Apple Snafu Means Updating To macOS 10.13.1 Could Reactivate Root Access Bug (betanews.com)
Mark Wilson writes: A few days ago, a serious security flaw with macOS High Sierra came to light. It was discovered that it was possible to log into the 'root' account without entering a password, and -- although the company seemed to have been alerted to the issue a couple of weeks back -- praise was heaped on Apple for pushing a fix out of the door quickly. But calm those celebrations. It now transpires that the bug fix has a bug of its own. Upgrade to macOS 10.13.1 and you could well find that the patch is undone. Slow hand clap.
"My slowclap processor made it into this thing." -GLaDOS
...They released the patch but forgot to apply to last available version? I can see no problem there.
must have done the fix in between emoji design meetings.
This for Apple is what the burning batteries was for Samsung.
You're pretty much guaranteed to make a major snafu every once in a while if you're a big tech company. The scary thing is when a snafu occurs when controlling a power plant, or a weapons system, or something that could be used as a weapon.
As long as it's just phones and laptops we're OK.
"That's the way to do it" - Punch
You know, I'm thinking you may be taking this just a bit too personally. I recommend you take less offense on behalf of a major corporation. Remember, Apple doesn't care about you, or your family. A trait not specific to Apple, but common among all corporations.
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here. Sure, the FaceID debacle happened relatively recently, but these kinds of security fuck-ups are a regular thing even for Apple.
Oh and before someone starts compiling a list of security screw-ups going back to the 80s, one or two legitimate screw-ups every few years are hardly a "situation normal" type scenario.
This is the second time the same root-access bug has reared its ugly head IN THE LAST WEEK.
"SNAFU" seems quite apropos.
Of course if you upgrade to 10.13.1 it will remove the patch, the patch doesn't exist in that version and it is a full update, not a delta. Shortly after the upgrade it will download and apply the patch to 10.13.1.
it wasn't about the facts, it was about supplementing the headline with some clickbait
I work for the Department of Redundancy Department.
And then within 24 hours Security Update 2017-001 is auto applied if not manually done so earlier.
Not sure who this "Root" guy is, but I always login with my iCloud username. Everyone knows iCloud is safe.
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.
That's the origin, all right; however, since surfacing in WWII it's morphed from an acronym to a noun that means "a badly confused or ridiculously muddled situation". Seems appropriate in this case.
I can safely assume that Apple's programmers are either incompetent, lazy, or a combination of both. No excuse for this crap.
I would like Apple to stop nagging me to upgrade to High Sierra via notifications. I am deathly afraid of clicking by accident. It is seldom that a Mac operating system upgrade soon after its launch goes well for the hapless end user. I'm sure I will do it some time, after I feel really good about my backup system and have no critical business scheduled. But when I invested in this MacBook Pro I felt it would last me 5-10 years as-is. Something closer to ZFS is great but not worth the aggravation that the Apple user is GUARANTEED to get if they upgrade soon after it comes out. Let some other early adopters become roadkill and just sit back and let the fireworks die down for a year. Some of us can't afford to be experimented on.
There is a hatred of Apple; actually there is a bigger set of tribalism in general in our communities. Slashdot being a strong Linux tribe, this means Microsoft and Apple, which are not Linux systems, will get hate.
Linux being free and open source, there is a general tribal dislike of capitalism and large companies.
So Microsoft is the worst: not Linux, big company, closed source, not based on open standards.
Then Apple (iOS and OSX are based on Unix, which has similar standards to Linux) is slightly better liked than Microsoft.
Then Google, Android is Linux Kernel, but it isn't pure, so it gets more of a free pass.
But to the point of this tribalism. We are celebrating others' problems while ignoring our own. Even if this problem is fairly minor, or even if it isn't but is treated in a timely manner, we can yell THEY SUCK! while our side, which didn't make the news this week, says WE RULE!
While the better response to Apple's/Microsoft's/Google's... problems is to go back and check your system to make sure such a problem isn't in your system, or has a tangential problem. Apple's OS X being Unix based may have similar flaws to Linux or Android, because while it is a different code base, the two OSes are designed to follow similar specifications.
We have similar problems with politics. An idea is good or bad based on whether it was proposed by an R or a D. We are no longer focusing on the problem, just the person or company talking about it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I'm not sure. This is really a local privilege escalation vulnerability. These are bad, but they're also not uncommon. I can't remember a single OS X / macOS security update that didn't fix at least one of these (especially since Google's Project Zero started looking for them). The big difference for this one is that it's easy to explain to a non-technical user.
I am TheRaven on Soylent News
Absolutely fits. Not just for OS X and iOS where even the first point release is still too buggy to bother with on a new version, but also for their products in general where they pretend major flaws like swelling batteries don't exist.
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here. Sure, the FaceID debacle happened relatively recently, but these kinds of security fuck-ups are a regular thing even for Apple.
Situation normal whataboutism runs rampant.
The same people who seem to have Stockholm syndrome about their Windows machines problems will suffer premature ejaculation over a Mac problem.
Having both OSs , this issue notwithstanding, MacOS is a lot safer.
Now I do have a few issues with High Sierra; the ease with which you could encrypt an external drive like, say, a thumbdrive has changed from utter simplicity to a major "What the flaming hell?" is one, but compared with the Windows 10 update mess, where it seemingly randomly uninstalls operating drivers and replaces them with non-operating drivers of its own, Apple remains the winner.
My biggest issue is that upon update, my Final Cut Studio and Sound programs were no longer operational. I have to spend the bucks to get new versions. Apparently shows the proof that you only rent software when perfectly functioning software doesn't function any more, as an improvement. I think we are in an age of decreasing computer function however.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.
That's the origin, all right; however, since surfacing in WWII it's morphed from an acronym to a noun that means "a badly confused or ridiculously muddled situation". Seems appropriate in this case.
To the point where it has become a SNAFU, amirite?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I had a customer with an older Macbook Pro, for whom updating to 10.13 overwrote her boot partition with the 10.13 recovery partition - then froze dead in its tracks leaving the laptop unbootable. All her files that weren't overwritten had to be recovered by signature through Photorec.
I put in a brand new hard drive (the drive was starting to fail), and installed Sierra. Updating to 10.13 (High Sierra) did the same thing again.
Only resetting the PRAM solved it. I can't really even make sense of why that was required or why that worked.
I see each operating system as being the best for specific scenarios:
- macOS for desktop (no need to worry about KDE vs Gnome, ALSA vs whatever, etc).
- Linux/BSD for servers (from the smallest to the biggest).
- Windows for gaming and enterprise users.
#DeleteFacebook
You want to hear about how annoying Windows 10 can be?
Last week-end I went to a LAN party to play games with friends. Upon installing a new game I had to reboot. Rebooting took much longer than usual and I immediately knew something was wrong. After a few minutes, Windows finally decided to let me know, the puny owner of the computer in question, that it was busy installing the "Falls Creators Update" or whatever the fuck that was.
I ended up waiting over one hour for this fucking unwanted update to finish.
What if it decided to start this shit when I tried to shutdown the computer instead? It says not to power down the PC while it's doing the upgrade so I would have had to leave my PC at my friend's place... what if I lived hours away and only go there once a month?
Why couldn't Windows ASK ME if it was a good time to install this shit? Unbelievable. The fucking idiots at Microsoft have no clue how people use their computers.
#DeleteFacebook
So, what you're saying is that when you rush out a patch, the development and QA processes suffer? The hell you say. No one could have predicted *that*.
Sometimes you have to say "Make it work for the most common case *now* and we'll pick up anything we missed later."
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
I see each operating system as being the best for specific scenarios:
- macOS for desktop (no need to worry about KDE vs Gnome, ALSA vs whatever, etc).
- Linux/BSD for servers (from the smallest to the biggest).
- Windows for gaming and enterprise users.
Except Linux memory management sucks. OOM killer?!?!? WTF?!?! The OS can't guarantee your memory? You asked for some and it's not really there? What braindead fool came up with that?!! Way to aim for nine 5s of availability... And if you drive a Linux box into hard swapping you pretty much have to reboot it - it'll be dainbramaged after it comes back.
Solaris is much, much better. Too damn bad Oracle killed it. (And if you call it "SlowWalrus" you need to go back to playing on your toy computers...)
99 little bugs in the code
99 little bugs in the code
Take one down, pass it around
117 little bugs in the code
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
Already checked all 4 Macs in my home to ensure they don't suffer from this. Twice now. And I think it sucks that I had to do that. What's your point?
That doesn't make Windows security suck any less, and it doesn't make the inability of Linux to run many industry-standard (depending on your industry) applications suck any less.
The truth is, all platforms suck; they all just suck at different things and in different ways. Pick the one that sucks the least for what you want/need to do and use it. Most of us here probably actually use all three major computing platforms on a regular basis, as well as both major mobile platforms, so of course you see a lot of hate for all of them. Because they all suck.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
No, they just have a difference of opinion with you over who owns the computer.
The real "Libtards" are the Libertarians!
Why couldn't Windows ASK ME if it was a good time to install this shit? Unbelievable. The fucking idiots at Microsoft have no clue how people use their computers.
Exactly - today's insane Windows experience in action. I had a choice on when to update to this latest so-called Creators Update, but not always. It's like some kind of random process. And looks like they reinstall the entire
Have you had any programs or drivers uninstalled or changed yet? I have a Software Defined Radio that uses an ethernet router or direct ethernet to connect to my computer. It has digital audio exchange so that you don't need separate audio cables, as well as a virtual serial port (some dumbass legacy from old computer-to-radio control systems that they can't get away from). Pretty neat, a server with an RF front end.
I have a Windows 7 machine on which it all works perfectly, never a problem. My Windows 10 computer breaks the software on every update, necessitating me to use Revo to dig everything out of it and reinstall, then it works perfectly until the next update. For some reason, Windows refuses to play nicely with the driver, asserts authority, and boom, it quits working.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
While this bug has not been patched in the 10.13.1 Update, it has been patched once-and-for-all in the upcoming 10.13.2 Update, now in Beta Testing.
Those who Install 10.13.1 simply need to re-run the current version of the "root access" Security Update, and all will be well.
Just some overlapping package-release timing stuff, exacerbated by Apple's desire to patch the original vulnerability as quickly as possible.
Thanks, Apple, for labelling my old Mac Mini as obsolete, so I do not have to deal with this crap.
This is about the prior release of macOS. Slashdot now sees stories weeks after mainstream media.
Weak.
Well did you check your Windows and Linux boxes for this problem?
Or to the more detailed point, have you validated the code, to see if something could be set to cause this? (A mislabeled "def" precompile operative?)
I was around during the time when the buffer overflow bug was found. So the first major attack was on the Unix LPR protocol. If you weren't using Unix LPR then you were all good, right? No, because there were mountains of code in all different systems that could be hacked via a buffer overflow, because at the time, security was controlled by the UI, and a buffer overflow wasn't considered a security risk, but just a software reliability risk.
Whenever a new problem or hack gets out, it should be investigated across many systems, because its nature may affect something else.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Well did you check your Windows and Linux boxes for this problem?
This exact problem? No, because Windows doesn't have a root account (or user-accessible equivalent) and my Linux systems don't implement any sort of account management into their login systems.
This is precisely the sort of bug that shouldn't be able to exist; a failed login should increment a counter and update a timestamp, the value of the counter and timestamp shouldn't come into play until the correct password is entered, at which point it should fail as though an incorrect password was entered if there have been X failures in Y minutes (where X and Y are determined by the user). Last I checked, macOS doesn't even have a failed login lockout feature (server used to, but desktop does not), so it's not even plausible to say there's a bug in that implementation -- there is no implementation of that to get wrong!
But that still doesn't take away from my point, which is that all of the current platforms suck in one way or another.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
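The lockout design sketched in the comment above (record every failure, but only consult the failure history once the supplied password is actually correct, so the lockout path can never become a bypass), written out as an added example; this is constructed illustration code, not macOS's login implementation, and the user/password values are made up:

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Constructed example (not Apple's code). Failures are recorded with a
# timestamp; the failure count only matters after the password has been
# verified as correct, and a locked-out login reports exactly the same
# result as a wrong password.
class LoginGuard:
    def __init__(self, max_failures, window_seconds, clock=time.time):
        self.max_failures = max_failures   # "X" failures ...
        self.window = window_seconds       # ... within "Y" (here in seconds)
        self.clock = clock                 # injectable clock for testing
        self.failures = {}                 # user -> deque of failure timestamps

    @staticmethod
    def hash_password(password, salt=None, iterations=200_000):
        # PBKDF2-HMAC-SHA256; the salt is random unless one is supplied.
        salt = salt if salt is not None else os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        return salt, iterations, digest

    def _recent_failures(self, user, now):
        # Drop failures that fell outside the window before counting them.
        q = self.failures.setdefault(user, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def attempt(self, user, password, stored):
        salt, iterations, expected = stored
        now = self.clock()
        q = self._recent_failures(user, now)
        _, _, actual = self.hash_password(password, salt, iterations)
        # An empty or wrong password always fails, whatever the lockout state.
        if not hmac.compare_digest(actual, expected):
            q.append(now)
            return False
        # Only a correct password reaches the lockout check; a locked-out
        # user gets the same answer as a wrong password, and it is counted.
        if len(q) >= self.max_failures:
            q.append(now)
            return False
        q.clear()
        return True
```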
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.
Eh, that ship sailed years ago. On the other hand,
It now transpires that the bug fix has a bug of its own.
WTF?
You already had to be logged into the machine. The only times this is a security problem is when you lend your machine to someone else, allow someone remote access, or the computer belongs to your company and they do not trust you with admin rights.
Of course it is bad, but it is not a fatal problem and it is not the first time an OS has had a local root exploit due to a "feature".
Turn off check for updates then.
In 10.12.6, it's System Preferences, App Store icon. Un-check "Automatically check for updates".
You can still check manually - just open the app store, and click on the updates icon at the top. It's much less annoying than their "choose between going to look at this or doing it" moronic notification.
--fyngyrz
anon due to mod points and clueless slashdot policies
It's just the same bug in two places.
Yes that's what he said: This is the second time the same root-access bug has reared its ugly head IN THE LAST WEEK.
FEATURE!
Already checked all 4 Macs in my home to ensure they don't suffer from this. Twice now.
You had to check twice if you had applied the security patch on any machine running 13.0.x and then updated it to 13.1? Twice? You know, that sounds exactly like you.