PSA: Upgrading to macOS 10.13.1 will undo Apple’s patch for critical root
vulnerability
9to5Mac / Chance Miller
While Apple was commended for its overnight fix of the critical macOS root
security hole earlier this week, updates that are developed so quickly rarely
come without issues. Wired this morning reports that if you were running macOS
High Sierra 10.13.0 when you installed the update, and then update to High
Sierra 10.13.1, the security update will reverse itself…
The report cites several users who have experienced this issue. Essentially, if
you were behind and hadn’t updated to macOS 10.13.1 yet, you need to be sure to
reinstall the security patch that Apple released earlier this week for the root
hole.
Furthermore, however, the root security fix doesn’t reinstall as seamlessly for
those who are installing again after updating their machine to macOS 10.13.1.
Wired’s report explains that users are having to reboot their Mac in order for
the security patch to stick.
When Apple originally released the security update earlier this week, it was
sure to tout that it didn’t require a reboot in order to get as many users to
upgrade as possible. Furthermore, for those installing again after updating to
macOS 10.13.1, Apple doesn’t say that a reboot is required. This means that,
unless a user specifically tests the root bug, they won’t realize the security
fix actually hasn’t stuck.
Thomas Reed, an Apple researcher at security firm MalwareBytes, explained to
Wired:
After Reed confirmed that 10.13.1 reopened the “root” bug, he again installed
Apple’s security fix for the problem. But he found that, until he rebooted, he
could even then type “root” without a password to entirely bypass High Sierra’s
security protections.
“I installed the update again from the App Store, and verified that I could
still trigger the bug. That is bad, bad, bad,” says Reed. “Anyone who hasn’t
yet updated to 10.13.1, they’re now in the pipeline headed straight for this
issue.”
Apple has yet to comment on this newfound issue. It would seem that the company
could re-release the security patch for those users who upgrade, but that
remains to be seen. Have you noticed this flaw on your machine? Let us know
down in the comments.
Subscribe to 9to5Mac on YouTube for more Apple news:
Original Article: https://9to5mac.com/2017/12/02/macos-10-13-1-root-hole-bug/
Sent from my iPhone