developer.apple.com/thread/79235


    I hope their audit brings about good change. Their QC seems whack of late. I don't care if it's longer between OS releases, I want them stable, secure, and high performance.
    h2pwilliamlondon
  • Reply 17 of 56
    dysamoriadysamoria Posts: 1,859member
    Apple doesn't need to audit their development process. Their users who care about attention to detail have already done that for them. We have found that Apple is releasing new versions too effing rapidly.
  • Reply 18 of 56
    I'm impressed.  I wouldn't have thought it possible to push out of fix to users within (essentially) 24 hours of being notified of the vulnerability.  Perhaps you have to be in IT and have some experience with release management to appreciate how exceptional this type of turnaround is.  More than a people at 1 Infinite Loop and/or Apple Park didn't get any sleep last night.
    They probably have shortcuts (manual overrides) in all parts of their development/release pipelines to allow that.
  • Reply 19 of 56
    Finally got in, now showing 10.13.1, Build 17B1002.
  • Reply 20 of 56
    Things have gotten to a sad state in the Apple Software Group when people finding bugs are saying screw the traditional 24 or 48 hour early warning before going public, Apple will just fart around and take their sweet time and/or just flat lie that they know nothing about it. Now the new norm is to publish the bug far and wide and encourage every media outlet to pick it up. Apparently the feeling is that Apple now only moves out quickly (with a fix) when publicly embarrassed instead of doing it because hundreds of thousands of their users could be harmed.
    williamlondon
Sign In or Register to comment.