Updating to latest macOS 10.13.1 disables Apple's 'root' bug patch

Posted in macOS, edited December 2017
It appears Apple's quick fix for the recently discovered root user bug can be disabled by upgrading to macOS 10.13.1 from a previous version of the operating system, meaning users who do so are unwittingly reintroducing the glaring security hole.
According to a Wired report on Friday, multiple users have confirmed that upgrading from macOS 10.13.0 High Sierra to the latest version 10.13.1, released at the end of October, defeats Apple's security patch for the root user login flaw.

In particular, users running macOS 10.13.0 who downloaded and installed the security update released on Wednesday say the root bug reappears after upgrading to macOS 10.13.1.

Making matters worse, two people who attempted to reinstall Apple's fix after upgrading to macOS 10.13.1 say the root login bug persists until the system is rebooted. Apple in its documentation does not list rebooting as part of the required installation process.

"I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad," said Thomas Reed, a security researcher at MalwareBytes. "Anyone who hasn't yet updated to 10.13.1, they're now in the pipeline headed straight for this issue."

Reed went on to point out that many Mac owners do not reboot their computer for months at a time, meaning the root flaw could in some cases linger.

Earlier this week researchers publicized a macOS security bug that allows anyone to log in to a Mac running High Sierra as its "root" System Administrator without first requiring a password. Less than 24 hours later, Apple pushed out Security Update 2017-001 via the Mac App Store, plugging the hole.

The security patch introduced its own problems, however, as users had issues authenticating or connecting to file shares on their Mac. Apple posted a quick Terminal fix to its Support Pages before reissuing the security patch with a permanent solution a few hours later.

While not as damaging as the original root user bug, the glitch in Apple's security patch is unusually sloppy for the Cupertino tech giant. How the two bugs in the security patch slipped past Apple's quality assurance team is unknown.

Comments

  • Reply 1 of 32
    netrox Posts: 551, member
    So, let me get this right... I already updated to 10.13.1 last month so it's not affecting the recent security update, right?
  • Reply 2 of 32
    That's sick.
    edited December 2017 mike54
  • Reply 3 of 32
    Sloppy
    mike54
  • Reply 4 of 32
    So, what's wrong with that? The update and the bug both work as expected. One will install 10.13.1 first, then install Security Update 2017-001 over that, else macOS will already automatically install the security update on 10.13.1. Apple should stick to the released build number and should not distribute the "corrected" one with a different build number: that would create huge confusions among users and support staff. This is how it works in Windows or other software too.
    randominternetperson, racerhomie
  • Reply 5 of 32
    mike54 Posts: 161, member
    I don't think Apple has thought this through enough before releasing the quick fix. Seems like a string of knee-jerk reactions to the bugs which introduces further complications. Maybe there was no way round this, but now they should release another general MacOS update asap and incorporate only these two bug fixes in, not the features planned for the 10.13.2 update (this should then become 10.13.3). Maybe they plan to do this already.
  • Reply 6 of 32
    So...Apple is bad for not adding a patch released two days ago into an update released over a month ago? Hmmm...they’re an EVIL company for not adding future patches into their already released updates/upgrades! *sarcasm* I want all of next year’s updates and patches in last month’s update, I tell ya!! hahaha
  • Reply 7 of 32
    So...Apple is bad for not adding a patch released two days ago into an update released over a month ago? Hmmm...they’re an EVIL company for not adding future patches into their already released updates/upgrades! *sarcasm* I want all of next year’s updates and patches in last month’s update, I tell ya!! hahaha
    They could easily require you to install the update before installing the patch.
  • Reply 8 of 32
    Soli Posts: 6,677, member
    I agree that it's sloppy. This seems like something very simple to add to this update. The update didn't even require a restart.
  • Reply 9 of 32
    Yawn.

    Some irresponsible scumbag tells the world about a zero-day exploit before telling Apple.  Apple releases a fix for that in less than a day.  A few days later people find obscure ways that the fix can be unfixed.  I have no doubt that Apple has been working on a proper fix all along and they are going to make sure it's fully tested and released properly very soon.  In the meantime, if you are concerned don't let bad guys get their hands on your hardware or take 20 seconds to set a flippin' root password and be completely protected.
    bshank
  • Reply 10 of 32
    Soli Posts: 6,677, member
    Yawn.

    Some irresponsible scumbag tells the world about a zero-day exploit before telling Apple.  Apple releases a fix for that in less than a day.  A few days later people find obscure ways that the fix can be unfixed.  I have no doubt that Apple has been working on a proper fix all along and they are going to make sure it's fully tested and released properly very soon.  In the meantime, if you are concerned don't let bad guys get their hands on your hardware or take 20 seconds to set a flippin' root password and be completely protected.
    I believe I read that Apple was aware of the bug two weeks prior to being made public.
    ktappe
  • Reply 11 of 32
    stuke Posts: 56, member
    Apple, come on!  Get your shit together.  Stop releasing so many new updates so frequently as obvious betas. Pay for good engineering, and maybe Steve can Rest In Peace!
  • Reply 12 of 32
    dr. x Posts: 143, member
    What a joke! Apple does need to get their shit together quickly or else things are going to go down the tubes if it hasn’t already.

    I know Apple and the Apple I know isn’t like this, so sloppy.
    edited December 2017
  • Reply 13 of 32
    philboogie Posts: 7,387, member
    Patch one bug, receive a new one. When is Apple going to release bug-free software?

    Oh, and there is a new time bug as well:
    https://www.reddit.com/r/iphone/comments/7gzntq/psa_iphone_rebootrespring_issues_megathread/
  • Reply 14 of 32
    philboogie Posts: 7,387, member
    Soli said:
    I believe I read that Apple was aware of the bug two weeks prior to being made public.
    That is correct:
    https://daringfireball.net/2017/11/high_sierra_root_login_two_weeks_ago

    edit: and a link to 'straight from the horse's mouth':
    https://medium.com/@lemiorhan/the-story-behind-anyone-can-login-as-root-tweet-33731b5ded71

    edited December 2017 Soli, macplusplus
  • Reply 15 of 32
    Soli Posts: 6,677, member
    Patch one bug, receive a new one. When is Apple going to release bug-free software?

    Oh, and there is a new time bug as well:
    https://www.reddit.com/r/iphone/comments/7gzntq/psa_iphone_rebootrespring_issues_megathread/

    I can't imagine that ever happening. If we could envision some reality where there were no possible new features or need for ever-improving security or performance, then companies could theoretically just keep making their SW more and more bug free, but even then there would likely be a point where the cost of rooting out and fixing even the most minor bugs becomes too costly to even bother. We can look at defunct apps and/or tech companies to see how that may go.

    But date and time-related bugs just seem weird.
    edited December 2017 StrangeDays
  • Reply 16 of 32
    Speed1050 Posts: 8, unconfirmed member
    Great story, must read again. I like this line though: Reed went on to point out that many Mac owners do not reboot their computer for months at a time...

    High Sierra. I can’t get through a day without at least one forced reboot following some kernel panic.

    A month... I wish.
  • Reply 17 of 32
    philboogie Posts: 7,387, member
    Soli said:
    When is Apple going to release bug-free software?

    I can't imagine that ever happening.
    Me neither, I was being over the top, so to speak. But I do think they need to do a better job in the QA dept (or wherever). I understand that while Date & Time seems easy, allegedly it's not. But there have been so many problems, for so many companies to get Date & Time right...I wouldn't hold my breath for these bugs to become a thing of the past.

    Leap-year bug

    https://discussions.apple.com/thread/1335457?start=0&tstart=0

    Zune chokes on leap-year bug

    https://www.macworld.com/article/1137846/zunebug.html

    Yes, Microsoft Azure Was Downed By Leap-Year Bug

    https://www.wired.com/2012/03/azure-leap-year-bug/

    Apple promises a fix for iPhone bricking stemming from date and time bug

    http://www.idownloadblog.com/2016/02/15/apple-fix-iphone-bricking-date-time-bug/

    iCloud time zone bug / Calendar mismatch with PC time zone

    https://discussions.apple.com/thread/3409043?start=30&tstart=0
    Soli
  • Reply 18 of 32
    Something fishy here swims

    ~Yoda
  • Reply 19 of 32
    How long can it take to have a class lawsuit against Apple for permanently staying on a current (working) iOS release?
    edited December 2017 dysamoria
  • Reply 20 of 32
    Bacillus3 said:
    How long can it take to have a class lawsuit against Apple for permanently staying on a current (working) iOS release?
    What??