Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Desktops (Apple) Bug Security Apple

Apple Snafu Means Updating To macOS 10.13.1 Could Reactivate Root Access Bug (betanews.com) 74

Mark Wilson writes: A few days ago, a serious security flaw with macOS High Sierra came to light. It was discovered that it was possible to log into the 'root' account without entering a password, and -- although the company seemed to have been alerted to the issue a couple of weeks back -- praise was heaped on Apple for pushing a fix out of the door quickly. But calm those celebrations. It now transpires that the bug fix has a bug of its own. Upgrade to macOS 10.13.1 and you could well find that the patch is undone. Slow hand clap.
This discussion has been archived. No new comments can be posted.

Apple Snafu Means Updating To macOS 10.13.1 Could Reactivate Root Access Bug

Comments Filter:
  • Oh good.. (Score:4, Funny)

    by HumanWiki ( 4493803 ) on Monday December 04, 2017 @09:03AM (#55671685)

    "My slowclap processor made it into this thing." -GLaDOS

    • by fuzzyf ( 1129635 )
      That one made me laugh :)

      Wish I had modpoints. That is a clear +1 Funny in my book.
      Maybe I should fire opp Portal again. Been a long time since I played it.
      • Now here we are again..
        It's always such a pleasure..
        Remember when you tried to mod, me once..

        • by fuzzyf ( 1129635 )
          I'm terrible sorry but I can't quite place you
          Hoping it wasn't that one time where I modded a post "Overrated" by mistake? I think I posted afterwards to cancel that mod

          Anyway... I really liked the quote from Portal :) Thank you very much for that one!
          • You're fine. I was singing out the ending song to Portal 2 with regard to your wishing you had the ability to mod my post. Guess it wasn't as funny as the first.

            • by fuzzyf ( 1129635 )
              lol :)
              It's been quite some time since I played Portal 2 so I didn't remember that one at all. Probably means it will be really fun to play it again :)
  • by Anonymous Coward on Monday December 04, 2017 @09:11AM (#55671721)

    must have done the fixed in between emoji design meetings.

  • This for Apple is what the burning batteries was for Samsung.

    You're pretty much guaranteed to make a major snafu every once in a while if you're a big tech company. The scary thing is when a snafu occurs when controlling a power plant, or a weapons system, or something that could be used as a weapon.

    As long as it's just phones and laptops we're OK.

  • by Anonymous Coward

    Of course if you upgrade to 10.13.1 it will remove the patch, the patch doesn't exist in that version and it is a full update, not a delta. Shortly after the upgrade it will download and apply the patch to 10.13.1.

    • That does create a window of opportunity. It's a window that could be detected by many external firewalls, which monitor web traffic as a matter of course and could detect the Apple update download.

      • I'm pretty sure the macOS "root bug" requires physical access to the machine.
        • If it's already been set up (e.g. a non-admin user has failed to elevate to root 3 times), I've heard reports that this bug does also allow remote connection to AFP shares, SSH, and remote access if those are enabled. I don't have an unpatched machine on hand in order to test, so I'm simply relaying. If you have an unpatched machine, you can verify it yourself; if not, I suppose it doesn't really matter.
      • by Nutria ( 679911 )

        Isn't the "work around" to just have a root password (which there should be anyway)?

  • And then within 24 hours Security Update 2017-001 is auto applied if not manually done so earlier.

    • So that 24 hour window is no problem.

      Are there any third-party web-pages that are out there with links, recommending 'upgrade to the new MacOS 10.13.1' that have ads displayed on them? I would like to purchase some ads.

      • Re: (Score:3, Informative)

        by Archon ( 13753 )

        No, this is still a huge fuckup.

        - deploy OS updates w/root bug
        - release 20017-01 security patch that fixes root bug but introduces Kerberos authentication bug ...root issue not fixed until machine is rebooted, which is neither documented or forced by the update
        - release KB that provides instructions for manually fixing Kerberos bug by entering terminal command
        - patch the 2017-01 security patch to not introduce Kerberos bug ...no documentation or version upgrading of the patch to denote changes

        And now... ...

  • Big deal (Score:4, Funny)

    by 110010001000 ( 697113 ) on Monday December 04, 2017 @09:30AM (#55671777) Homepage Journal
    Not sure who this "Root" guy is, but I always login with my iCloud username. Everyone knows iCloud is safe.
  • by mattr ( 78516 ) <mattr @ t e l e b o d y . com> on Monday December 04, 2017 @09:45AM (#55671861) Homepage Journal

    I would like Apple to stop nagging me to upgrade to High Sierra via notifications. I am deathly afraid of clicking by accident. It is seldom that a Mac operating system upgrade soon after its launch goes well for the hapless end user. I'm sure I will do it some time, after I feel really good about my backup system and have no critical business scheduled. But when I invested in this MacBook Pro I felt it would last me 5-10 years as-is. Something closer to ZFS is great but not worth the aggravation that the Apple user is GUARANTEED to get if they upgrade soon after it comes out. Let some other early adopters become roadkill and just sit back and let the fireworks die down for a year. Some of us can't afford to be experimented on.

    • Re: (Score:2, Interesting)

      by TheRaven64 ( 641858 )

      I am deathly afraid of clicking by accident

      You are easily frightened. If you click on most of it, it will launch the app store and show you a big banner telling you how awesome Apple thinks High Sierra is. If you click on the 'later' button, it will go away and bug you later. If you click on the 'install' button, it will launch the installer, which will then give you an option to cancel the installation. Which one of these possible outcomes causes a reaction of deathly fear?

    • by antdude ( 79039 )

      It's like Microsoft. I also would like Apple and others to stop nagging about logging in to get updates so often. Stop please!

  • I had a customer with an older Macbook Pro, for whom updating to 10.13 overwrote her boot partition with the 10.13 recovery partition - then froze dead in its tracks leaving the laptop unbootable. All her files that weren't overwritten had to be recovered by signature through Photorec.

    I put in a brand new hard drive (the drive was starting to fail), and installed Sierra. Updating to 10.13 (High Sierra) did the same thing again.

    Only resetting the PRAM solved it. I can't really even make sense of why that

  • by Chelloveck ( 14643 ) on Monday December 04, 2017 @10:24AM (#55672043)

    So, what you're saying is that when you rush out a patch, the development and QA processes suffer? The hell you say. No one could have predicted *that*.

    Sometimes you have to say "Make it work for the most common case *now* and we'll pick up anything we missed later.

  • 99 bugs (Score:4, Funny)

    by stealth_finger ( 1809752 ) on Monday December 04, 2017 @11:10AM (#55672441)
    99 little bugs in the code
    99 little bugs in the code
    Take one down, pass it around
    117 little bugs in the code
  • While this bug has not been patched in the 10.13.1 Update, it has been patched once-and-for-all in the upcoming 10.13.2 Update, now in Beta Testing.

    Those who Install 10.13.1 simply need to re-run the current version of the "root access" Security Update, and all will be well.

    Just some overlapping package-release timing stuff, exacerbated by Apple's desire to patch the original vulnerability as quickly as possible.

  • by Anonymous Coward

    Thanks, Apple, for labelling my old Mac Mini as obsolete, so I do not have to deal with this crap.

  • FEATURE!

FORTUNE'S FUN FACTS TO KNOW AND TELL: A black panther is really a leopard that has a solid black coat rather then a spotted one.

Working...