Apple Snafu Means Updating To macOS 10.13.1 Could Reactivate Root Access Bug

Mark Wilson writes: A few days ago, a serious security flaw with macOS High Sierra came to light. It was discovered that it was possible to log into the 'root' account without entering a password, and -- although the company seemed to have been alerted to the issue a couple of weeks back -- praise was heaped on Apple for pushing a fix out of the door quickly. But calm those celebrations. It now transpires that the bug fix has a bug of its own. Upgrade to macOS 10.13.1 and you could well find that the patch is undone. Slow hand clap.

Root access - need poppers

Anyone tried this recipe?

Oh good..

[HumanWiki]

"My slowclap processor made it into this thing." -GLaDOS

Re:Oh good..

[fuzzyf]

That one made me laugh :)

Wish I had modpoints. That is a clear +1 Funny in my book.
Maybe I should fire opp Portal again. Been a long time since I played it.

Re:Oh good..

[HumanWiki]

Now here we are again..
It's always such a pleasure..
Remember when you tried to mod, me once..

Re:Oh good..

[fuzzyf]

I'm terrible sorry but I can't quite place you
Hoping it wasn't that one time where I modded a post "Overrated" by mistake? I think I posted afterwards to cancel that mod

Anyway... I really liked the quote from Portal :) Thank you very much for that one!

Re: Oh good..

[HumanWiki]

You're fine. I was singing out the ending song to Portal 2 with regard to your wishing you had the ability to mod my post. Guess it wasn't as funny as the first.

Re: Oh good..

[fuzzyf]

lol :)
It's been quite some time since I played Portal 2 so I didn't remember that one at all. Probably means it will be really fun to play it again :)

SNAFU?

[The+Cynical+Critic]

This is definitely huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here. Sure, the FaceID debacle happened relatively recently, but these kinds of security fuck-ups are a regular thing even for Apple.

Oh and before someone starts compiling a list of security screw-ups going back to the 80s, one or two legitimate screw-ups every few years are hardly "situation normal" type scenario.

Re:SNAFU?

This is not a comment thread to discuss your homosexuality. I'm not judging you its just that you should take that somewhere else. This is a tech web site.

Re:SNAFU?

You know, I'm thinking you may be taking this just a bit too personally. I recommend you take less offense on behalf of a major corporation. Remember, Apple doesn't care about you, or your family. A trait no specific to Apple, but common among all corporations.

Re:SNAFU?

This is definitely huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here. Sure, the FaceID debacle happened relatively recently, but these kinds of security fuck-ups are a regular thing even for Apple.

Oh and before someone starts compiling a list of security screw-ups going back to the 80s, one or two legitimate screw-ups every few years are hardly "situation normal" type scenario.

This is the second time the same root-access bug has reared its ugly head IN THE LAST WEEK.

"SNAFU" seems quite apropos.

Re:SNAFU?

[v1]

it wasn't about the facts, it was about supplementing the headline with some clickbait

Re:SNAFU?

Hey man, lick my clean shaven balls!
 
GP makes a pertinent point. The "editors" here are lousy fakes at that. Slashdot is a front purchased to push a political agenda. All the "editors" do not even come CLOSE to passing as such.
 
EditorDavid or Miss Mash used "cutesy" in the previous summary. How journalistic is that? This is a geek news site. Summaries and titles should be written well above a fourth grade reading level, not well below it.

Re:SNAFU?

[tsqr]

This is definitely huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.

That's the origin, all right; however, since surfacing in WWII it's morphed from an acronym to a noun that means "a badly confused or ridiculously muddled situation". Seems appropriate in this case.

Re:SNAFU?

[jellomizer]

There is a hatred of Apple, actually there is a bigger set of tribalism in general in our communities. Being Slashdot being a strong Linux tribe, this means Microsoft and Apple, who are not Linux systems will get hate.
Being Linux is free and open source, there is a general tribal dislike of capitalism and large companies.
So Microsoft is the worse, Not Linux, big company, closed source, not based on open standards.
Then Apple, (iOS and OSX are based on Unix which has simular standard to Linux) is slightly better liked than Microsoft.
Then Google, Android is Linux Kernel, but it isn't pure, so it gets more of a free pass.

But to the point of this tribalism. We are celebrating others problems, while ignoring our own. Even if this problem is fairly minor, or even if it isn't, but treated in a timely method. We can Yell THEY SUCK!. While our side, who didn't make the news this week and say WE RULE!.

While the better response to Apples/Microsoft/Googles... Problems is to go back and Check your system to make sure such a problem isn't in your system, or has a tangential problem. Apple's OS X being Unix based, may have similar flaws in Linux or Android, because while it is a different code based, the two OS's are designed to follow similar specifications.

We have similar problems with Politics. An idea is good or bad based on if it was proposed by a R or an D. We are no longer focusing on the problem, just the person or company talking about it.

Re:SNAFU?

[TheRaven64]

I'm not sure. This is really a local privilege escalation vulnerability. These are bad, but they're also not uncommon. I can't remember a single OS X / macOS security update that that didn't fix at least one of these (especially since Google's Project Zero started looking for them). The big difference for this one is that it's easy to explain to a non-technical user.

Re:SNAFU?

[omnichad]

Absolutely fits. Not just for OS X and iOS where even the first point release is still too buggy to bother with on a new version, but also for their products in general where they pretend major flaws like swelling batteries don't exist.

Re:SNAFU?

[Ol+Olsoc]

This is definitely huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here. Sure, the FaceID debacle happened relatively recently, but these kinds of security fuck-ups are a regular thing even for Apple.

Situation normal whataboutism runs rampant.

The same people who seem to have Stockholm syndrome about their Windows machines problems will suffer premature ejaculation over a Mac problem.

Having both OSs , this issue notwithstanding, MacOS is a lot safer.

Now I do have a few issues with High Sierra, the ease with which you could encrypt an external drive like say a thumbdrive has changed from utter simplicity to a major "What the flaming hell?" is one, but compared with the Windows 10 update mess, where it seeminlgy randomly uninstalls operating drivers and replaces them with non-operating drivers of it's own, Apple remains the winner.

My biggest issue is that upon update, My Final Cut Studio and Sound programs were no longer operational. I have to spend th ebucks to get new versions. Apparently shows the proof that you only rent software when perfectly functioning software doesn't function any more. as an improvement. I think we are in an age of decreasing computer function however.

Re:SNAFU?

I'm sorry to hear that you have AIDS, however this is not the appropriate forum to discuss potential treatments. Kindly search Google for something that better meets your needs.

Re:SNAFU?

[Ol+Olsoc]

This is definitely huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.

That's the origin, all right; however, since surfacing in WWII it's morphed from an acronym to a noun that means "a badly confused or ridiculously muddled situation". Seems appropriate in this case.

To the point where it has become a SNAFU, amirite?

Re:SNAFU?

[DontBeAMoran]

I see each operating system as being the best for specific scenarios:
- macOS for desktop (no need to worry about KDE vs Gnome, ALSA vs whatever, etc).
- Linux/BSD for servers (from the smallest to the biggest).
- Windows for gaming and enterprise users.

Re:SNAFU?

[DontBeAMoran]

You want to hear about how annoying Windows 10 can be?

Last week-end I went to a LAN party to play games with friends. Upon installing a new game I had to reboot. Rebooting took much longer than usual and I immediately knew something was wrong. After a few minutes, Windows finally decided to let me know, the puny owner of the computer in question, that it was busy installing the "Falls Creators Update" or whatever the fuck that was.

I ended up waiting over one hour for this fucking unwanted update to finish.

What if it decided to start this shit when I tried to shutdown the computer instead? It says not to power down the PC while it's doing the upgrade so I would have had to leave my PC at my friend's place... what if I lived hours away and only go there once a month?

Why couldn't Windows ASK ME if it was a good time to install this shit? Unbelievable. The fucking idiots at Microsoft have no clue how people use their computers.

Re: SNAFU?

Sure, but at least we're not niqgers.

Re:SNAFU?

I see each operating system as being the best for specific scenarios:
- macOS for desktop (no need to worry about KDE vs Gnome, ALSA vs whatever, etc).
- Linux/BSD for servers (from the smallest to the biggest).
- Windows for gaming and enterprise users.

Except Linux memory management sucks. OOM killer?!?!? WTF?!?! The OS can't guarantee your memory? You asked for some and it's not really there? What braindead fool came up with that?!! Way to aim for nine 5s of availability... And if you drive a Linux box into hard swapping you pretty much have to reboot it - it'll be dainbramaged after it comes back.

Solaris is much, much better. Too damn bad Oracle killed it. (And if you call it "SlowWalrus" you need to go back to playing on your toy computers...)

Re:SNAFU?

[BronsCon]

Already checked all 4 Macs in my home to ensure they don't suffer from this. Twice now. And I think it sucks that I had to do that. What's your point?

That doesn't make Windows security suck any less, and it doesn't make the inability of Linux to run many industry-standard (depending on your industry) applications suck any less.

The truth is, all platforms suck; they all just suck at different things and in different ways. Pick the one that sucks the least for what you want/need to do and use it. Most of us here probably actually use all three major computing platforms on a regular basis, as well as both major mobile platforms, so of course you see a lot of have for all of them. Because they all suck.

Re:SNAFU?

[whoever57]

The fucking idiots at Microsoft have no clue how people use their computers.

No, they just have a difference of opinion with you over who owns the computer.

Re: SNAFU?

No, it was once for a root escalation bug and once for improper patch management or regression testing.

Itâ(TM)s just the same bug in two places.

Re:SNAFU?

We have similar problems with Politics. An idea is good or bad based on if it was proposed by a R or an D. We are no longer focusing on the problem, just the person or company talking about it.

We have similar problems with Politics. An idea is good or bad based on if it was proposed by a Retard or a Dipshit. We are no longer focusing on the problem, just the person or company talking about it.

There, FTFY.

Re:SNAFU?

[Ol+Olsoc]

Why couldn't Windows ASK ME if it was a good time to install this shit? Unbelievable. The fucking idiots at Microsoft have no clue how people use their computers.

Exactly - todays insane Windows experience in action. I had a choice on when to update to this latest so called creators update, but not always. Its like some kind of random process. And looks like they reinstall the entire

Have you had any programs or drivers uninstalled or changed yet? I have a Software Defined Radio that uses ethernet router or direct ethernet to connect to my computer. It has digital audio exchange so that you don't need separate audio cables as well as a virtual serial port (some dumbass legacy from old computer to radio control systems that they can't get away from. Pretty neat, a server with an RF front end.

I have a Windows 7 machine on which it all works perfectly, never a problem. My Windows 10 computer breaks the software on every update, necessitating me to use Revo to dig everything out of it and reinstall, then it works perfectly until the next update. For some reason, Windows refuses to play nicely with the driver, asserts authority, and boom, it quits working.

Re:SNAFU?

[jellomizer]

Well did you check your Windows and Linux boxes for this problem?
Or to the more detail point, have to validated the code, to see if something could be set to cause this. (A mislabeled "def" precompile operative?)
I was around during the time when the buffer overflow bug was found. So the first major attack was on the Unix LPR protocol. If you wern't using Unix LPR then you were all good right? No, because there was mountains of code in all different systems that could be hacked via a buffer overflow, because at the time, security was controlled by the UI, and a buffer overflow wasn't considered a security risk, but just a software reliability risk.
When ever a new problem or hack gets out, it should be investigated across many systems, because its nature may effect something else.

Re:SNAFU?

[BronsCon]

Well did you check your Windows and Linux boxes for this problem?

This exact problem? No, because Windows doesn't have a root account (or user-accessible equivalent) and my Linux systems don't implement any sort of account management into their login systems.

This is precisely the sort of bug that shouldn't be able to exist; a failed login should increment a counter and update a timestamp, the value of the counter and timestamp shouldn't come into play until the correct password is entered, at which point it should fail as though an incorrect password was entered if there have been X failures in Y minutes (where X and Y are determined by the user). Last I checked, macOS doesn't even have a failed login lockout feature (server used to, but desktop does not), so it's not even plausible to say there's a bug in that implementation -- there is no implementation of that to get wrong!

But that still doesn't take away from my point, which is that all of the current platforms suck in one way or another.

Re:SNAFU?

[Dragonslicer]

This is definitely huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.

Eh, that ship sailed years ago. On the other hand,

It now transpires that the bug fix has a bug of its own.

WTF?

Re: SNAFU?

Itâ(TM)s just the same bug in two places.

Yes that's what he said: This is the second time the same root-access bug has reared its ugly head IN THE LAST WEEK.

Re:SNAFU?

Already checked all 4 Macs in my home to ensure they don't suffer from this. Twice now. +

You had to check twice if you had applied the security patch on any machine running 13.0.x and then updated it to 13.1? Twice? You know, that sounds exactly like you.

So...

...They released the patch but forgot to apply to last available version? I can see no problem there.

Re:So...

You just have to reapply the patch. Big deal.

Jony Ive's marketing team

must have done the fixed in between emoji design meetings.

All Major Tech Companies Have These Moments

[Oswald+McWeany]

This for Apple is what the burning batteries was for Samsung.

You're pretty much guaranteed to make a major snafu every once in a while if you're a big tech company. The scary thing is when a snafu occurs when controlling a power plant, or a weapons system, or something that could be used as a weapon.

As long as it's just phones and laptops we're OK.

Re:All Major Tech Companies Have These Moments

[Thanatiel]

Tell me that next time your laptop or phones catch fires, hopefully when your are not asleep.

Re:All Major Tech Companies Have These Moments

This for Apple is what the burning batteries was for Samsung.

Not even close.
Samsung had to recall and reimburse all Note customers, they took a massive financial hit and a load of negative press and a major hit to their reputation of making solid reliable hardware.

What did this do to Apple ? Yeah they majorly fucked up, but financially it's not even a blip on their bottom line. They also got some negative press, but nowhere near the doom mongering over the exploding Samsungs.

Re:All Major Tech Companies Have These Moments

except that apple keeps fucking up software releases since jobs died... mainly because jobs would go "what is this? it's not good enough!, fix it and THEN you can release"

ever heard of the thousands of iLife 05 disks that got shredded because the drop shadows in suite's UI were inconsistent? jobs. stickler for details.

now, he wouldn't have caught this particular bug, but when apple actually HAD QA, it would have.

Non story

Of course if you upgrade to 10.13.1 it will remove the patch, the patch doesn't exist in that version and it is a full update, not a delta. Shortly after the upgrade it will download and apply the patch to 10.13.1.

Re:Non story

[Antique+Geekmeister]

That does create a window of opportunity. It's a window that could be detected by many external firewalls, which monitor web traffic as a matter of course and could detect the Apple update download.

Re:Non story

[Known+Nutter]

I'm pretty sure the macOS "root bug" requires physical access to the machine.

Re:Non story

[Nutria]

Isn't the "work around" to just have a root password (which there should be anyway)?

Re:Non story

[BronsCon]

If it's already been set up (e.g. a non-admin user has failed to elevate to root 3 times), I've heard reports that this bug does also allow remote connection to AFP shares, SSH, and remote access if those are enabled. I don't have an unpatched machine on hand in order to test, so I'm simply relaying. If you have an unpatched machine, you can verify it yourself; if not, I suppose it doesn't really matter.

Re:Non story

If it's already been set up (e.g. a non-admin user has failed to elevate to root 3 times), I've heard reports that this bug does also allow remote connection to AFP shares,

Aha, So? How could that apply to the scenario as described? Not at all.

And then the patch is re-applied

[Archon]

And then within 24 hours Security Update 2017-001 is auto applied if not manually done so earlier.

Re:And then the patch is re-applied

[Bing+Tsher+E]

So that 24 hour window is no problem.

Are there any third-party web-pages that are out there with links, recommending 'upgrade to the new MacOS 10.13.1' that have ads displayed on them? I would like to purchase some ads.

Re:And then the patch is re-applied

Mac OS updates complete by checking for any further updates, so a 24 hour window of vulnerability seems unlikely unless you choose not to apply the aforementioned security update. When I updated to 10.13.1, I was again shown the 2017-001 security update, which I reapplied.

Re:And then the patch is re-applied

[Archon]

No, this is still a huge fuckup.

- deploy OS updates w/root bug
- release 20017-01 security patch that fixes root bug but introduces Kerberos authentication bug ...root issue not fixed until machine is rebooted, which is neither documented or forced by the update
- release KB that provides instructions for manually fixing Kerberos bug by entering terminal command
- patch the 2017-01 security patch to not introduce Kerberos bug ...no documentation or version upgrading of the patch to denote changes

And now... ...updating to 10.13.1 if previously on 10.13.0 would re-instance root bug ...2017-01 security patch applied automatically but again it doesn't force a reboot ...users who update to 10.13.1 left unprotected until patch applied & Mac manually rebooted

A shit show.

Re:And then the patch is re-applied

10.13.1 was released prior to the security patch. You are trying to down grade and you are complaining that it is broken. You have shit for brains.

Re:And then the patch is re-applied

2017-01 security patch applied automatically but again it doesn't force a reboot ...users who update to 10.13.1 left unprotected until patch applied & Mac manually rebooted

A shit show.

Yeah, or it would be if the Security Update needed a reboot - which it doesn't.

Big deal

[110010001000]

Not sure who this "Root" guy is, but I always login with my iCloud username. Everyone knows iCloud is safe.

Re:Big deal

Holy shit are you funny! Keep eating the cheeseburgers, neckbeard. Soon you're get the big gripper. And we'll all be happier for it... including your parents.

Re:Big deal

Well, at least he is funnier than you.

At this point

I can safely assume that Apple's programmers are either incompetent, lazy, or a combination of both. No excuse for this crap.

Just stop nagging to upgrade please

[mattr]

I would like Apple to stop nagging me to upgrade to High Sierra via notifications. I am deathly afraid of clicking by accident. It is seldom that a Mac operating system upgrade soon after its launch goes well for the hapless end user. I'm sure I will do it some time, after I feel really good about my backup system and have no critical business scheduled. But when I invested in this MacBook Pro I felt it would last me 5-10 years as-is. Something closer to ZFS is great but not worth the aggravation that the Apple user is GUARANTEED to get if they upgrade soon after it comes out. Let some other early adopters become roadkill and just sit back and let the fireworks die down for a year. Some of us can't afford to be experimented on.

Re:Just stop nagging to upgrade please

[TheRaven64]

I am deathly afraid of clicking by accident

You are easily frightened. If you click on most of it, it will launch the app store and show you a big banner telling you how awesome Apple thinks High Sierra is. If you click on the 'later' button, it will go away and bug you later. If you click on the 'install' button, it will launch the installer, which will then give you an option to cancel the installation. Which one of these possible outcomes causes a reaction of deathly fear?

Re:Just stop nagging to upgrade please

There is no "later" option. You get two choices: update now, or go look at the update.

Best plan is to turn update checking off entirely off in preferences. You can still do it manually when you've of a mind to. Apple's notification policies are very unfriendly.

--fyngyrz

anon due to mod points and clueless slashdot policies

Re:Just stop nagging to upgrade please

[antdude]

It's like Microsoft. I also would like Apple and others to stop nagging about logging in to get updates so often. Stop please!

FiR5t post

standpoint, I don't a BSD box that very own 5hitter, fucking market need to join the Guys are usually writing is on the of OpenBSD. How 4, which by all

Not the biggest issue with 10.13

[omnichad]

I had a customer with an older Macbook Pro, for whom updating to 10.13 overwrote her boot partition with the 10.13 recovery partition - then froze dead in its tracks leaving the laptop unbootable. All her files that weren't overwritten had to be recovered by signature through Photorec.

I put in a brand new hard drive (the drive was starting to fail), and installed Sierra. Updating to 10.13 (High Sierra) did the same thing again.

Only resetting the PRAM solved it. I can't really even make sense of why that was required or why that worked.

Re:Not the biggest issue with 10.13

What the hell? Is this normal every day Mac stuff with older hardware?

Re:Not the biggest issue with 10.13

nope. it's just with high sierra.

apple fucked up. do not install high sierra. not worth the trouble.

"We need a patch by COB today!"

[Chelloveck]

So, what you're saying is that when you rush out a patch, the development and QA processes suffer? The hell you say. No one could have predicted *that*.

Sometimes you have to say "Make it work for the most common case *now* and we'll pick up anything we missed later.

99 bugs

[stealth_finger]

99 little bugs in the code
99 little bugs in the code
Take one down, pass it around
117 little bugs in the code

its concrete proof that..

In fact MsMash is sucking dick for dope..
bEaUhd is this your only sexual outlet???

plug your dick in the wall, get more out of it and it';s safer fro,m an STD perspective

Already Fixed in Update

[TheFakeTimCook]

While this bug has not been patched in the 10.13.1 Update, it has been patched once-and-for-all in the upcoming 10.13.2 Update, now in Beta Testing.

Those who Install 10.13.1 simply need to re-run the current version of the "root access" Security Update, and all will be well.

Just some overlapping package-release timing stuff, exacerbated by Apple's desire to patch the original vulnerability as quickly as possible.

Obsolete?

Thanks, Apple, for labelling my old Mac Mini as obsolete, so I do not have to deal with this crap.

Could slashdot be any slower?

This is about the prior release of macOS. Slashdot now sees stories weeks after mainstream media.

Weak.

Not "Log in" elevate privilege.

You already had to be logged into the machine. The only times this is a security problem is when you lend your machine to someone else, allow someone a remote access or the computer belongs to your company and they do not trust you with admin rights.

Of cause it is bad, but it is not a fatal problem and it is not the first time an OS has has a local root exploit due to a "feature".

Here's how to stop it

I would like Apple to stop nagging me to upgrade to High Sierra via notifications.

Turn off check for updates then.

In 10.12.6 , it's system preferences, app store icon. Un-check "Automatically check for updates"

You can still check manually - just open the app store, and click on the updates icon at the top. It's much less annoying than their "choose between going to look at this or doing it" moronic notification.

--fyngyrz

anon due to mod points and clueless slashdot policies

It's a......

[MerlTurkin]

FEATURE!