“It appears Apple’s quick fix for the recently discovered root user bug can be disabled by upgrading to macOS 10.13.1 from a previous version of the operating system, meaning users who do so are unwittingly reintroducing the glaring security hole,” Mikey Campbell reports for AppleInsider. “According to a Wired report on Friday, multiple users have confirmed that upgrading from macOS 10.13.0 High Sierra to the latest version 10.13.1, released at the end of October, defeats Apple’s security patch for the root user login flaw.”
“In particular, users running macOS 10.13.0 who downloaded and installed the security update released on Wednesday say the root bug reappears after upgrading to macOS 10.13.1,” Campbell reports. “Making matters worse, two people who attempted to reinstall Apple’s fix after upgrading to macOS 10.13.1 say the root login bug persists until the system is rebooted. Apple in its documentation does not list rebooting as part of the required installation process.”
Read more in the full article here.
“The root fix, released on Wednesday for macOS High Sierra 10.13.0 and 10.13.1, addresses a serious vulnerability that was first discovered a day earlier on Tuesday,” Juli Clover reports for MacRumors. “The bug enabled the root superuser on a Mac with a blank password and no security check, letting anyone bypass the security of an admin account with the username ‘root’ and no password.”
Read more in the full article here.
MacDailyNews Take: This is simply mismanagement and sloppiness. There’s no excuse for this.
We pay for “it just works,” Apple. When you stop providing that, the gravy train will stop, too.
Get your act together, Apple!
If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly. Or if you see MRTConfigData 1.27 in the Installations list under Software in System Report, your Mac is also protected.
To confirm that your Mac has Security Update 2017-001:
1. Open the Terminal app, which is in the Utilities folder of your Applications folder.
2. Type what /usr/libexec/opendirectoryd and press Return.
3. If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
opendirectoryd-483.1.5 on macOS High Sierra 10.13
opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
If you require the root user account on your Mac, you will need to re-enable the root user and change the root user’s password after this update.
More info about and download link for Security Update 2017-001 macOS High Sierra v10.13.1 here: https://support.apple.com/kb/DL1942
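For anyone checking more than one Mac, the confirmation steps above can be scripted. The following is an added example, not Apple's or MacDailyNews's code: the function names and the sample `what` output are constructed for illustration, and the two project versions are the ones listed above.

```shell
#!/bin/sh
# Added example: classify `what /usr/libexec/opendirectoryd` output against
# the project versions the article lists for Security Update 2017-001.

# Constructed sample of `what` output (layout assumed, not captured from a Mac).
SAMPLE_WHAT_OUTPUT='/usr/libexec/opendirectoryd
	 PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7'

# Map a macOS version to the patched opendirectoryd project version.
expected_project() {
    case "$1" in
        10.13|10.13.0) echo "opendirectoryd-483.1.5" ;;
        10.13.1)       echo "opendirectoryd-483.20.7" ;;
        *)             return 1 ;;   # version not covered by the article
    esac
}

# Pull the first opendirectoryd-<version> token out of `what` output.
project_from_what() {
    printf '%s\n' "$1" | grep -Eo 'opendirectoryd-[0-9]+(\.[0-9]+)*' | head -n 1
}

# check_update <macos_version> <what_output>
# Prints PATCHED, NOT_PATCHED or UNKNOWN; returns 0, 1 or 2 respectively.
check_update() {
    want=$(expected_project "$1") || { echo "UNKNOWN"; return 2; }
    have=$(project_from_what "$2")
    if [ -z "$have" ]; then echo "UNKNOWN"; return 2; fi
    if [ "$have" = "$want" ]; then echo "PATCHED"; return 0; fi
    echo "NOT_PATCHED"; return 1
}

# On a Mac, check the live system; elsewhere this block is skipped.
if command -v sw_vers >/dev/null 2>&1 && command -v what >/dev/null 2>&1; then
    check_update "$(sw_vers -productVersion)" "$(what /usr/libexec/opendirectoryd)"
fi
```

This reads the binary on disk only, so reboot after installing the update, as advised above, before relying on the result.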