Apple issues macOS High Sierra update to fix password-less root vulnerability

2

Comments

  • Reply 21 of 56
    update isn't showing up in the App Store.
  • Reply 22 of 56
    macxpressmacxpress Posts: 5,001member
    mac_dog said:
    update isn't showing up in the App Store.
    Are you running macOS 10.13? If you're running the beta of 10.13.2, it probably won't show up. The patch is not for 10.13.2, its for 10.13.1. 

    On a side note...when you just say the update isn't showing up thats not helpful. You need to say what you're running and any other specifics that could help someone help you. That way, I don't have to ask the question above. Thats like someone posting a helpdesk ticket saying there's a computer broken in the lab. Thanks! There's 30 computers in the lab and you didn't specify what one, what didn't work, etc. 
    edited November 2017
  • Reply 23 of 56
    djsherlydjsherly Posts: 1,022member
    felix01 said:
    Things have gotten to a sad state in the Apple Software Group when people finding bugs are saying screw the traditional 24 or 48 hour early warning before going public, Apple will just fart around and take their sweet time and/or just flat lie that they know nothing about it. Now the new norm is to publish the bug far and wide and encourage every media outlet to pick it up. Apparently the feeling is that Apple now only moves out quickly (with a fix) when publicly embarrassed instead of doing it because hundreds of thousands of their users could be harmed.
    Once doesn't make a new normal - it's just as likely the originator was simply ignorant of disclosure best practice.

    Well done Apple for patching so quickly - the vuln was there on my install.
    equality72521
  • Reply 24 of 56
    oldenboomoldenboom Posts: 4unconfirmed, member
    MacPro said:
    That was fast!  Well done Apple.
    No, it was not. Apple refuses to read their own users forums. If they would have read them, they'd known about this severe bug at least two weeks ago, as you can read here: https://forums.developer.apple.com/thread/79235 Just browse to november 13th, and read the post written by chethan177. Their excuse that they only got to know about this issue this Tuesday afternoon is just lame IMHO.
    edited November 2017 techriderDavidAlGregorywilliamlondon
  • Reply 25 of 56
    Rayz2016Rayz2016 Posts: 4,784member
    oldenboom said:
    MacPro said:
    That was fast!  Well done Apple.
    No, it was not. Apple refuses to read their own users forums. If they would have read them, they'd known about this severe bug at least two weeks ago, as you can read here: https://forums.developer.apple.com/thread/79235 Just browse to november 13th, and read the post written by chethan177. Their excuse that they only got to know about this issue this Tuesday afternoon is just lame IMHO.

    If the problem wasn’t submitted as a bug report then I’m not surprised they didn’t know about it. That’s how this stuff is usually done, rather than having engineers watching forums all day long looking for problems. 
    magman1979jahbladeequality72521williamlondonMartin57
  • Reply 26 of 56
    asdasdasdasd Posts: 5,330member
    Rayz2016 said:
    oldenboom said:
    MacPro said:
    That was fast!  Well done Apple.
    No, it was not. Apple refuses to read their own users forums. If they would have read them, they'd known about this severe bug at least two weeks ago, as you can read here: https://forums.developer.apple.com/thread/79235 Just browse to november 13th, and read the post written by chethan177. Their excuse that they only got to know about this issue this Tuesday afternoon is just lame IMHO.

    If the problem wasn’t submitted as a bug report then I’m not surprised they didn’t know about it. That’s how this stuff is usually done, rather than having engineers watching forums all day long looking for problems. 
    Watching developer forums is in fact part of the job description of some engineers. And if they aren’t watched - they should be. So should some external forums. 
    williamlondongatorguy
  • Reply 27 of 56
    MacPro said:
    That was fast!  Well done Apple.
    That should have been caught before the first developer beta. Who audits Apple SW for security?
    williamlondon
  • Reply 28 of 56
    slurpy said:
    Pretty stunning turnaround time for a company worth almost a trillion dollars with hundreds of millions of users. 


    What is stunning is how a company with such resources missed this.
    williamlondon
  • Reply 29 of 56
    Question... after the patch to close the vulnerability is applied, and going forward... should the steps, in https://support.apple.com/en-us/HT204012, to change the root user's password always be followed each time you setup a new Mac - like as a best practice?  Or is that unneccesary?  

    At the end of Apple's Security Update page (https://support.apple.com/en-us/HT208315), it states "If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update."

    I'm not clear on if the only thing that's been fixed by the security update is that the root account has been disabled again by default, or if the password has also been set to some internal-to-Apple secret.  

    Considering that it's traditionally a best practice of change the admin or root password of any computer OS, router, etc. during initial setup, the article read like it's telling customers and Enterprises to always change this password, or detailing the consequences of changing / not changing it during initial setup.
  • Reply 30 of 56
    foggyhillfoggyhill Posts: 4,767member
    techrider said:
    Question... after the patch to close the vulnerability is applied, and going forward... should the steps, in https://support.apple.com/en-us/HT204012, to change the root user's password always be followed each time you setup a new Mac - like as a best practice?  Or is that unneccesary?  

    At the end of Apple's Security Update page (https://support.apple.com/en-us/HT208315), it states "If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update."

    I'm not clear on if the only thing that's been fixed by the security update is that the root account has been disabled again by default, or if the password has also been set to some internal-to-Apple secret.  

    Considering that it's traditionally a best practice of change the admin or root password of any computer OS, router, etc. during initial setup, the article read like it's telling customers and Enterprises to always change this password, or detailing the consequences of changing / not changing it during initial setup.
    Anyone not changing a default root/admin password is asking for troubles, not sure why anyone would not do that as its been a standard practice for 30 years (at least in my circle).
  • Reply 31 of 56
    foggyhillfoggyhill Posts: 4,767member
    slurpy said:
    Pretty stunning turnaround time for a company worth almost a trillion dollars with hundreds of millions of users. 


    What is stunning is how a company with such resources missed this.
    Its stunning how people just shittalk while not knowing how things work...
    equality72521lkruppwilliamlondon
  • Reply 32 of 56
    techrider said:
    Question... after the patch to close the vulnerability is applied, and going forward... should the steps, in https://support.apple.com/en-us/HT204012, to change the root user's password always be followed each time you setup a new Mac - like as a best practice?  Or is that unneccesary?  

    At the end of Apple's Security Update page (https://support.apple.com/en-us/HT208315), it states "If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update."

    I'm not clear on if the only thing that's been fixed by the security update is that the root account has been disabled again by default, or if the password has also been set to some internal-to-Apple secret.  

    Considering that it's traditionally a best practice of change the admin or root password of any computer OS, router, etc. during initial setup, the article read like it's telling customers and Enterprises to always change this password, or detailing the consequences of changing / not changing it during initial setup.
    Enabling Root is not one of those best practices in n macOS. Apple suggests using the sudo command in Terminal instead of enabling root.

    https://support.apple.com/en-us/HT204012
  • Reply 33 of 56
    MplsPMplsP Posts: 1,725member
    slurpy said:
    Pretty stunning turnaround time for a company worth almost a trillion dollars with hundreds of millions of users. 


    What is stunning is how a company with such resources missed this.
    Totally agree. The fact that they issued a patch so quickly makes me suspect they did know about it before the general public and were already working on a patch.
    williamlondon
  • Reply 34 of 56
    Has anyone noticed any problems? I've just applied the update to three Macs, and now can't "map" a drive between any of them (Finder, Command-K, Browse, Connect As) - the dialog box just shakes when I enter the credentials (Registered user). This is happening in all permutations between these Macs. I've event restarted all three (and found that it finishes the installation), but still the same. Could be conincidental, but I've never experienced this before.
  • Reply 35 of 56
    foggyhill said:
    slurpy said:
    Pretty stunning turnaround time for a company worth almost a trillion dollars with hundreds of millions of users. 


    What is stunning is how a company with such resources missed this.
    Its stunning how people just shittalk while not knowing how things work...
    Oh, this is a f-up. (The second one with passwords with 10.13.) I don’t update until a few months have gone by, anymore.  
    williamlondon
  • Reply 36 of 56
    lkrupplkrupp Posts: 7,453member
    foggyhill said:
    slurpy said:
    Pretty stunning turnaround time for a company worth almost a trillion dollars with hundreds of millions of users. 


    What is stunning is how a company with such resources missed this.
    Its stunning how people just shittalk while not knowing how things work...
    I wish I could give your comment about 1000 likes. So many experts here telling us how Apple should have handled this, why they should have caught this, how they should have handled it. When this story broke yesterday the experts here couldn’t even agree what was happening, much less explain it properly. They argued about how to temporarily close the hole until a patch was released, accusing each other of being wrong.  We had all manner of shit-talk goin on about something no one knew anything about. And that’s why I never take anonymous expert’s advice for any reason. 
    williamlondonmacxpresssmiffy31welshdog
  • Reply 37 of 56
    lkrupplkrupp Posts: 7,453member
    And it’s over. Everybody got their shots in against Apple, spewed their vitriol and venom, predicted gloom and doom, pontificated till the cows came home. We now return you to our regularly scheduled program of pissing and moaning about something else Apple has or has not done. 
    williamlondonargonautsmiffy31
  • Reply 38 of 56
    dewmedewme Posts: 2,193member
    macxpress said:
    macseeker said:
    Apple knew of the problem 2 weeks ago.  https://forums.developer.apple.com/thread/79235#277225
    Just because it was posted on an Apple forum, doesn't mean Apple knew about this issue. I see no where in the early part of the thread where someone said they notified Apple of the issue. 
    Agreed. Almost every company provides a dedicated address for reporting product security issues. For Apple it is [email protected] Additionally, any product security issue found in any product from any vendor can be reported through US-CERT. User forums are definitely not the best place for reporting security issues. 


  • Reply 39 of 56
    dewmedewme Posts: 2,193member
    Has anyone noticed any problems? I've just applied the update to three Macs, and now can't "map" a drive between any of them (Finder, Command-K, Browse, Connect As) - the dialog box just shakes when I enter the credentials (Registered user). This is happening in all permutations between these Macs. I've event restarted all three (and found that it finishes the installation), but still the same. Could be conincidental, but I've never experienced this before.
    See https://support.apple.com/en-us/HT208315 or https://support.apple.com/en-us/HT208317
    edited November 2017 russwgregpriestley
  • Reply 40 of 56
    This fix breaks file sharing!  Patch to the patch is at  https://support.apple.com/en-us/HT208317

    Hope the patch to the patch doesn't break something else.
Sign In or Register to comment.