Apple Snafu Means Updating To macOS 10.13.1 Could Reactivate Root Access Bug (betanews.com)
Mark Wilson writes: A few days ago, a serious security flaw with macOS High Sierra came to light. It was discovered that it was possible to log into the 'root' account without entering a password, and -- although the company seemed to have been alerted to the issue a couple of weeks back -- praise was heaped on Apple for pushing a fix out of the door quickly. But calm those celebrations. It now transpires that the bug fix has a bug of its own. Upgrade to macOS 10.13.1 and you could well find that the patch is undone. Slow hand clap.
"My slowclap processor made it into this thing." -GLaDOS
must have done the fix in between emoji design meetings.
You know, I'm thinking you may be taking this just a bit too personally. I recommend you take less offense on behalf of a major corporation. Remember, Apple doesn't care about you, or your family. A trait not specific to Apple, but common among all corporations.
Not sure who this "Root" guy is, but I always login with my iCloud username. Everyone knows iCloud is safe.
This is definitely a huge blunder, but a SNAFU? Because it stands for "Situation Normal - All Fucked Up" and implies something happens all the time, which is not the case here.
That's the origin, all right; however, since surfacing in WWII it's morphed from an acronym to a noun that means "a badly confused or ridiculously muddled situation". Seems appropriate in this case.
I would like Apple to stop nagging me to upgrade to High Sierra via notifications. I am deathly afraid of clicking by accident. It is seldom that a Mac operating system upgrade soon after its launch goes well for the hapless end user. I'm sure I will do it some time, after I feel really good about my backup system and have no critical business scheduled. But when I invested in this MacBook Pro I felt it would last me 5-10 years as-is. Something closer to ZFS is great but not worth the aggravation that the Apple user is GUARANTEED to get if they upgrade soon after it comes out. Let some other early adopters become roadkill and just sit back and let the fireworks die down for a year. Some of us can't afford to be experimented on.
There is a hatred of Apple; actually there is a bigger set of tribalism in general in our communities. Slashdot being a strong Linux tribe, this means Microsoft and Apple, who are not Linux systems, will get hate.
Since Linux is free and open source, there is a general tribal dislike of capitalism and large companies.
So Microsoft is the worst: not Linux, big company, closed source, not based on open standards.
Then Apple (iOS and OSX are based on Unix, which has similar standards to Linux) is slightly better liked than Microsoft.
Then Google: Android is the Linux kernel, but it isn't pure, so it gets more of a free pass.
But to the point of this tribalism. We are celebrating others' problems, while ignoring our own. Even if this problem is fairly minor, or even if it isn't, but is treated in a timely manner, we can yell "THEY SUCK!", while our side, who didn't make the news this week, says "WE RULE!".
While the better response to Apple's/Microsoft's/Google's... problems is to go back and check your system to make sure such a problem isn't in your system, or has a tangential problem. Apple's OS X being Unix based, there may be similar flaws in Linux or Android, because while it is a different code base, the two OSes are designed to follow similar specifications.
We have similar problems with politics. An idea is good or bad based on whether it was proposed by an R or a D. We are no longer focusing on the problem, just the person or company talking about it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
So, what you're saying is that when you rush out a patch, the development and QA processes suffer? The hell you say. No one could have predicted *that*.
Sometimes you have to say "Make it work for the most common case *now* and we'll pick up anything we missed later."
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
No, this is still a huge fuckup.
- deploy OS updates w/ root bug
  - root issue not fixed until machine is rebooted, which is neither documented nor forced by the update
  - no documentation or version upgrading of the patch to denote changes
- release 2017-01 security patch that fixes root bug but introduces Kerberos authentication bug
- release KB that provides instructions for manually fixing Kerberos bug by entering terminal command
- patch the 2017-01 security patch to not introduce Kerberos bug
And now...
  - updating to 10.13.1 if previously on 10.13.0 would reinstate root bug
  - 2017-01 security patch applied automatically but again it doesn't force a reboot
  - users who update to 10.13.1 left unprotected until patch applied & Mac manually rebooted
A shit show.
99 little bugs in the code
99 little bugs in the code
Take one down, pass it around
117 little bugs in the code
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
Already checked all 4 Macs in my home to ensure they don't suffer from this. Twice now. And I think it sucks that I had to do that. What's your point?
That doesn't make Windows security suck any less, and it doesn't make the inability of Linux to run many industry-standard (depending on your industry) applications suck any less.
The truth is, all platforms suck; they all just suck at different things and in different ways. Pick the one that sucks the least for what you want/need to do and use it. Most of us here probably actually use all three major computing platforms on a regular basis, as well as both major mobile platforms, so of course you see a lot of hate for all of them. Because they all suck.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Well did you check your Windows and Linux boxes for this problem?
This exact problem? No, because Windows doesn't have a root account (or user-accessible equivalent) and my Linux systems don't implement any sort of account management into their login systems.
This is precisely the sort of bug that shouldn't be able to exist; a failed login should increment a counter and update a timestamp, the value of the counter and timestamp shouldn't come into play until the correct password is entered, at which point it should fail as though an incorrect password was entered if there have been X failures in Y minutes (where X and Y are determined by the user). Last I checked, macOS doesn't even have a failed login lockout feature (server used to, but desktop does not), so it's not even plausible to say there's a bug in that implementation -- there is no implementation of that to get wrong!
But that still doesn't take away from my point, which is that all of the current platforms suck in one way or another.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
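The lockout design sketched in the comment above (count failures, consult the counter only once the correct password arrives, then refuse if X failures fell inside Y minutes), as an added illustration that is not Apple's code nor anything from the thread; the names, the PBKDF2 record format and the choice to reset the window on a genuine login are assumptions:

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Constructed illustration of the commenter's lockout logic (not macOS code).
# Failures are only counted; the count is consulted only after the password
# verifies, and the login is then refused (like a wrong password) if at least
# X failures happened within the last Y minutes.

def make_record(password, salt=None):
    """Salted PBKDF2-SHA256 record for a password (demo format, an assumption)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def verify(password, record):
    """Constant-time comparison; an empty password never matches a real record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

class LoginGuard:
    def __init__(self, max_failures, window_minutes):
        self.max_failures = max_failures      # X in the comment
        self.window = window_minutes * 60     # Y in the comment, in seconds
        self.failures = {}                    # user -> deque of failure timestamps

    def _recent_failures(self, user, t):
        q = self.failures.setdefault(user, deque())
        while q and t - q[0] > self.window:   # forget failures older than Y minutes
            q.popleft()
        return len(q)

    def attempt(self, user, password, record, now=None):
        """True only if the password is right AND no lockout is in effect."""
        t = time.time() if now is None else now   # injectable clock for testing
        q = self.failures.setdefault(user, deque())
        if not verify(password, record):
            q.append(t)                       # wrong password: record it, nothing else
            return False
        if self._recent_failures(user, t) >= self.max_failures:
            q.append(t)                       # locked out: counts as one more failure
            return False                      # indistinguishable from a wrong password
        q.clear()                             # assumption: a real login resets the window
        return True
```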