Updating to latest macOS 10.13.1 disables Apple’s ‘root’ bug patch; you’ll need to reinstall Apple’s root security fix

“It appears Apple’s quick fix for the recently discovered root user bug can be disabled by upgrading to macOS 10.13.1 from a previous version of the operating system, meaning users who do so are unwittingly reintroducing the glaring security hole,” Mikey Campbell reports for AppleInsider. “According to a Wired report on Friday, multiple users have confirmed that upgrading from macOS 10.13.0 High Sierra to the latest version 10.13.1, released at the end of October, defeats Apple’s security patch for the root user login flaw.”

“In particular, users running macOS 10.13.0 who downloaded and installed the security update released on Wednesday say the root bug reappears after upgrading to macOS 10.13.1,” Campbell reports. “Making matters worse, two people who attempted to reinstall Apple’s fix after upgrading to macOS 10.13.1 say the root login bug persists until the system is rebooted. Apple in its documentation does not list rebooting as part of the required installation process.”

Read more in the full article here.

“The root fix, released on Wednesday for macOS High Sierra 10.13.0 and 10.13.1, addresses a serious vulnerability that was first discovered a day earlier on Tuesday,” Juli Clover reports for MacRumors. “The bug enabled the root superuser on a Mac with a blank password and no security check, letting anyone bypass the security of an admin account with the username ‘root’ and no password.”

Read more in the full article here.

MacDailyNews Take: This is simply mismanagement and sloppiness. There’s no excuse for this.

We pay for “it just works,” Apple. When you stop providing that, the gravy train will stop, too.

Get your act together, Apple!

If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly. Or if you see MRTConfigData 1.27 in the Installations list under Software in System Report, your Mac is also protected.

To confirm that your Mac has Security Update 2017-001:
1. Open the Terminal app, which is in the Utilities folder of your Applications folder.
2. Type what /usr/libexec/opendirectoryd and press Return.
3. If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
opendirectoryd-483.1.5 on macOS High Sierra 10.13
opendirectoryd-483.20.7 on macOS High Sierra 10.13.1

If you require the root user account on your Mac, you will need to re-enable the root user and change the root user’s password after this update.

More info about and download link for Security Update 2017-001 macOS High Sierra v10.13.1 here: https://support.apple.com/kb/DL1942

SEE ALSO:
Apple’s macOS High Sierra bug fix arrives with a new bug – here’s the fix – November 30, 2017
Apple on Mac flaw: ‘We apologize to all Mac users. Our customers deserve better. We are auditing our development processes.’ – November 29, 2017
Apple releases fix for macOS High Sierra administrator authentication bypass flaw – November 29, 2017
Tim Cook’s sloppy, unfocused Apple rushes to fix a major Mac security bug – November 29, 2017
What to do about Apple’s shameful Mac security flaw in macOS High Sierra – November 29, 2017
Apple’s late, delayed, limited HomePod is looking more and more like something I don’t want – November 27, 2017
Why Apple’s HomePod is three years behind Amazon’s Echo – November 21, 2017
Under ‘operations genius’ Tim Cook, product delays and other problems are no longer unusual for Apple – November 20, 2017
Apple delays HomePod release to early 2018 – November 17, 2017
Apple CEO Tim Cook: The ‘operations genius’ who never has enough products to sell at launch – October 23, 2017
Apple’s desperate Mac Pro damage control message hints at a confused, divided company – April 6, 2017
Apple is misplaying the hand Steve Jobs left them – November 30, 2016
Apple delays AirPod rollout – October 26, 2016
Apple delays release of watchOS 2 due to bug – September 16, 2015
Apple delays HomeKit launch until autumn – May 14, 2015
Open letter to Tim Cook: Apple needs to do better – January 5, 2015

61 Comments

  1. Anybody with half a brain should have realized that installing an unfixed system upgrade over the fix would undo it. Anybody with a quarter of a brain would realize that changes to the operating system require a reboot. People were demanding an immediate fix, which Apple provided. It may take a little longer for a complete system upgrade. Chill, people!!

    1. Ok, two one-star votes in thirty minutes from folks who are shocked—shocked, I say—that when Apple releases software updates in the order 1, 2, 3 and a user installs it in the order 1, 3, 2, the user has 2 at the end of that process rather than 3.

            1. You are negative on all things Apple, all the time. Partisan: “prejudiced in favor of a particular cause”, and your cause is hating Apple.

            2. Partisan doesn’t mean being pro someone, it means having a bias in favor of something, which could be a person, a group, a cause, whatever, and it doesn’t have to be pro anything, it can be con (Repubs in the States have defined themselves by what they’re against). You have an emotional bias against Apple, that’s partisanship. I’m sorry if you didn’t understand what that word means, but there it is.

            3. I call out Apple where I feel they need calling out and where I feel that things are being sensationalized or lack “truthiness”. Apple is not a person, no company is, they don’t get the respect a person gets.

            4. Being partisan applies to more than people, just as it applies to more than being ‘pro’ something. You are partisan, I’m not sure why you don’t want to admit that, lots of people are just like you, they have things they hate and things they love for purely emotional reasons.

            5. I have legitimate axes to grind with Apple based on fact. Any negative emotions I may have regarding Apple also stem from fact. To allow partisan “inaccuracies” to propagate allow them to be perceived as truth. I won’t allow that, you don’t have to listen.

            6. Why criticize MDN, isn’t it clear this is a fan site, both pro and anti-fan (like you)? I won’t be hanging around, it was a minor diversion of sorts. I like my Apple products but I don’t care enough to take it to your level, for or against. They’re just products and it’s just a company. If my Apple products start sucking I’ll move on. For now they’re far and away the best for me and despite all the hand-wringing it doesn’t seem like that will be changing. Windows is a mess so that’s not an option. Android is not nearly secure enough, never mind Google’s gathering of data on a scale far worse than anything Apple does. Every company or product has trade offs, I’m happy where I am. I’m certainly not going to waste much more time on a site like MDN. You ever thought about how much time you waste commenting and replying on sites like this? You’re not a fan? Riiiigghhhht.

            1. But that’s all you do, you heckle and shout at the ‘other team’. That’s fan stuff. You’re the guy jumping and yelling in the stands at a Patriots game wearing a ‘Patriots suck!’ jersey. You’re THAT guy. You also seem to live near a river in Egypt, if you think you’re not THAT guy.

            2. You wear an “Apple Sucks!” jersey. You’re in serious denial if you think you don’t. Your excuse is that BS oozes out of Apple so you HAVE to counter it. You sound a lot like a Patriots hater, or any hater for that matter. Insert Team Name I Hate is Insert My Excuse For Hating Said Team, I have to let everyone know! It’s my solemn duty!!!

              Some people love to hate something, haters gonna hate. Some people pick pop stars, singers, sports teams, an actor, whatever, you’ve chosen a corporation. It’s all the same thing, you need something to hate. Lots of geeks hate Apple by the way, you’re not even original.

              Nice attempt at saving face with your “What are the Patriots?” comment. Yes, we get it, you don’t follow sports, you’re so above all of that and so smart and beyond mere mortals who know who the Patriots are.

            3. Oh, I do wear an Apple Sucks jersey. I stick to facts though.

              PS-I don’t follow American football at all, and thanks to FIFA and UEFA, I only follow national team football. I know what it means to be a fan though, and I recognize the whole thing is sheepish, irrational, and inconsequential in things that matter. On the other hand, no team would dare censor me either.

              Being a fan does not absolve you from objectivity.

            4. The New England Patriots are an American football team that are reviled for their winning ways, which include various mehods of cheating. They are truthy all right, getting self-righteous when challenged on their ethics, and doubling down Trump-style until things blow over, never admitting to diddly-squat and relying on their fan base to keep them in the revenue equation. It’s always all about the money, and playing their fans for the reliable suckers they are.

            5. Exactly. I was hoping someone would reply with a comment like this. Apple critics think Apple is cheating somehow, and only succeeds because of fans who will buy anything Apple makes and tolerate anything Apple does. If it isn’t obvious how ridiculous that view of Apple is there’s nothing anyone can say to change any anti-fan’s mind about Apple. Haters gonna hate.

      1. Your apology for Apple doesn’t make sense. You are ignoring the fact that Apple should have immediately withdrawn the unpatched version of 10.13.1 and re-released it with the patch INCLUDED. You seem to be ignoring what we usually call a distinct advantage of going with Apple: they control the whole damn thing.

    2. We are now up to about 20 people who think it is absolutely terrible that when you

      (1) install MacOS 10.13.0;

      (2) do not install 10.13.1 when it is released;

      (3) install a Security Update intended for both MacOS 10.13.0 and 10.13.1, giving you a patched 10.13.0, and finally

      (4) install the unpatched 10.13.1 (which was released before the Security Update) over the top of your patched 10.13.0,

      you get exactly what you installed—an unpatched 10.13.1, until you install the Security Update again.

      Yes, it would be better to incorporate the patch into a new 10.13.2 and stop allowing people to download the two earlier point releases that have the bug, but that will take more time than issuing a security update. Doing that was an emergency priority after half-a-dozen online publications had described exactly how to enable root on a screen-locked Mac.

      Given the release today of iOS 11.2 with new features, including Apple Pay Cash, I suspect that the next MacOS point release was already finished and scheduled to go public today, but has been delayed to incorporate the security update bug fix.

      In the meantime, people who chose to download their system software out of sequence can just install the Security Upgrade again, and reboot their device, like we do for every system update.

  2. Well, I guess I will still hold off on High Sierra for awhile. The root problem doesn’t worry me personally, but I just don’t trust that there aren’t even more examples of software engineering ineptitudes hidden in there. My new iMac and trusty old MacBook Pro are doing just fine with Sierra. Thanks SJW Timmy!

  3. This is precisely why my two MP & MBP machines still have Sierra and El Capitan loaded and it’s not a problem. I sensed a great future disturbance in the OS upgrading Force as soon as I saw Apple was upgrading it’s AFS. I won’t be upgrading to High Sierra until the next 2018 Mac Pro arrives (or is that 2019 or 2020?) Maybe it’ll be safe by then. I try to avoid the problem of “fools rushing in” and paying a price for it.

    With great products comes great responsibility Apple!!

      1. Not a new “tactic” for pros and business waiting 6-8 months or longer to upgrade to new OS iterations and especially one like this with a filing system upgrade. Doesn’t effect the evolution at all. Call it a beta buffer zone until the new version is proven and stable which is prudent even for most as this new instance proves. Most pro apps still run fine all the way back to El Capitan. App & OS stability are more important than getting the latest bells & whistles, which will come in time.

  4. This is so embarrassing. One of the wealthiest companies in the world and it’s like their quality control team is on vacation. Hire some competent employees who are good at fixing this stuff please.

  5. Remember the good ol days of “I’m a Mac and I’m a PC…”

    That was when we could laugh at the pc people for having Microsoft like problems.

    With Apple, I’m starting to know what is like to be a PC user:/

    1. Oh believe me, I have to use Windows at work and even with all of this incompetence and stupidity from Apple, it’s still heaven on Earth in comparison. Having to deal with Microsoft and Dell makes me feel like I was very, very bad in a previous incarnation and am now paying for it in spades.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.