Apple Snafu Means Updating To macOS 10.13.1 Could Reactivate Root Access Bug (betanews.com)
Mark Wilson writes: A few days ago, a serious security flaw with macOS High Sierra came to light. It was discovered that it was possible to log into the 'root' account without entering a password, and -- although the company seemed to have been alerted to the issue a couple of weeks back -- praise was heaped on Apple for pushing a fix out of the door quickly. But calm those celebrations. It now transpires that the bug fix has a bug of its own. Upgrade to macOS 10.13.1 and you could well find that the patch is undone. Slow hand clap.
No, this is still a huge fuckup.
- deploy OS updates w/root bug ...root issue not fixed until machine is rebooted, which is neither documented nor forced by the update ...no documentation or version upgrading of the patch to denote changes
- release 2017-01 security patch that fixes root bug but introduces Kerberos authentication bug
- release KB that provides instructions for manually fixing Kerberos bug by entering terminal command
- patch the 2017-01 security patch to not introduce Kerberos bug
And now... ...updating to 10.13.1 if previously on 10.13.0 would reinstate root bug ...2017-01 security patch applied automatically but again it doesn't force a reboot ...users who update to 10.13.1 left unprotected until patch applied & Mac manually rebooted
A shit show.
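A defender's check for the state the story and the comment above describe, added here as an example (not from the article or the commenter): it classifies a Mac as mitigated or still exposed from two signals, the product version and whether the root account has an authentication authority. It assumes `sw_vers -productVersion` and `dscl . -read /Users/root AuthenticationAuthority` behave as on macOS 10.13 (an absent key is reported as "No such key"); the sample strings in the test are constructed.

```shell
#!/bin/sh
# Added example: assess exposure to the High Sierra blank-root-password bug.
# Assumes the dscl/sw_vers output formats of macOS 10.13; not the article's code.

# Root account state from the text of `dscl . -read /Users/root AuthenticationAuthority`.
# "No such key" means root has no authentication authority, i.e. the account is
# disabled, which is the state the security patch restores. A ShadowHash entry
# means root is enabled (by the bug with an empty password, or deliberately).
root_state_from_dscl() {
    case "$1" in
        *"No such key"*) echo "disabled" ;;
        *ShadowHash*)    echo "enabled" ;;
        *)               echo "unknown" ;;
    esac
}

# Only High Sierra (10.13.x) carried the bug. The comment above notes the fix
# only takes effect after a reboot, so the verdict is driven by the live root
# state rather than by whether the update package was installed.
version_affected() {
    case "$1" in
        10.13|10.13.*) echo "yes" ;;
        *)             echo "no" ;;
    esac
}

# Combine both signals into a single verdict suitable for fleet reporting.
assess() {  # $1 = product version, $2 = dscl output
    if [ "$(version_affected "$1")" = "no" ]; then
        echo "not-affected"
    elif [ "$(root_state_from_dscl "$2")" = "disabled" ]; then
        echo "mitigated"
    else
        echo "root-enabled-check-patch-and-reboot"
    fi
}

# Live check when run on a Mac; skipped on other systems so the functions stay testable.
if command -v dscl >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    assess "$(sw_vers -productVersion)" "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
fi
```

A "root-enabled" verdict on a patched 10.13.1 machine is exactly the unrebooted state the comment describes; a verdict of "mitigated" after reboot confirms the patch took.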