Apple Snafu Means Updating To macOS 10.13.1 Could Reactivate Root Access Bug (betanews.com)
Mark Wilson writes: A few days ago, a serious security flaw with macOS High Sierra came to light. It was discovered that it was possible to log into the 'root' account without entering a password, and -- although the company seemed to have been alerted to the issue a couple of weeks back -- praise was heaped on Apple for pushing a fix out of the door quickly. But calm those celebrations. It now transpires that the bug fix has a bug of its own. Upgrade to macOS 10.13.1 and you could well find that the patch is undone. Slow hand clap.
Oh good.. (Score:4, Funny)
"My slowclap processor made it into this thing." -GLaDOS
Re: (Score:2)
Wish I had modpoints. That is a clear +1 Funny in my book.
Maybe I should fire up Portal again. Been a long time since I played it.
Re: (Score:2)
Now here we are again..
It's always such a pleasure..
Remember when you tried to mod me once..
Re: (Score:2)
Hoping it wasn't that one time where I modded a post "Overrated" by mistake? I think I posted afterwards to cancel that mod.
Anyway... I really liked the quote from Portal
Re: Oh good.. (Score:2)
You're fine. I was singing out the ending song to Portal 2 with regard to your wishing you had the ability to mod my post. Guess it wasn't as funny as the first.
Re: (Score:2)
It's been quite some time since I played Portal 2 so I didn't remember that one at all. Probably means it will be really fun to play it again
Re: (Score:2, Interesting)
You know, I'm thinking you may be taking this just a bit too personally. I recommend you take less offense on behalf of a major corporation. Remember, Apple doesn't care about you, or your family. A trait not specific to Apple, but common among all corporations.
Re: (Score:1)
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here. Sure, the FaceID debacle happened relatively recently, but these kinds of security fuck-ups are a regular thing even for Apple.
Oh and before someone starts compiling a list of security screw-ups going back to the 80s, one or two legitimate screw-ups every few years are hardly "situation normal" type scenario.
This is the second time the same root-access bug has reared its ugly head IN THE LAST WEEK.
"SNAFU" seems quite apropos.
Re: (Score:2)
it wasn't about the facts, it was about supplementing the headline with some clickbait
Re: (Score:3)
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.
That's the origin, all right; however, since surfacing in WWII it's morphed from an acronym to a noun that means "a badly confused or ridiculously muddled situation". Seems appropriate in this case.
Re: (Score:2)
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.
That's the origin, all right; however, since surfacing in WWII it's morphed from an acronym to a noun that means "a badly confused or ridiculously muddled situation". Seems appropriate in this case.
To the point where it has become a SNAFU, amirite?
Re:SNAFU? (Score:5, Insightful)
There is a hatred of Apple; actually there is a bigger set of tribalism in general in our communities. Slashdot being a strong Linux tribe, this means Microsoft and Apple, who are not Linux systems, will get hate.
Since Linux is free and open source, there is a general tribal dislike of capitalism and large companies.
So Microsoft is the worst: not Linux, big company, closed source, not based on open standards.
Then Apple (iOS and OSX are based on Unix, which has similar standards to Linux) is slightly better liked than Microsoft.
Then Google: Android is the Linux kernel, but it isn't pure, so it gets more of a free pass.
But to the point of this tribalism. We are celebrating others' problems while ignoring our own. Even if this problem is fairly minor, or even if it isn't but is treated in a timely manner, we can yell THEY SUCK!, while our side, who didn't make the news this week, says WE RULE!
The better response to Apple's/Microsoft's/Google's... problems is to go back and check your system to make sure such a problem isn't in your system, or that it doesn't have a tangential problem. Apple's OS X being Unix based, similar flaws may exist in Linux or Android, because while it is a different code base, the two OSes are designed to follow similar specifications.
We have similar problems with politics. An idea is good or bad based on whether it was proposed by an R or a D. We are no longer focusing on the problem, just the person or company talking about it.
Re: (Score:1)
I see each operating system as being the best for specific scenarios:
- macOS for desktop (no need to worry about KDE vs Gnome, ALSA vs whatever, etc).
- Linux/BSD for servers (from the smallest to the biggest).
- Windows for gaming and enterprise users.
Re:SNAFU? (Score:5, Insightful)
That doesn't make Windows security suck any less, and it doesn't make the inability of Linux to run many industry-standard (depending on your industry) applications suck any less.
The truth is, all platforms suck; they all just suck at different things and in different ways. Pick the one that sucks the least for what you want/need to do and use it. Most of us here probably actually use all three major computing platforms on a regular basis, as well as both major mobile platforms, so of course you see a lot of hate for all of them. Because they all suck.
Re: (Score:2)
Well did you check your Windows and Linux boxes for this problem?
Or to the more detailed point, have you validated the code to see if something could be set to cause this? (A mislabeled "def" precompile operative?)
I was around during the time when the buffer overflow bug was found. So the first major attack was on the Unix LPR protocol. If you weren't using Unix LPR then you were all good, right? No, because there were mountains of code in all different systems that could be hacked via a buffer overflow, beca
Re: (Score:3)
Well did you check your Windows and Linux boxes for this problem?
This exact problem? No, because Windows doesn't have a root account (or user-accessible equivalent) and my Linux systems don't implement any sort of account management into their login systems.
This is precisely the sort of bug that shouldn't be able to exist; a failed login should increment a counter and update a timestamp, the value of the counter and timestamp shouldn't come into play until the correct password is entered, at which point it should fail as though an incorrect password was entered if ther
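The fail-closed login flow the comment above describes, as an added example (not Apple's code and not from the original post): a disabled account never has a credential written for it and always fails, a wrong password only bumps the counter and timestamp, and the lockout is consulted only after the password verified, reporting itself exactly like a wrong password. Account layout, thresholds and the PBKDF2 parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed policy values for the demonstration.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_account(password: Optional[str]) -> dict:
    """password=None models a disabled account (like a stock macOS root)."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": _hash(password, salt) if password is not None else None,
        "failures": 0,
        "last_failure": 0.0,
    }


def authenticate(account: dict, password: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    stored = account["hash"]
    # Disabled account: nothing to compare against, and nothing is ever
    # written to the credential field from this path.
    if stored is None:
        account["failures"] += 1
        account["last_failure"] = now
        return False
    if not hmac.compare_digest(_hash(password, account["salt"]), stored):
        account["failures"] += 1
        account["last_failure"] = now
        return False
    # Correct password: only now does the lockout state matter, and a locked
    # account answers exactly like a wrong password.
    locked = (account["failures"] >= MAX_FAILURES
              and now - account["last_failure"] < LOCKOUT_SECONDS)
    if locked:
        return False
    account["failures"] = 0
    return True
```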
Absolutely fits. Not just for OS X and iOS where even the first point release is still too buggy to bother with on a new version, but also for their products in general where they pretend major flaws like swelling batteries don't exist.
Re: (Score:2)
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here. Sure, the FaceID debacle happened relatively recently, but these kinds of security fuck-ups are a regular thing even for Apple.
Situation normal whataboutism runs rampant.
The same people who seem to have Stockholm syndrome about their Windows machines' problems will suffer premature ejaculation over a Mac problem.
Having both OSes, this issue notwithstanding, MacOS is a lot safer.
Now I do have a few issues with High Sierra, the ease with which you could encrypt an external drive like say a thumbdrive has changed from utter simplicity to a major "What the flaming hell?" is one, but compared with the Windows 10 update mess, wh
Re: (Score:2)
You want to hear about how annoying Windows 10 can be?
Last weekend I went to a LAN party to play games with friends. Upon installing a new game I had to reboot. Rebooting took much longer than usual and I immediately knew something was wrong. After a few minutes, Windows finally decided to let me, the puny owner of the computer in question, know that it was busy installing the "Fall Creators Update" or whatever the fuck that was.
I ended up waiting over one hour for this fucking unwanted update to finish.
W
Re: (Score:2)
No, they just have a difference of opinion with you over who owns the computer.
Re: (Score:2)
Why couldn't Windows ASK ME if it was a good time to install this shit? Unbelievable. The fucking idiots at Microsoft have no clue how people use their computers.
Exactly - today's insane Windows experience in action. I had a choice on when to update to this latest so-called Creators Update, but not always. It's like some kind of random process. And it looks like they reinstall the entire
Have you had any programs or drivers uninstalled or changed yet? I have a Software Defined Radio that uses ethernet router or direct ethernet to connect to my computer. It has digital audio exchange so that you don't need separate audio cables as well as a virtual serial port (some du
Re: (Score:2)
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.
Eh, that ship sailed years ago. On the other hand,
It now transpires that the bug fix has a bug of its own.
WTF?
Jony Ive's marketing team (Score:3, Insightful)
must have done the fix in between emoji design meetings.
All Major Tech Companies Have These Moments (Score:2)
This for Apple is what the burning batteries was for Samsung.
You're pretty much guaranteed to make a major snafu every once in a while if you're a big tech company. The scary thing is when a snafu occurs when controlling a power plant, or a weapons system, or something that could be used as a weapon.
As long as it's just phones and laptops we're OK.
Re: (Score:2)
Tell me that next time your laptop or phone catches fire, hopefully when you are not asleep.
Non story (Score:1)
Of course if you upgrade to 10.13.1 it will remove the patch, the patch doesn't exist in that version and it is a full update, not a delta. Shortly after the upgrade it will download and apply the patch to 10.13.1.
Re: (Score:2)
That does create a window of opportunity. It's a window that could be detected by many external firewalls, which monitor web traffic as a matter of course and could detect the Apple update download.
Isn't the "work around" to just have a root password (which there should be anyway)?
And then the patch is re-applied (Score:1)
And then within 24 hours Security Update 2017-001 is auto applied if not manually done so earlier.
Re: (Score:1)
So that 24 hour window is no problem.
Are there any third-party web-pages that are out there with links, recommending 'upgrade to the new MacOS 10.13.1' that have ads displayed on them? I would like to purchase some ads.
Re: (Score:3, Informative)
No, this is still a huge fuckup.
- deploy OS updates w/ root bug
  ...root issue not fixed until machine is rebooted, which is neither documented nor forced by the update
  ...no documentation or version bump of the patch to denote changes
- release 2017-001 security patch that fixes root bug but introduces Kerberos authentication bug
- release KB that provides instructions for manually fixing Kerberos bug by entering a terminal command
- patch the 2017-001 security patch to not introduce the Kerberos bug
And now... ...
Big deal (Score:4, Funny)
Just stop nagging to upgrade please (Score:4, Insightful)
I would like Apple to stop nagging me to upgrade to High Sierra via notifications. I am deathly afraid of clicking by accident. It is seldom that a Mac operating system upgrade soon after its launch goes well for the hapless end user. I'm sure I will do it some time, after I feel really good about my backup system and have no critical business scheduled. But when I invested in this MacBook Pro I felt it would last me 5-10 years as-is. Something closer to ZFS is great but not worth the aggravation that the Apple user is GUARANTEED to get if they upgrade soon after it comes out. Let some other early adopters become roadkill and just sit back and let the fireworks die down for a year. Some of us can't afford to be experimented on.
Re: (Score:2, Interesting)
I am deathly afraid of clicking by accident
You are easily frightened. If you click on most of it, it will launch the app store and show you a big banner telling you how awesome Apple thinks High Sierra is. If you click on the 'later' button, it will go away and bug you later. If you click on the 'install' button, it will launch the installer, which will then give you an option to cancel the installation. Which one of these possible outcomes causes a reaction of deathly fear?
Re: (Score:2)
It's like Microsoft. I also would like Apple and others to stop nagging about logging in to get updates so often. Stop please!
Not the biggest issue with 10.13 (Score:2)
I had a customer with an older Macbook Pro, for whom updating to 10.13 overwrote her boot partition with the 10.13 recovery partition - then froze dead in its tracks leaving the laptop unbootable. All her files that weren't overwritten had to be recovered by signature through Photorec.
I put in a brand new hard drive (the drive was starting to fail), and installed Sierra. Updating to 10.13 (High Sierra) did the same thing again.
Only resetting the PRAM solved it. I can't really even make sense of why that
"We need a patch by COB today!" (Score:3)
So, what you're saying is that when you rush out a patch, the development and QA processes suffer? The hell you say. No one could have predicted *that*.
Sometimes you have to say "Make it work for the most common case *now* and we'll pick up anything we missed later."
99 bugs (Score:4, Funny)
99 little bugs in the code
Take one down, pass it around
117 little bugs in the code
Already Fixed in Update (Score:2)
While this bug has not been patched in the 10.13.1 Update, it has been patched once-and-for-all in the upcoming 10.13.2 Update, now in Beta Testing.
Those who Install 10.13.1 simply need to re-run the current version of the "root access" Security Update, and all will be well.
Just some overlapping package-release timing stuff, exacerbated by Apple's desire to patch the original vulnerability as quickly as possible.
Obsolete? (Score:1)
Thanks, Apple, for labelling my old Mac Mini as obsolete, so I do not have to deal with this crap.
It's a...... (Score:1)