While Apple was commended for its overnight fix of the critical macOS root security hole earlier this week, updates that are developed so quickly rarely come without issues. Wired this morning reports that if you were running macOS High Sierra 10.13.0 when you installed the update, and then update to High Sierra 10.13.1, the security update will reverse itself…
The report cites several users who have experienced this issue. Essentially, if you were behind and hadn’t updated to macOS 10.13.1 yet, you need to be sure to reinstall the security patch that Apple released earlier this week for the root hole.
Furthermore, however, the root security fix doesn’t reinstall as seamlessly for those who are installing again after updating their machine to macOS 10.13.1. Wired’s report explains that users are having to reboot their Mac in order for the security patch to stick.
When Apple originally released the security update earlier this week, it was sure to tout that it didn’t require a reboot in order to get as many users to upgrade as possible. Furthermore, for those installing again after updating to macOS 10.13.1, Apple doesn’t say that a reboot is required. This means that, unless a user specifically tests the root bug, they won’t realize the security fix actually hasn’t stuck.
Thomas Reed, an Apple researcher at security firm MalwareBytes, explained to Wired:
After Reed confirmed that 10.13.1 reopened the “root” bug, he again installed Apple’s security fix for the problem. But he found that, until he rebooted, he could even then type “root” without a password to entirely bypass High Sierra’s security protections.
“I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad,” says Reed. “Anyone who hasn’t yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue.”
Apple has yet to comment on this newfound issue. It would seem that the company could re-release the security patch for those users who upgrade, but that remains to be seen. Have you noticed this flaw on your machine? Let us know down in the comments.
FTC: We use income earning auto affiliate links. More.