I think the "half baked" and "broken" references may have been added to assist with attaining some sense of superiority. The "3 weeks old" reference has to do with how long 10.13.1 has been out (?), and therefore, how long the vulnerability has existed. It did not become a vulnerability because it was announced yesterday.

Actually looking at links above @Westside guy posted a link to a discussion a few weeks ago on the Apple dev forum where the issue was discussed but people didn't really seem to have a handle on it. Interesting.

Meanwhile @tkermit link above shows a new discussion here saying AFP file sharing is not working for a couple of users, including him/herself.
 
We the consumers? I’ve been a Mac user for 28 years.

You realize this company went from a base of hundreds of thousands of users to over a BILLION right?

I’m hoping you grasp mathematics. More users bring more implications of the potential for trillions of more errors and conflicts. Name a company with the kind of growth Apple has gone through and seemingly would be able to micromanage every single potential software conflict...that might exist.

Right?

The software is the software, whether there are 2 users or 2 million. Your logic defies reasoning.
I really feel these glaring software bugs are endemic of an industry that is using automated testing more in lieu of human testers.
 
Apple today released Security Update 2017-001 to fix a serious vulnerability that enables access to the root superuser with a blank password on any Mac running macOS High Sierra version 10.13.1.

I've completed Apple's Security Update (as of this writing).

Followup question: 's SU Support page seems to imply completing this SU (to the new 10.13.1 Build) disables root. ...Is this correct? ...If yes, does this delete a prior root PW & is it recommended to re-enable root, re-setting a PW?
 



Apple today released Security Update 2017-001 to fix a serious vulnerability that enables access to the root superuser with a blank password on any Mac running macOS High Sierra version 10.13.1.


The critical bug, which gained attention after it was tweeted by developer Lemi Ergin yesterday, lets anyone gain administrator privileges by simply entering the username "root" and a blank password in System Preferences > Users & Groups.

The security update is rolling out on the Mac App Store now, and it should be installed by all users running macOS High Sierra as soon as possible. Regardless, starting later today, Apple said the security update will be automatically installed on all Macs running macOS High Sierra 10.13.1.

Apple has since apologized for the vulnerability in a statement obtained by MacRumors.

The vulnerability does not affect macOS Sierra or any other previous version of the operating system.

Article Link: Apple Releases macOS High Sierra Security Update to Fix Root Password Vulnerability
10.13.2 beta 5 is still open, no patch... even though it was updated like 12 h ago
 
It boggles the mind that everyone seems to forget that Jony Ive was put in charge of software after they canned Forstall on trumped-up nonsense; only recently was Ive finally replaced by Craig.

All the garbage software Apple has released for the past 5 years is Ive's fault, he doesn't know software and he's no manager by a long shot.
Ive was never put in charge of software engineering. When Scott Forstall left, iOS engineering teams moved under Craig Federighi, who already was in charge of macOS engineering.
 
I've completed Apple's Security Update (as of this writing).

Followup question: 's SU Support page seems to imply completing this SU (to the new 10.13.1 Build) disables root. ...Is this correct? ...If yes, does this delete a prior root PW & is it recommended to re-enable root, re-setting a PW?

Best leave it disabled.
 
Nobody using a public beta is concerned with security.

What an ignorant statement. As a registered developer, believe me, I'd like nothing more than to be running the non-beta version. The only reason I'm running the beta right now is out of necessity, to provide sysdiagnose dumps to Apple in the hopes that they'll fix an incredibly annoying bug introduced by High Sierra that's causing a 70% hit to discrete GPU compute performance any time a 2016/2017 MacBook Pro has entered sleep long enough to enter standby (which is resulting in me having to restart High Sierra several times a day if I want to get any work done):

https://forums.macrumors.com/thread...ot-work-after-resume-from-long-sleep.2076334/

You wouldn't believe the hours I've wasted running "sudo sysdiagnose", installing logging profiles and uploading GBs of files to bugreport.apple.com since September. High Sierra is a hot mess. The least Apple could do, if they introduce a shoddy OS release that happens to also contain serious security flaws like this, is push out an update to the users who are helping them find and fix the bugs (whether they want to be or not).
 
Until now, I didn't even know MacOS has a restartless mechanism for quick security updates. Clearly Apple anticipated a fix like this being necessary in advance ;)
I wonder if Apple being able to quietly force updates onto deployed Macs is in itself a security/privacy concern? It could mean Apple potentially being able to force a change on the OS anytime they wanted to, perhaps some third-party actor might be able to take advantage of that update system or that a government could compel Apple to use that update system to make changes to users computers.
 
Oh!!! Apple could have fixed it two weeks ago. What have they been doing? Designing new animoji?

That's the problem though. It wasn't reported. There was a discussion on the dev board where the guy stumbled upon a solution on another board (which means it was known elsewhere) to give himself back admin access but, by his own admission, he didn't know this was an issue.

That guy said:
Didn't realise this was a full blown security issue. I'd messed my login credentials trying to change my apple id and voila I was no longer an admin.

Then began my extensive search on all Apple related forums for a solution. Tried everything, didn't work.



As to how I stumbled on this, the answer is simple. Pure frustration. I'd read on one of the forums wherein a user suggested we try using "root" for username and leaving the password field empty. I did, it failed. Out of sheer frustration, I tried again, and voila the **** thing unlocked my admin account much to my relief.



Then I posted it here assuming someone stuck just like me might find it useful. It was purely accidental.
 
I think the bug was reported two weeks ago: https://forums.developer.apple.com/thread/79235#277225

So Apple had enough time (over Thanksgiving) to solve the vulnerability. It became public as late as yesterday. I'm curious whether the problem persisted/persists with the current macOS beta.

That was a post offering the “bug” as a solution to an issue another developer was having on those forums. It was not an official bug report. In fact, the person that posted that didn’t even know it was a bug (ie: “No idea how or why it works, but it does”.)

Bugs are reported using a standard, documented procedure, which was not at all followed in that post to which you are referring: https://developer.apple.com/bug-reporting/
 