Updating macOS can bring back the nasty "root" security bug


Apparently, the only way to truly solve the problem for users that were "late" to update to the newest version of macOS High Sierra is to install 10.13.1, reboot, then install the root security update.

The root bug allows anyone to log in or authenticate as a system administrator on systems running macOS High Sierra by simply typing in the username "root" and leaving the password field blank, in many circumstances.

Even if a Mac user reinstalls the security update after updating to macOS High Sierra 10.13.1 - and actually, Apple will automatically install it no matter what - users could still be at risk, according to Thomas Reed, a security researcher at MalwareBytes focused on Apple products. "Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra". It seems that Apple was predicting a particular order in which users would do things, and this assumption means the original problem can be reintroduced. "And worse, two of those Mac users say they've also tried re-installing Apple's security patch after that upgrade, only to find that the "root" problem still persists until they reboot their computer, with no warning that a reboot is necessary".

The solution is a simple one - but one that has not been made sufficient clear by Apple.

One small bright spot may be that the vulnerability requires local access and appears hard, though not impossible, to exploit remotely.

The company began working on an update to close the security loophole after hearing of the issue on November 29, to which Apple said that it has now patched that security flaw, along with a guide on how to fix it.

The vulnerability was disclosed by a user on Tuesday on Twitter.

"Oh my god that should not work but it does", another user responded yesterday on the forum. "Some bug in authentication is ENABLING root with no password the first time it fails!" Wired this morning reports that if you were running macOS High Sierra 10.13.0 when you installed the update, and then update to High Sierra 10.13.1, the security update will reverse itself... When that happens, "Make sure to update your Macs and MacBooks at your earliest opportunity after it is released", he added.