Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Apple Pushes Updates to Block the Root Vulnerability Bug
Adam C. Engst

[Editor's Note: This article is a significant update to '[1]Update Immediately to Block the Root Vulnerability Bug' (29 November 2017), because so much information has changed since we first published that piece. This article supplants the previous one. -Adam]

As I predicted in '[2]High Sierra Bug Provides Full Root Access' (28 November 2017), Apple quickly released [3]Security Update 2017-001 to address the root vulnerability bug that enabled anyone to gain admin access without a password. I've installed it and confirmed that it works as advertised.

[Image: Root-bug-fixed (see reference 4)]

On 29 November 2017, Apple initially made Security Update 2017-001 available as a regular download via Software Update, but later that day the company started using the automatic update mechanism built into macOS to push the update to all Macs running High Sierra, both versions 10.13.0 and 10.13.1. No restart is required, so Apple can install the update silently, without notifying the user in any way.

We believe that a Mac must be awake for the automatic update to install, since we've seen it appear on a MacBook Pro that was awake yesterday, but not on a MacBook Air that was sleeping all day (lazybones!). If your Mac has been asleep since Apple released Security Update 2017-001, you'll see it in the Updates tab in the App Store app, and you can still install it manually.

We usually recommend caution when it comes to installing updates, but this vulnerability is so severe that the fix is more important than any trouble it could conceivably cause. In fact, it did cause problems. Apple released two versions of Security Update 2017-001 yesterday. The first updated High Sierra to build 17B1002, and the second to build 17B1003. (To verify that number, choose Apple menu > About This Mac and click the Version 10.13.1 line.) The second version was necessary because [5]the first broke authentication for file sharing. We didn't test file sharing after installing the update yesterday because the original bug didn't affect file sharing.

[Image: Root-bug-macOS-updated-again (see reference 6)]

If you installed Security Update 2017-001 yesterday and your build number is 17B1002, Software Update should offer you the update again; install it manually to fix the file sharing bug and move to build 17B1003. On my iMac with build 17B1002, no automatic update took place.

For those who need [7]a standalone installer for Security Update 2017-001, Apple has now made such a download available.

If you have a legitimate use for the root user account on your Mac, you'll need to re-enable it and change its password in Directory Utility after installing the update. Hardly anyone should have to do this.

Why all this fuss? Although the Mac community identified the primary attack vectors on 28 November 2017, when the vulnerability was first publicized, it's possible that there are others that are not blocked by changing the root password or disabling remote access. We have to assume that black hat hackers are already probing every possible area where this bug could provide access. That's why it's entirely reasonable for Apple to push the security update to all systems.

In a statement to John Gruber of Daring Fireball, [8]Apple said:

"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS. When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

Apple deserves credit for releasing this security update less than 24 hours after the bug was publicized on Twitter. That quick reaction time is reassuring, much as I'm sure many developers, testers, and deployment teams at Apple had a truly awful day.

But the fact that Apple could introduce a security hole the size of a truck into High Sierra is appalling. Ensuring that unauthorized users can't act as the root user in a Unix system is basic security, because anyone who can become root can do anything they want. That the vulnerability escaped notice in Apple's security testing is almost worse than the bug itself, and the initial release of Security Update 2017-001 breaking file sharing authentication is also distressing.

And yes, if you've been waiting to upgrade to High Sierra, pat yourself on the back. 10.12 Sierra and earlier versions of OS X don't suffer from this bug.

References
1. http://tidbits.com/article/17651
2. http://tidbits.com/article/17650
3. https://support.apple.com/en-us/HT208315
4. http://tidbits.com/resources/2017-11/Root-bug-fixed.png
5. https://www.macrumors.com/2017/11/29/apple-macos-high-sierra-file-sharing-fix/
6. http://tidbits.com/resources/2017-11/Root-bug-macOS-updated-again.png
7. https://support.apple.com/kb/DL1942
8. https://daringfireball.net/linked/2017/11/29/high-sierra-root-login-fix
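The build-number check the article describes (About This Mac, then click the version line) can also be scripted for a fleet of Macs. The script below is an added example, not from TidBITS or Apple; it classifies a build string against the two Security Update 2017-001 builds named above and, on a Mac, reads the live build with sw_vers and asks softwareupdate whether the fix is still pending. It assumes that High Sierra 10.13.0 and 10.13.1 builds begin with 17A and 17B respectively, and that the function names are mine.

```shell
#!/bin/sh
# Added example (not the article's or Apple's code): fleet-style check for
# Security Update 2017-001. Assumption: High Sierra builds start with
# 17A (10.13.0) or 17B (10.13.1); any other prefix is treated as not affected.

classify_build() {
  case "$1" in
    17B1003)   echo "fixed" ;;         # second release of Security Update 2017-001
    17B1002)   echo "reinstall" ;;     # first release: root hole closed, file sharing broken
    17A*|17B*) echo "vulnerable" ;;    # 10.13.0 / 10.13.1 without the security update
    *)         echo "not-affected" ;;  # Sierra and earlier, or a later macOS
  esac
}

# Human-readable guidance for each state, mirroring the article's advice.
advice_for() {
  case "$1" in
    fixed)        echo "No action needed." ;;
    reinstall)    echo "Install Security Update 2017-001 again to reach build 17B1003 (fixes file sharing)." ;;
    vulnerable)   echo "Install Security Update 2017-001 now (App Store > Updates, or the standalone installer)." ;;
    not-affected) echo "Not High Sierra 10.13.0/10.13.1; the root bug does not apply." ;;
  esac
}

# Live, report-only check. sw_vers and softwareupdate exist only on macOS,
# so this returns quietly on other systems.
check_this_mac() {
  command -v sw_vers >/dev/null 2>&1 || { echo "sw_vers not found; not a Mac"; return 0; }
  build=$(sw_vers -buildVersion)
  status=$(classify_build "$build")
  echo "build $build: $status"
  advice_for "$status"
  case "$status" in
    vulnerable|reinstall)
      # softwareupdate -l only lists pending updates; it installs nothing.
      softwareupdate -l 2>/dev/null | grep -i "Security Update 2017-001" \
        || echo "Security Update 2017-001 not currently listed; check the App Store app."
      ;;
  esac
}

if [ "${1:-}" = "--check" ]; then
  check_this_mac
fi
```

Run it as `sh check-root-fix.sh --check` on each Mac; the classify_build function alone can be fed build strings collected by an inventory tool.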