I just tried it and 10.13.1 did not reintroduce this problem for me. Previously I changed root's password to something I made up, installed Apple's security fix, then updated to 10.13.1. Root login is not wide open. Not sure if this is just a small number of people affected by this, but working as normal here. 2017 27" 5k iMac

I have the root password set as well, so I'm not affected by the problem but most people don't even know what root is and don't have a password set.
 
I just tried it and 10.13.1 did not reintroduce this problem for me. Previously I changed root's password to something I made up, installed Apple's security fix, then updated to 10.13.1. Root login is not wide open. Not sure if this is just a small number of people affected by this, but working as normal here. 2017 27" 5k iMac
I think I see the reason
 
Apple's priorities these days:

1. iPhone
2. Watch
3. iPad Pro
4. AirPods
5. Apple Music
6. Spaceship campuses
7. Project Titan
8. ARKit
9. Apple TV
10. Mac

Makes sense. It's not like anyone is doing anything so important on a Mac that can't be done on another (Apple or not) platform. Let the Mac die already. Embrace superior tablets and touch UI.
 
I thought the added name releases were supposed to fix bugs from the prior release (leopard to snow leopard, etc.). Apparently the current OS describes the state of Apple's security team ("High") and not the fact that Sierra has been improved.
 
no good games for Mac, no good Mac OS software "High Sierra"
simply because they don't care
programmers will be able to code nice games for Mac OS
but Tim and Mac crappy obsolete drivers are holding everything back

then every year they start a new system when their previous system is starting to become stable
I learned my lesson, no more hype for me, I won't be dragged into that buggy mess no more, I'd rather stay behind but at least I will have a more stable system with less bugs than moving to a new buggy os
I know why they are screwing up
they are not paying attention to details
because Mac OS is not a priority
it is very clear that they are not giving us their best effort that's why we are having all these bugs lately
I understand a feature bug or something like that
but come on vulnerability bugs, security bugs, nobody wants none of those
I know we will never have another person like Steve
but I just want someone better than Tim and that is absolutely possible
 
how much worse can High Sierra get?
This is almost like the Microsoft of old this software practice. The 10.13.1 should have been replaced with a supplemental 10.13.1.1 release to precisely fix this issue immediately.

That they didn't shows either incompetence in Apple Sustaining or Apple simply doesn't care about MacOS anymore.

Apple, how stupid are you? Your brand takes years to build to where it is but can topple in a few days.

Steve would be disgusted by how Apple is lurching through this crisis.
 
This is almost like the Microsoft of old this software practice. The 10.13.1 should have been replaced with a supplemental 10.13.1.1 release to precisely fix this issue immediately.

That they didn't shows either incompetence in Apple Sustaining or Apple simply doesn't care about MacOS anymore.

Apple, how stupid are you? Your brand takes years to build to where it is but can topple in a few days.

Steve would be disgusted by how Apple is lurching through this crisis.
Apple has already implemented a fix. They opted to use their "Malware Removal Tool," or MRT, installer to re-run the script that failed to work in the original security update. This gets installed silently in the background. This is certainly a strange way to resolve the problem, but it works.
From Apple's notes about the security update:
If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly. Or if you see MRTConfigData 1.27 in the Installations list under Software in System Report, your Mac is also protected.
 
Apple has already implemented a fix. They opted to use their "Malware Removal Tool," or MRT, installer to re-run the script that failed to work in the original security update. This gets installed silently in the background. This is certainly a strange way to resolve the problem, but it works.

Or doesn't if they don't manually reboot. This is a disaster for Apple.

https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/

It's pretty sad to think this was how it was.

 
We'll wait and see if the experts agree. Regardless, this incident has been an utter shambles and embarrassing PR gaffe.

It has been a disaster from a QA perspective for sure.
The reason the vulnerability continued after updating from 10.13 to 10.13.1 and then installing the security update is that the postinstall script that was supposed to run after installing the security update fails. This script would have killed and restarted the file that gets replaced in the update (/usr/libexec/opendirectoryd). In computers that haven't recently been upgraded from 10.13 to 10.13.1, the script runs successfully. On the computers that did recently get upgraded, the script fails and so the old, unpatched version of opendirectoryd continues running until the computer is restarted or until opendirectoryd is otherwise killed off and restarted. The MRTConfigData installer contains a modified version of the script that came in the security update, and does successfully restart opendirectoryd without requiring the computer to reboot.
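
The two checks described in this thread (Apple's note about MRTConfigData 1.27, and the explanation above that the old opendirectoryd keeps running until it is restarted) can be scripted. This is an added example, not part of any post and not Apple's script; the function names and the sample install-history text are constructed, and treating the binary's inode change time as the moment the update replaced it is an assumption.

```shell
#!/bin/sh
# Added example, not Apple's script: two checks based on the posts above.
OD_BIN=/usr/libexec/opendirectoryd

# Constructed sample in the layout of `system_profiler SPInstallHistoryDataType`.
SAMPLE_HISTORY='    Example Update:

      Version: 1.0
      Source: Apple

    MRTConfigData:

      Version: 1.27
      Source: Apple'

# Print every MRTConfigData version found in install-history text on stdin.
mrt_versions() {
    awk '/^ *MRTConfigData: *$/  { want = 1; next }
         want && /^ *Version:/   { print $2; want = 0; next }
         /^ *[^ ].*:$/           { want = 0 }'   # another item header: reset
}

# Succeeds when 1.27, the version Apple's note names, is listed.
has_mrt_fix() { mrt_versions | grep -qx '1\.27'; }

# stale_daemon START_EPOCH REPLACED_EPOCH
# Succeeds when the process started before its binary was replaced on disk,
# meaning the old, unpatched image is still the one running.
stale_daemon() { [ "$1" -lt "$2" ]; }

# macOS-only collection (BSD date/stat syntax); prints a verdict per check.
check_host() {
    pid=$(pgrep -x opendirectoryd | head -n 1)
    [ -n "$pid" ] || { echo "opendirectoryd not running"; return 2; }
    started=$(date -j -f '%a %b %d %T %Y' "$(ps -o lstart= -p "$pid")" +%s)
    replaced=$(stat -f %c "$OD_BIN")  # inode change time (assumed = install time)
    if stale_daemon "$started" "$replaced"; then
        echo "STALE: opendirectoryd predates its binary; restart it or reboot"
    else
        echo "OK: opendirectoryd started after its binary was last replaced"
    fi
    system_profiler SPInstallHistoryDataType | has_mrt_fix \
        && echo "MRTConfigData 1.27 installed" \
        || echo "MRTConfigData 1.27 not listed"
}

# Only touch the live system on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = Darwin ]; then check_host; fi
```

The inode change time is used rather than the modification time because an installer can preserve the modification time carried in its payload.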
 
It has been a disaster from a QA perspective for sure.
The reason the vulnerability continued after updating from 10.13 to 10.13.1 and then installing the security update is that the postinstall script that was supposed to run after installing the security update fails. This script would have killed and restarted the file that gets replaced in the update (/usr/libexec/opendirectoryd). In computers that haven't recently been upgraded from 10.13 to 10.13.1, the script runs successfully. On the computers that did recently get upgraded, the script fails and so the old, unpatched version of opendirectoryd continues running until the computer is restarted or until opendirectoryd is otherwise killed off and restarted. The MRTConfigData installer contains a modified version of the script that came in the security update, and does successfully restart opendirectoryd without requiring the computer to reboot.
This sounds like it's down to the rush to get the patch out ASAP and all the corner cases (upgrade paths here) were not evaluated. There would have been extreme pressure coming down the management chain to get this fixed and pushed immediately as they're well aware of the bad PR. Middle managers get weak when pressure is exerted on them from above so their minions will end up being micro-managed to completion.

You can rest assured Tim Cook would have been checking the progress while flying to China.
 
This sounds like it's down to the rush to get the patch out ASAP and all the corner cases (upgrade paths here) were not evaluated.
This has to be true, which is the only way fixing the problem in the security update with a fixed script in another installation makes any sense.
 
Went looking for an El Capitan download and this is on Apple's page:

"Now that High Sierra is available, you should upgrade to High Sierra instead of El Capitan. For security and compatibility reasons, Apple always recommends using the latest version of macOS."
 
I wonder how many times you have to enter your admin credentials to fix this whole thing? I mean Apple thinks having to enter credentials numerous times is "safer" than building proper security into the OS, but when the authentication system itself is broken, maybe it's time for Apple to put some of them billions in profits into OS innovation again.
 
Update BREAKS add to Photo Share with the Preview App. Tried this on my late 2013 iMac purchased on 2015 and my new MacBook Air 2017 model. This is a mess of a hack from Apple.
There is no 2017 Air.


Edit: Correction ... apparently there is, but all they did was barely bump the processor speed and literally nothing else. What a waste.
 
I am also on the El Cap team. Sierra was a mess and High Sierra is even worse, and also even worse than Yosemite and Lion combined. I am not even talking about iOS 11. I use a MBA 2015 on the go but for work, I am using a Snow Leopard MBPnr 2011 (SSD-powered, of course) with the grandfathered last version of Chrome which is the most stable OS I have ever used, and in many ways also the fastest.
Apple keeps saying "always stay up to date" but no one at their circular campus seems to be actually using those products.

In the past I upgraded my Apple tech regularly with new hardware releases. I haven’t been convinced to upgrade anything (except iOS) in quite a while. I’m on a 2009 MBP with El Capitan and an iPhone 6. I want for no truly useful features and I’ve avoided funding the 9 figure compensation packages these execs “earn”.

After the disastrous MobileMe rollout, Steve Jobs said, "Can anyone tell me what MobileMe is supposed to do?" Having received a satisfactory answer, he continued, "So why the f*** doesn't it do that?" We’re seeing a very different management style today, aren’t we?
 
So glad that I've resisted the nag screens to "upgrade" from Sierra to High Sierra on my Mac Pro MacPro5,1. Same with iOS 10.3.3 on my iPhone 6.
Such a damning confirmation that Apple no longer cares about the Mac.
Well, much can sort of be said about iOS 11. They care, but they seem to only be "in the moment" with anything they come out with now. They want to be seen as futurists, but are releasing product before it's ready simply to gain sales.
 



Mac owners who are still running macOS High Sierra 10.13 and who have already installed Apple's root security fix on that version of the operating system will need to install it once again upon upgrading to macOS 10.13.1, reports Wired.

Security researchers running a patched version of the original macOS High Sierra update, 10.13.0, told Wired that the root bug was reintroduced upon installing the macOS 10.13.1 update. After updating, they needed to install Apple's security patch again. Even that didn't fix the issue until their machines were rebooted.

The root fix, released on Wednesday for macOS High Sierra 10.13.0 and 10.13.1, addresses a serious vulnerability that was first discovered a day earlier on Tuesday. The bug enabled the root superuser on a Mac with a blank password and no security check, letting anyone bypass the security of an admin account with the username "root" and no password.

While the security update successfully fixes the issue, it appears Apple may not have released a modified and patched version of macOS 10.13.1, so customers who installed the update on 10.13 might think they're protected upon updating to 10.13.1, but they're not. Instead, the bug is fully re-introduced.

Apple may fix this problem now that the oversight has been pointed out, but in the meantime, customers upgrading from macOS High Sierra 10.13 to 10.13.1 should make sure to download the security update a second time and restart to be certain the root vulnerability is patched.

This won't be an issue when the macOS High Sierra 10.13.2 update is released, as Apple patched the bug in the macOS High Sierra 10.13.2 beta that was released this morning.

Article Link: PSA: If You Upgrade to macOS High Sierra 10.13.1, You'll Need to Reinstall Apple's Root Security Fix
Hey Everyone

I use Cocktail by Maintain to keep my Mac running right & tight. I received this email from Maintain today and in it, they talk about using the COMBO update process, something I totally forgot about. Like many of you, my Mac has had horrible performance and freezing issues since I went to HS 10.13.1. Now I'm running 10.13.2 BETA but updated to 10.13.2 using the combo update process I can already tell my Mac is operating normally again.

The past few weeks have been hell with screen freezes and inability to exit open program windows, having to reset NVRAM and run Disk Aid every day just to keep my Mac functional. The link to Apple's 10.13.2 COMBO update is noted in the email below. For any of you struggling with what the hell's going on with my Mac and HS 10.13.1 this may be the trick. So far my system is running as I expect. I hope this helps someone else out there.


Apple releases macOS High Sierra 10.13.2 update


Apple has released a completed 10.13.2 update for macOS High Sierra. This update improves the stability, compatibility, and security (the update includes a permanent fix for the root password security flaw that could allow anyone to log in as the system administrator and modify your data) of your Mac, and is recommended for all users.

We would like to remind you that it is always recommended to use a combo update to update macOS.

Many of the problems we are asked to solve can be traced back to a faulty system update or corrupt system files. While it may sound pretty serious there is usually a very simple way to fix it, reinstall the latest Combo update from Apple.

When Apple is testing macOS updates with its developers they are using the Combo update, which is a package that contains every single update from the day your macOS version was released. However, what they deliver to the end users is normally an incremental update which only contains the changes from say 10.13.1 to 10.13.2. Unless you have a clean install there is a chance that it will replace files it shouldn’t or, on the contrary, that it won’t replace files that have become corrupted and are now causing problems.

The best thing to do if you happen to experience these problems is to reinstall the update, but instead of using the Mac App Store which will only give you the incremental update you use the Combo update. The Combo update will replace all the core system files and give you a completely fresh and up to date macOS install that will hopefully make your problems history.

This is also how you fix your computer if an update was interrupted as the Combo update will restore all missing files and make sure they are up to date.
You can download the macOS Sierra 10.13.2 Combo Update from https://support.apple.com/kb/DL1944.
 