Apple security update means root password flaw can return for some users
There were red faces at Apple after it slipped up once again in a very public way with the latest version of its macOS (High Sierra) operating system.
Last week the company patched a serious root bug that could have allowed anyone to access a Mac system, but it turns out the problem can return.
This latest development is a further setback to Apple’s security credentials, which until the last several years enjoyed a solid reputation.
Half-Baked Fix?
It was late last month that the root flaw came to light: anyone running an Apple Mac with version 10.13 or 10.13.1 of its latest operating system (known as High Sierra) could be exposed to a serious flaw that grants admin privileges.
Essentially, the flaw could have allowed admin access to Apple Macs by entering the username ‘root’ with no password, bypassing local security settings (in some cases remotely).
Apple rushed out a patch within 18 hours of the flaw being reported, and advised all Mac users running macOS High Sierra to download ‘Security Update 2017-001’ immediately.
But now multiple Apple Mac users have confirmed to Wired magazine that the software fix may not actually fix the problem. Indeed, the publication found that the bug returns if Mac owners upgrade to the latest version of High Sierra after they have applied the patch.
If a user upgraded to High Sierra 10.13.1 and did not reboot the Apple Mac (a common practice among Mac users), then the bug would return.
“Even if a Mac user knew to reinstall the security patch after they upgraded High Sierra – and in fact, Apple would eventually install that update automatically, as it has for other users affected by the ‘root’ bug – they could still be left vulnerable,” Thomas Reed, a security researcher at Malwarebytes, told Wired.
Reed confirmed that 10.13.1 reopened the “root” bug, and he again installed Apple’s security fix for the problem. But he found that, even then, until he rebooted he could still type “root” without a password to entirely bypass High Sierra’s security protections.
“I installed the update again from the App Store, and verified that I could still trigger the bug,” he is reported to have said. “That is bad, bad, bad. Anyone who hasn’t yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue.”
Apple has not commented publicly on the issue, but it has updated its support page with an extra warning.
“If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly,” it said.
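Apple’s guidance above is to reboot so that the update is applied fully. One way an administrator could check that across managed Macs, as an added example that is not from the article or from Apple: compare the time the update was recorded in the Mac’s install history with the time of the last boot, and flag any machine where the update landed after the boot. The script assumes macOS writes each installer run to /Library/Receipts/InstallHistory.plist as an array of dictionaries with 'displayName' and 'date' keys, and that `sysctl -n kern.boottime` prints the boot time as `{ sec = N, usec = M } ...`; both are assumptions about the platform, and the plist embedded below is constructed sample data so the logic runs anywhere.

```python
"""Flag Macs that installed a security update but have not rebooted since.

Added example, not code from the article or from Apple. Assumptions: the
install-history plist layout (displayName/date keys) and the kern.boottime
output format. The embedded plist is constructed sample data.
"""
import re
import subprocess
import plistlib
from datetime import datetime, timezone

# Constructed sample of an install-history plist (not a real capture):
# the 10.13.1 update, then the security update an hour later.
SAMPLE_HISTORY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>displayName</key><string>macOS 10.13.1 Update</string>
    <key>date</key><date>2017-11-30T09:00:00Z</date>
    <key>processName</key><string>softwareupdated</string>
  </dict>
  <dict>
    <key>displayName</key><string>Security Update 2017-001</string>
    <key>date</key><date>2017-11-30T10:15:00Z</date>
    <key>processName</key><string>softwareupdated</string>
  </dict>
</array>
</plist>
"""


def last_install_time(history_bytes, name_fragment):
    """Most recent install date (naive UTC datetime) of an entry whose
    displayName contains name_fragment, or None if it was never installed."""
    entries = plistlib.loads(history_bytes)
    dates = [e["date"] for e in entries if name_fragment in e.get("displayName", "")]
    return max(dates) if dates else None


def parse_kern_boottime(sysctl_output):
    """Parse `sysctl -n kern.boottime` output such as
    '{ sec = 1512034200, usec = 0 } Thu Nov 30 09:30:00 2017' (assumed format)
    into a naive UTC datetime, matching what plistlib returns for <date>."""
    m = re.search(r"sec\s*=\s*(\d+)", sysctl_output)
    if not m:
        raise ValueError("unrecognised kern.boottime output")
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).replace(tzinfo=None)


def reboot_pending(history_bytes, boot_time, update_name="Security Update 2017-001"):
    """True if the named update was installed after the last boot (the fix
    may not be fully applied yet); False if the Mac has rebooted since;
    None if the update does not appear in the install history at all."""
    installed = last_install_time(history_bytes, update_name)
    if installed is None:
        return None
    return installed > boot_time


def check_live_system(update_name="Security Update 2017-001"):
    """Run the check on the current Mac (macOS only; path and sysctl are assumptions)."""
    with open("/Library/Receipts/InstallHistory.plist", "rb") as f:
        history = f.read()
    boot = parse_kern_boottime(subprocess.check_output(["sysctl", "-n", "kern.boottime"], text=True))
    return reboot_pending(history, boot, update_name)


if __name__ == "__main__":
    # Demonstrate on the constructed data: booted at 09:30, update installed at 10:15.
    boot = parse_kern_boottime("{ sec = 1512034200, usec = 0 } Thu Nov 30 09:30:00 2017")
    print("reboot pending:", reboot_pending(SAMPLE_HISTORY, boot))
```

A result of `None` is worth reporting separately from `False`: a Mac with no record of the update is exposed for a different reason (the update was never installed) and needs the update pushed rather than just a restart.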
This is not the first bug discovered in the macOS High Sierra operating system.
In October a flaw was discovered that could have allowed anyone to gain access to encrypted hard disk volumes. That issue meant that when a user requested a password hint for certain encrypted volumes the operating system instead displayed the entire password.