Apple issues macOS High Sierra update to fix password-less root vulnerability


Comments

  • Reply 41 of 55
    danvm Posts: 1,400 member
    lkrupp said:
    And it’s over. Everybody got their shots in against Apple, spewed their vitriol and venom, predicted gloom and doom, pontificated till the cows came home. We now return you to our regularly scheduled program of pissing and moaning about something else Apple has or has not done. 
    Looks like it isn't over.  The fix breaks file sharing. 
    https://support.apple.com/en-us/HT208317

    So you still have one more thing to do.  Looks like "It Just Works" doesn't exist anymore.  
  • Reply 42 of 55
    kevin kee Posts: 1,289 member
    danvm said:
    lkrupp said:
    And it’s over. Everybody got their shots in against Apple, spewed their vitriol and venom, predicted gloom and doom, pontificated till the cows came home. We now return you to our regularly scheduled program of pissing and moaning about something else Apple has or has not done. 
    Looks like it isn't over.  The fix breaks file sharing. 
    https://support.apple.com/en-us/HT208317

    So you still have one more thing to do.  Looks like "It Just Works" doesn't exist anymore.  
    Overstated. This didn't break everyone's file sharing.
  • Reply 43 of 55
    Rayz2016 Posts: 6,957 member
    asdasd said:
    Rayz2016 said:
    oldenboom said:
    MacPro said:
    That was fast!  Well done Apple.
    No, it was not. Apple refuses to read their own users' forums. If they had read them, they'd have known about this severe bug at least two weeks ago, as you can read here: https://forums.developer.apple.com/thread/79235 Just browse to November 13th, and read the post written by chethan177. Their excuse that they only got to know about this issue this Tuesday afternoon is just lame IMHO.

    If the problem wasn’t submitted as a bug report then I’m not surprised they didn’t know about it. That’s how this stuff is usually done, rather than having engineers watching forums all day long looking for problems. 
    Watching developer forums is in fact part of the job description of some engineers. And if they aren’t watched - they should be. So should some external forums. 
    No they shouldn’t. Watching forums is a waste of any engineer’s time because you can spend days following a stream of consciousness that leads nowhere, or thousands of posts posted by trolls that aren’t even true. Do you think Apple can find anything useful watching MacForums?

    If you have a problem, file a bug report. 

    edited November 2017
  • Reply 44 of 55
    Rayz2016 Posts: 6,957 member
    MplsP said:
    slurpy said:
    Pretty stunning turnaround time for a company worth almost a trillion dollars with hundreds of millions of users. 
    What is stunning is how a company with such resources missed this.
    Totally agree. The fact that they issued a patch so quickly makes me suspect they did know about it before the general public and were already working on a patch.
    And the fact that the fix introduced another problem tells me that they didn’t. I knew that turning around something this fast would cause problems elsewhere, and so did Apple. They also knew that the original security hole was so severe that a quick fix was worth the risk. 
    edited November 2017
  • Reply 45 of 55
    Rayz2016 Posts: 6,957 member
    slurpy said:
    Pretty stunning turnaround time for a company worth almost a trillion dollars with hundreds of millions of users. 
    What is stunning is how a company with such resources missed this.
    What is stunning is that you think this is a resource problem. 
  • Reply 46 of 55
    Rayz2016 Posts: 6,957 member
    This, from Apple:

    Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

    When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

    We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

    https://daringfireball.net/

    http://www.bbc.co.uk/news/technology-42174168

    As others have pointed out, posting on a forum is not good enough. You need to file a bug report. And the fella who was criticised for not following disclosure practices seems to think “it’s not my job” is an excuse. 

    More importantly, it’s good that Apple is looking at its development process. That’s what I wanted to hear. 

    edited November 2017
  • Reply 47 of 55
    Hey, people make mistakes.  Even if it was discovered a week ago, this patch was executed quickly.  In reality, which I try to visit once or twice a day, the greatest security exposure occurs when the mass media reports the bug.  Apple managed an automatic fix within ~24 hours of the story breaking.  Stunning.  This near Trillion dollar company responded like a new startup.  That’s remarkable and informative.  Steve’s “World’s biggest startup” still is.
  • Reply 48 of 55
    Rayz2016 Posts: 6,957 member
    kamilton said:
    Hey, people make mistakes.  Even if it was discovered a week ago, this patch was executed quickly.  In reality, which I try to visit once or twice a day, the greatest security exposure occurs when the mass media reports the bug.  Apple managed an automatic fix within ~24 hours of the story breaking.  Stunning.  This near Trillion dollar company responded like a new startup.  That’s remarkable and informative.  Steve’s “World’s biggest startup” still is.
    Well, yes, that’s a good point I suppose. 
  • Reply 49 of 55
    cropr Posts: 1,122 member
    I'm impressed.  I wouldn't have thought it possible to push out a fix to users within (essentially) 24 hours of being notified of the vulnerability.  Perhaps you have to be in IT and have some experience with release management to appreciate how exceptional this type of turnaround is.  More than a few people at 1 Infinite Loop and/or Apple Park didn't get any sleep last night.
    Actually the issue was raised on the Apple support forum on 13th of November.   So it took Apple more than 2 weeks to react.  Not impressive at all.
  • Reply 50 of 55
    asdasd Posts: 5,686 member
    Rayz2016 said:
    asdasd said:
    Rayz2016 said:
    oldenboom said:
    MacPro said:
    That was fast!  Well done Apple.
    No, it was not. Apple refuses to read their own users' forums. If they had read them, they'd have known about this severe bug at least two weeks ago, as you can read here: https://forums.developer.apple.com/thread/79235 Just browse to November 13th, and read the post written by chethan177. Their excuse that they only got to know about this issue this Tuesday afternoon is just lame IMHO.

    If the problem wasn’t submitted as a bug report then I’m not surprised they didn’t know about it. That’s how this stuff is usually done, rather than having engineers watching forums all day long looking for problems. 
    Watching developer forums is in fact part of the job description of some engineers. And if they aren’t watched - they should be. So should some external forums. 
    No they shouldn’t. Watching forums is a waste of any engineer’s time because you can spend days following a stream of consciousness that leads nowhere, or thousands of posts posted by trolls that aren’t even true. Do you think Apple can find anything useful watching MacForums?

    If you have a problem, file a bug report. 

    Plenty of Apple developers (particularly those working for DTS) do in fact post on those forums as part of their job. This one seems to have been missed.

    And plenty of companies watch external forums, and log internal bugs. I have worked for a company where testers would try to reproduce externally found issues, even on external forums (obviously this was a company with a fairly famous product). In the company I now work for we do in fact take the customer-facing forums very seriously. In fact it often gets escalated to CEO level, admittedly this is a smaller company with fewer posts. Apple is in fact doing what you people think it shouldn't do, it just slipped up here. 

    Internal testers aren't going to find everything. To find this they would have had to try the root user twice with no password, but the root user shouldn't even be enabled. So it would never have been part of a test book. And Apple, even with a large testing team, isn't going to have every single Mac set up the way its millions of users have. Since an ordinary punter isn't going to log a bug (they may send an email to Tim) watching forums is an important thing to do.

    edited November 2017
  • Reply 51 of 55
    asdasd Posts: 5,686 member
    It looks like Apple did not really have that many resources in that particular sub forum though. It was the beta subforum, so after the release they may have stopped watching it. 
  • Reply 52 of 55
    foggyhill Posts: 4,767 member
    Rayz2016 said:
    kamilton said:
    Hey, people make mistakes.  Even if it was discovered a week ago, this patch was executed quickly.  In reality, which I try to visit once or twice a day, the greatest security exposure occurs when the mass media reports the bug.  Apple managed an automatic fix within ~24 hours of the story breaking.  Stunning.  This near Trillion dollar company responded like a new startup.  That’s remarkable and informative.  Steve’s “World’s biggest startup” still is.
    Well, yes, that’s a good point I suppose. 
    The bug that occurred from the fix was a lot less severe than the original one.
    Fixing fast often introduces regressions, that's why you try to not do it usually (that's why QA exists and you got your whole test suites going during the build process).
  • Reply 53 of 55
    Rayz2016 said:
    Do you think Apple can find anything useful watching MacForums?
    Yeah, they can find out what Android shills are thinking.
  • Reply 54 of 55
    welshdog Posts: 1,897 member
    The security update installed last night. This morning I see that Mail is asking me for permission to make a network connection for every single piece of mail I try to read.  Not sure if the two things are connected.
  • Reply 55 of 55
    Marvin Posts: 15,310 moderator
    asdasd said:
    Internal testers aren't going to find everything. To find this they would have had to try the root user twice with no password, but the root user shouldn't even be enabled. So it would never have been part of a test book. And Apple, even with a large testing team, isn't going to have every single Mac set up the way its millions of users have. Since an ordinary punter isn't going to log a bug (they may send an email to Tim) watching forums is an important thing to do.
    This is what automated testing is for. They can program test scenarios to run every combination they want for every release, including UI actions. They clearly aren't doing enough of this for Safari or Mail either, because I've had WebKit crashes on websites and SSL crashes on Mail that weren't there before; they are introducing bugs and not testing for them. Most of the automated tests would just need to be written once and work for every release, and they'd focus on the parts of the system they knew they'd changed. For every Safari release, they should run it against a few million of the top websites to check for errors, performance issues and crashes and fix them before release.

    This kind of testing would be trivial for Apple. They have their own development language with Swift, they have full access to the OS UI and hardware firmware, they can have a team write up millions of automated testing scenarios and every single app and OS release can be installed on a network of test machines and run against them. It can test every kind of login 100 times. This kind of serious bug should never happen. Hopefully their security review will result in a more robust testing procedure going forward.