Apple Releases macOS High Sierra Security Update to Fix Root Password Vulnerability

[Analog Kid]

The update also appears to disable the root user even in cases where you had changed its password.

I just noticed the same thing. Is there a secondary way to verify that the root user has indeed been disabled? I still see an entry for "root" in my /etc/passwd file and under System Administrator in the Open Directory listing.

Of course I have no idea if those entries existed two days ago, but back then I didn't feel I needed to check because it was supposed to be safely disabled...

 

[tkermit]

The can apologize again for another failure, they broke file sharing authentication with this patch.

Damn it, you're right

 

[bwintx]

Yes - its what MacOS is supposed to be superior to, and why people buy expensive Mac systems even when much cheaper generic Windows boxes are technically capable of doing the job.

Depends on the job. "Cheaper generic" anything won't do my job, not without *****ing the bed. And Windows boxes don't run some of the software I need. Generic job, generic devices, perhaps.

 

[Bryan Bowler]

I’m very disappointed in you Apple. Now please stop trying to release something new every month and spend your time focusing on fixing what we already have. Your operating systems are buggy and disrupt my workflow several time throughout the day. It’s time for you to take a step back and work on becoming what Apple once was: reliable.

 

[joedec]

Damn it, you're right

I started a new thread in the macOS High Sierra Forum as well. Thanks for the confirmation.

 

[gijoeinla]

You ever heard of Windows? Perhaps you should read up on that OS if you haven't.

Also, give me a break. Nobody finds everything, not even "Apple". Patched quickly and painlessly. Move along.

AMEN! Some here live under a rock. I have Microsoft Office on my MAC. Literally there are fing updates for SECURITY reasons nearly daily.

It’s delusional that people seem so blindsided and biased against errors with Apple.

Decide — you want your cake AND eat it too but you want it perfect each and every time.

There are very few of you in the forums that don’t complain and whine about wanting more and more out of Apple and leave the complications, implications and the rationity of that process out of those demands and unreasonable expectations along with it.

What most of you SHOULD be concerned about is the very exploits that are purposefully perpetrated by Google, SAMESONG, even UBER for god sake and others to steal your personal information and habits BUILT INTO their software and products.

Think about it.

A bit of perspective This exploit is on a .1 version and doesn’t affect the vast majority of people out there using Mac products.

 

[dwsolberg]

I'm very happy they fixed this quickly, but Apple's statement that "security is a top priority" is quite obviously not true. We keep finding new, very simple exploits in Apple software. This isn't some complicated series of vulnerabilities that were exploited to achieve access. This is a simple hole, and there's no excuse for it.

It's as if a roofer said water-tightness was a "top priority", and I found multiple missing pieces and missing flashing. The things Apple has missed recently aren't complicated; it's just poor quality control and lack of good testing procedures.

 

[KoolAid-Drink]

Even though this update did not require a restart, I restarted anyway. After the restart, I was prompted to accept/not accept analytics sharing, then the standard "setting up your computer" message came up, then everything was back to normal. Did this happen to anyone else following a restart, AFTER installing the update?

 

[shaocaholica]

I think on principle you should be applying this patch using the exploit login.

 

[MacATDBB]

Glad they've nailed at least one High Sierra bug - only a few dozen left to go. Overall I've liked the technology improvements in High Sierra but felt it was released way prematurely. Hopes that it would be the Snow Leopard to Sierra's Leopard were misplaced I guess.

One thing I find frustrating is Apple's (lack of an) effective bug tracking system. We basically get what we're given and while we can submit problem reports, it's kind of like throwing a coin into a fountain. There's no way of knowing if Apple were already aware of a problem, are/aren't working on a fix, have dismissed it as a user error, or think everything works fine (eg long delays in messages, email glitches, WindowServer using 40.78GB of Memory etc etc).

 

[citysnaps]

Doesn’t matter, we the consumers used to enjoy high quality products from Apple. We the consumers shouldn’t be a part of the OS testing.

Sure it matters. Unless you really believe that OS software, from anyone, is 100% bug-free. It sounds like you don't understand the scope of OS software development and test, either. Obscure bugs will always be found, as was the case in the past.

What's important, is once they are discovered, how long does it take for a company to address and solve the problem. In Apple's case, the issue was acknowledged along with a temporary user-fix within hours, and full-up software update in less than a day.

 

[ChrisA]

How embarrassing...

I wish Apple did a better job testing their releases. We used to enjoy such high quality when it came to software updates and releases.

People used to think this was a feature. Seriously. If the user wants to remove the root password why not let him? This is the way it has worked "forever" with UNIX systems. Yes it is dumb for users to do this. But is is not a security issue unless some actual decides to remove the password.

This is like a home owner removing the lock from his front door. Is it a security issue if the lock is removable? I'd say no. not until it is actually removes isothere in issue.

 

[B4U]

You ever heard of Windows? Perhaps you should read up on that OS if you haven't.

Also, give me a break. Nobody finds everything, not even "Apple". Patched quickly and painlessly. Move along.

How is that not embarrassing for Apple?
Why would such vulnerability got inside the release when it does not affect older OS? Somebody must have messed with some codes that should not have been touch to create such a failure. This is not regarding to a new feature, so please stop defending Apple for such grave mistake.

 

[nvmls]

Gotta love Apple users praising "quick" half baked broken patch on an 3 weeks old reported bug. Enjoy file sharing, "just works".

 

[MH01]

Typical knee-jerk response from someone who doesn't understand the nature of the bug or the scope of OS development and testing.

Please do tell ...... seriously.... realised you were a photographer , though did not know you moonlighted in developwment . I've been in software development for 17 years, please explain to me how reaction to this is knee-jerk? And while you are there, what priority of bug is this ?

Clearly apple are fools, cause thier reaction was knee-jerk and a patch is out already....

I'm so intrigued ....

 

[Feenician]

half baked broken patch on an 3 weeks old

What is "half baked" or "broken" about this patch? As for "3 weeks old", this was reported yesterday.

 

[Westside guy]

I respectfully disagree. Lemi could have very easily given Apple 24 hours notice to fix or go public. By not doing so, they left a lot of computers vulnerable.

Knowledge of this bug has been out there for a couple weeks. We don't know all the details, so I'm not going to judge Lemi.

 

[mwined]

It wasnt set to blank. There was an error in validating the password, and then it set your password to nothing.

I believe this is incorrect. When you receive a new machine, the root password is blank, and root is disabled. This bug (logic error) essentially just enabled root.
When you disable root, the password is reset to blank, hence the ability to reproduce the bug repeatedly.
The root password, being set to blank when disabled, has been the way it has worked for a very long time, if memory serves...

 

[tkermit]

What is "half baked" or "broken" about this patch?

Security Update 2017-001 BREAKS File Sharing

 

[bbfc]

Quite the apology from Apple.

Edit: No update for those running the 10.13.2 beta?

 

[0837990]

That was quick

Not really. The vulnerability was disclosed on Apple's developer forums on November 13th.
It just seems quick because media just recently picked up on it!

 

[dogslobber]

So Apple had enough time (over Thanksgiving) to solve the vulnerability.

Tim usually gives them the week off. You'd think hackers would take this into account when finding vulnerabilities.

 

[Wackery]

steve jobs is doing cartwheels in his grave

 

[mwined]

What is "half baked" or "broken" about this patch? As for "3 weeks old", this was reported yesterday.

I think the "half baked" and "broken" references may have been added to assist with attaining some sense of superiority. The "3 weeks old" reference has to do with how long 10.13.1 has been out (?), and therefore, how long the vulnerability has existed. It did not become a vulnerability because it was announced yesterday.

 

[gijoeinla]

Doesn’t matter, we the consumers used to enjoy high quality products from Apple. We the consumers shouldn’t be a part of the OS testing.

We the consumers? I’ve been a Mac user for 28 years.

You realize this company went from a base of hundreds of thousands of users to over a BILLION right?

I’m hoping you grasp mathematics. More users bring more implications of the potential for trillions of more errors and conflicts. Name a company with the kind of growth Apple has gone through and seemingly would be able to micromanage every single potential software conflict...that might exist.

Right?