Updating to latest macOS 10.13.1 disables Apple's 'root' bug patch
It appears Apple's quick fix for the recently discovered root user bug can be disabled by upgrading to macOS 10.13.1 from a previous version of the operating system, meaning users who do so are unwittingly reintroducing the glaring security hole.
According to a Wired report on Friday, multiple users have confirmed that upgrading from macOS 10.13.0 High Sierra to the latest version 10.13.1, released at the end of October, defeats Apple's security patch for the root user login flaw.
In particular, users running macOS 10.13.0 who downloaded and installed the security update released on Wednesday say the root bug reappears after upgrading to macOS 10.13.1.
Making matters worse, two people who attempted to reinstall Apple's fix after upgrading to macOS 10.13.1 say the root login bug persists until the system is rebooted. Apple in its documentation does not list rebooting as part of the required installation process.
"I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad," said Thomas Reed, a security researcher at MalwareBytes. "Anyone who hasn't yet updated to 10.13.1, they're now in the pipeline headed straight for this issue."
Reed went on to point out that many Mac owners do not reboot their computer for months at a time, meaning the root flaw could in some cases linger.
Earlier this week researchers publicized a macOS security bug that allows anyone to log in to a Mac running High Sierra as its "root" System Administrator without first requiring a password. Less than 24 hours later, Apple pushed out Security Update 2017-001 via the Mac App Store, plugging the hole.
The security patch introduced its own problems, however, as users had issues authenticating or connecting to file shares on their Mac. Apple posted a quick Terminal fix to its Support Pages before reissuing the security patch with a permanent solution a few hours later.
While not as damaging as the original root user bug, the glitch in Apple's security patch is unusually sloppy for the Cupertino tech giant. How the two bugs in the security patch slipped past Apple's quality assurance team is unknown.
Comments
Some irresponsible scumbag tells the world about a zero-day exploit before telling Apple. Apple releases a fix for that in less than a day. A few days later people find obscure ways that the fix can be unfixed. I have no doubt that Apple has been working on a proper fix all along and they are going to make sure it's fully tested and released properly very soon. In the meantime, if you are concerned don't let bad guys get their hands on your hardware or take 20 seconds to set a flippin' root password and be completely protected.
I know Apple and the Apple I know isn’t like this, so sloppy.
Oh, and there is a new time bug as well:
https://www.reddit.com/r/iphone/comments/7gzntq/psa_iphone_rebootrespring_issues_megathread/
https://daringfireball.net/2017/11/high_sierra_root_login_two_weeks_ago
edit: and a link to 'straight from the horse's mouth':
https://medium.com/@lemiorhan/the-story-behind-anyone-can-login-as-root-tweet-33731b5ded71
But date and time-related bugs just seem weird.
High Sierra. I can’t get through a day without at least one forced reboot following some kernel panic.
A month... I wish.
Leap-year bug
https://discussions.apple.com/thread/1335457?start=0&tstart=0
Zune chokes on leap-year bug
https://www.macworld.com/article/1137846/zunebug.html
Yes, Microsoft Azure Was Downed By Leap-Year Bug
https://www.wired.com/2012/03/azure-leap-year-bug/
Apple promises a fix for iPhone bricking stemming from date and time bug
http://www.idownloadblog.com/2016/02/15/apple-fix-iphone-bricking-date-time-bug/
iCloud time zone bug / Calendar mismatch with PC time zone
https://discussions.apple.com/thread/3409043?start=30&tstart=0
~Yoda
So IMHO there were two opportunities by supposed professionals to inform Apple of the flaw before things hit the fan. First was the commenter in the developer forum who mentioned the flaw but did not report it (perhaps he had used it before to get into places he normally couldn’t, his own private back door so to speak). Second was the dirtbag who announced the flaw to the world in a tweet, “Hey Apple, do you know about this, ha ha ha?”
Apple does not escape any blame here. They screwed up big time and deserve every slap in the face they get for it. But the angst and fear caused by this could have been avoided, in my opinion, if two people had acted responsibly. The flaw would have been fixed and users protected before the details were released.