Updating to latest macOS 10.13.1 disables Apple's 'root' bug patch

Posted:
in macOS edited December 2017
It appears Apple's quick fix for the recently discovered root user bug can be disabled by upgrading to macOS 10.13.1 from a previous version of the operating system, meaning users who do so are unwittingly reintroducing the glaring security hole.




According to a Wired report on Friday, multiple users have confirmed that upgrading from macOS 10.13.0 High Sierra to the latest version 10.13.1, released at the end of October, defeats Apple's security patch for the root user login flaw.

In particular, users running macOS 10.13.0 who downloaded and installed the security update released on Wednesday say the root bug reappears after upgrading to macOS 10.13.1.

Making matters worse, two people who attempted to reinstall Apple's fix after upgrading to macOS 10.13.1 say the root login bug persists until the system is rebooted. Apple in its documentation does not list rebooting as part of the required installation process.

"I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad," said Thomas Reed, a security researcher at MalwareBytes. "Anyone who hasn't yet updated to 10.13.1, they're now in the pipeline headed straight for this issue."

Reed went on to point out that many Mac owners do not reboot their computer for months at a time, meaning the root flaw could in some cases linger.

Earlier this week researchers publicized a macOS security bug that allows anyone to log in to a Mac running High Sierra as its "root" System Administrator without first requiring a password. Less than a 24 hours later, Apple pushed out Security Update 2017-001 via the Mac App Store, plugging the hole.

The security patch introduced its own problems, however, as users had issues authenticating or connecting to file shares on their Mac. Apple posted a quick Terminal fix to its Support Pages before reissuing the security patch with a permanent solution a few hours later.

While not as damaging as the original root user bug, the glitch in Apple's security patch is unusually sloppy for the Cupertino tech giant. How the two bugs in the security patch slipped past Apple's quality assurance team is unknown.
«1

Comments

  • Reply 1 of 32
    netroxnetrox Posts: 1,286member
    So, let me get this right... I already updated to 10.13.1 last month so it's not affecting the recent security update, right?
  • Reply 2 of 32
    That's sick.
    edited December 2017 mike54
  • Reply 3 of 32
    Sloppy
    mike54
  • Reply 4 of 32
    So, what's wrong with that? The update and the bug both work as expected. One will install 10.13.1 first, then install Security Update 2017-001 over that, else macOS will already automatically install the security update on 10.13.1. Apple should stick to the released build number and should not distribute the "corrected" one with a different build number: that would create huge confusions among users and support staff. This is how it works in Windows or other software too.
    randominternetpersonracerhomie
  • Reply 5 of 32
    So...Apple is bad for not adding a patch released two days ago into an update released over a month ago? Hmmm...they’re an EVIL company for not adding future patches into their already released updates/upgrades! *sarcasm* I want all of next year’s updates and patches in last month’s update, I tell ya!! hahaha
  • Reply 6 of 32
    So...Apple is bad for not adding a patch released two days ago into an update released over a month ago? Hmmm...they’re an EVIL company for not adding future patches into their already released updates/upgrades! *sarcasm* I want all of next year’s updates and patches in last month’s update, I tell ya!! hahaha
    They could easily require you to install the update before installing the patch.
  • Reply 7 of 32
    SoliSoli Posts: 10,033member
    I agree that it's sloppy. This seems like something very simple to add to this update. The update didn't even require a restart.
  • Reply 8 of 32
    Yawn.

    Some irresponsible scumbag tells the world about a zero-day exploit before telling Apple.  Apple releases a fix for that in less than a day.  A few days later people find obscure ways that the fix can be unfixed.  I have no doubt that Apple has been working on a proper fix all along and they are going to make sure it's fully tested and released properly very soon.  In the meantime, if you are concerned don't let bad guys get their hands on your hardware or take 20 seconds to set a flippin' root password and be completely protected.
    bshank
  • Reply 9 of 32
    SoliSoli Posts: 10,033member
    Yawn.

    Some irresponsible scumbag tells the world about a zero-day exploit before telling Apple.  Apple releases a fix for that in less than a day.  A few days later people find obscure ways that the fix can be unfixed.  I have no doubt that Apple has been working on a proper fix all along and they are going to make sure it's fully tested and released properly very soon.  In the meantime, if you are concerned don't let bad guys get their hands on your hardware or take 20 seconds to set a flippin' root password and be completely protected.
    I believe I read that Apple was aware of the bug two weeks prior to being made public.
    ktappe
  • Reply 10 of 32
    stukestuke Posts: 120member
    Apple, come on!  Get your shit together.  Stop releasing so many new updates so frequently as obvious betas. Pay for good engineering, and maybe Steve can Rest In Peace!
  • Reply 11 of 32
    dr. xdr. x Posts: 279member
    What a joke! Apple does need to get their shit together quickly or else things are going to go down the tubes if it hasn’t already. 

    I know Apple and the Apple I know isn’t like this, so sloppy. 
    edited December 2017
  • Reply 12 of 32
    philboogiephilboogie Posts: 7,675member
    Patch one bug, receive a new one. When is Apple going to release bug-free software?

    Oh, and there is a new time bug as well:
    https://www.reddit.com/r/iphone/comments/7gzntq/psa_iphone_rebootrespring_issues_megathread/


  • Reply 13 of 32
    philboogiephilboogie Posts: 7,675member
    Soli said:
    I believe I read that Apple was aware of the bug two weeks prior to being made public.
    That is correct:
    https://daringfireball.net/2017/11/high_sierra_root_login_two_weeks_ago

    edit: and a link to 'straight from the horse's mouth':
    https://medium.com/@lemiorhan/the-story-behind-anyone-can-login-as-root-tweet-33731b5ded71

    edited December 2017 Solimacplusplus
  • Reply 14 of 32
    SoliSoli Posts: 10,033member
    Patch one bug, receive a new one. When is Apple going to release bug-free software?

    Oh, and there is a new time bug as well:
    https://www.reddit.com/r/iphone/comments/7gzntq/psa_iphone_rebootrespring_issues_megathread/


    I can't image that ever happening. If we could envision some reality where there was no possible new features or need for ever improving security or performance then companies could theoretically just keep making their SW more and more bug free, but even then there would likely be a point where the cost of rooting out and fixing even the most minor bugs becomes too costly to even bother. We can look at defunct apps and/or tech companies to see how that may go.

    But date and time-related bugs just seem weird.
    edited December 2017 StrangeDays
  • Reply 15 of 32
    Speed1050Speed1050 Posts: 22unconfirmed, member
    Great story, must read again. I like this line though: Reed went on to point out that many Mac owners do not reboot their computer for months at a time...

    High Sierra. I can’t get through a day without at least one forced reboot following some kernel panic.

    A month... I wish. 
  • Reply 16 of 32
    philboogiephilboogie Posts: 7,675member
    Soli said:
    When is Apple going to release bug-free software?

    I can't image that ever happening.
    Me neither, I was being over the top, so to speak. But I do think they need to do a better job in the QA dept (or wherever). I understand that while Date & Time seems easy, allegedly it's not. But there have been so many problems, for so many companies to get Date & Time right...I wouldn't hold my breath for these bugs to become a thing of the past.

    Leap-year bug

    https://discussions.apple.com/thread/1335457?start=0&tstart=0

    Zune chokes on leap-year bug

    https://www.macworld.com/article/1137846/zunebug.html

    Yes, Microsoft Azure Was Downed By Leap-Year Bug

    https://www.wired.com/2012/03/azure-leap-year-bug/

    Apple promises a fix for iPhone bricking stemming from date and time bug

    http://www.idownloadblog.com/2016/02/15/apple-fix-iphone-bricking-date-time-bug/

    iCloud time zone bug / Calendar mismatch with PC time zone

    https://discussions.apple.com/thread/3409043?start=30&tstart=0


    Soli
  • Reply 17 of 32
    Something fishy here swims

    ~Yoda
  • Reply 18 of 32
    How long can it take to have a class lawsuit against Apple for permanently staying on a current (working) iOS release ?
    edited December 2017 dysamoria
  • Reply 19 of 32
    StrangeDaysStrangeDays Posts: 12,326member
    Bacillus3 said:
    How long can it take to have a class lawsuit against Apple for permanently staying on a current (working) iOS release ?
    What??
  • Reply 20 of 32
    lkrupplkrupp Posts: 10,344member
    Soli said:
    Yawn.

    Some irresponsible scumbag tells the world about a zero-day exploit before telling Apple.  Apple releases a fix for that in less than a day.  A few days later people find obscure ways that the fix can be unfixed.  I have no doubt that Apple has been working on a proper fix all along and they are going to make sure it's fully tested and released properly very soon.  In the meantime, if you are concerned don't let bad guys get their hands on your hardware or take 20 seconds to set a flippin' root password and be completely protected.
    I believe I read that Apple was aware of the bug two weeks prior to being made public.
    You read wrong. The information about the flaw was mentioned in passing in a thread completely unrelated to the bug. I read the developer site thread. The flaw was suggested by a user to fix something else. He said, “Hey try this!” This was spun as proof that Apple knew about this two weeks ago. No official bug report was ever sent to Apple by that commenter. The claim that Apple knew about this resulted by assuming Apple scourers its developer forums intently to look for tidbits like this. Like these user forums here Apple apparently does not routinely participate in threads. That’s a point that can be debated as to whether Apple really needs to have engineers spending time slogging through hundreds of comments on a developer forum 24/7/365. Apple found out about it on the day it was made public, not two weeks ago.

    So IMHO there were two opportunities by supposed professionals to inform Apple of the flaw before things hit the fan. First was the commenter in the developer forum who mentioned the flaw but did not  report it (perhaps he had used it before to get into places he normally couldn’t, his own private back door so to speak). Second was the dirtbag who announced the flaw to the world in a tweet,  “Hey Apple, do you know about this, ha ha ha?”

    Apple does not escape any blame here. They screwed up big time and deserve every slap in the face they get for it. But the angst and fear caused by this could have been avoided, in my opinion, if two people had acted responsibly. The flaw would have been fixed and users protected before the details were released.
    edited December 2017 Soliloopless
Sign In or Register to comment.