This article originally appeared in TidBITS on 2017-11-30 at 12:27 p.m.

Apple Pushes Updates to Block the Root Vulnerability Bug

by Adam C. Engst

[Editor’s Note: This article is a significant update to “Update Immediately to Block the Root Vulnerability Bug [1]” (29 November 2017), since so much information changed since we first published that piece. This article supplants the previous one. -Adam]

If this is the first you’re hearing about the root vulnerability bug that was discovered and patched last week, you can read “High Sierra Bug Provides Full Root Access [2]” (28 November 2017) for details about how it allowed anyone to gain admin access to your Mac without a password. As I predicted in that article, Apple quickly released Security Update 2017-001 [3] to fix the bug. I have installed the update and confirmed that it works as advertised.

[image link] [4]

On 29 November 2017, Apple initially made Security Update 2017-001 available as a regular download via Software Update, but later that day, the company started using the automatic update mechanism built into macOS to push the update to all Macs running High Sierra, both versions 10.13.0 and 10.13.1.

[image link] [5]

No restart is necessary, so Apple can install the update without requiring interaction from the user. We believe that a Mac must be awake for the automatic update to install since we’ve seen it appear on a MacBook Pro that was awake, but not on a MacBook Air that was sleeping all day (lazybones!).

If your Mac has been asleep since Apple released Security Update 2017-001, you’ll see it in the Updates tab in the App Store app, and you can still install it manually. We usually recommend caution when it comes to installing updates, but this vulnerability is so severe that the fix is more important than any trouble it could conceivably cause.

In fact, it did cause problems. Apple released two versions of Security Update 2017-001 last week. The first updated High Sierra to build 17B1002, and the second to build 17B1003. (To verify that number, choose the Apple menu > About This Mac and click the Version 10.13.1 line.) The second version was necessary because the first broke authentication for file sharing [6]. We didn’t test file sharing after installing the first version of the update because the original bug didn’t affect file sharing.

[image link] [7]

If you installed Security Update 2017-001, and your build number is 17B1002, Software Update should offer you the update again; install it manually to fix the file sharing bug and move to build 17B1003. On my iMac with build 17B1002, no automatic update took place before I updated again manually, but other users received the automatic update after installing the first update manually.
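For anyone checking more than one Mac, here is an added example (not TidBITS or Apple code) that does the About This Mac check from the command line: it classifies a 10.13.1 build number against the two builds named above, and on a Mac it reads that number from sw_vers -buildVersion. The build-string ordering rule (train number, then train letter, then serial), the classify_build and build_ge helper names, and the assumption that any later 17B build keeps the fix are mine; since the article names no build numbers for the 10.13.0 package, builds outside the 17B train report as unknown.

```shell
#!/bin/sh
# Added example, not code from TidBITS or Apple. Classifies a High Sierra 10.13.1
# build number against the two releases of Security Update 2017-001 named in the
# article: 17B1002 (first release, which broke file sharing authentication) and
# 17B1003 (second release). Assumption: any later 17B build keeps the fix.

# Split a macOS build string such as 17B1003 into train number, train letter
# and serial ("17 B 1003"). Returns 1 for anything that is not a build number.
split_build() {
    printf '%s\n' "$1" | grep -q '^[0-9][0-9]*[A-Z][0-9][0-9]*[a-z]*$' || return 1
    printf '%s\n' "$1" | sed 's/^\([0-9]*\)\([A-Z]\)\([0-9]*\)[a-z]*$/\1 \2 \3/'
}

# Succeed (exit 0) when build $1 is the same as or newer than build $2.
# Ordering assumed here: train number, then train letter, then serial,
# so 17B1003 > 17B1002 > 17A405.
build_ge() {
    a=$(split_build "$1") || return 2
    b=$(split_build "$2") || return 2
    set -- $a $b
    # $1 $2 $3 = first build's train/letter/serial, $4 $5 $6 = second build's
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
    la=$(printf '%d' "'$2"); lb=$(printf '%d' "'$5")
    [ "$la" -ne "$lb" ] && { [ "$la" -gt "$lb" ]; return; }
    [ "$3" -ge "$6" ]
}

# Print one of:
#   fixed     - 17B1003 or later: root bug closed, file sharing repaired
#   partial   - 17B1002: root bug closed, file sharing authentication broken
#   unpatched - an earlier 10.13.1 build
#   unknown   - not a 10.13.1 (17B) build; the article gives no build
#               numbers for the 10.13.0 update, so it is not classified here
classify_build() {
    case "$1" in
        17B*) ;;
        *) echo unknown; return ;;
    esac
    split_build "$1" >/dev/null || { echo unknown; return; }
    if build_ge "$1" 17B1003; then echo fixed
    elif build_ge "$1" 17B1002; then echo partial
    else echo unpatched
    fi
}

# Live check for the Mac this runs on; sw_vers exists only on macOS.
check_this_mac() {
    classify_build "$(sw_vers -buildVersion)"
}

# When run as a script on a Mac, report this machine's status.
if [ "$(uname)" = Darwin ]; then
    check_this_mac
fi
```

A result of partial means the root bug is closed but file sharing authentication is still broken, so Software Update should be run again to reach 17B1003, as described above.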

For those who need a standalone installer for Security Update 2017-001, Apple has made downloads available for both 10.13.0 [8] and 10.13.1 [9].

If you have a legitimate use for the root user account on your Mac, you’ll need to re-enable it and change its password in Directory Utility after installing the update. Hardly anyone should have to do this.

Why all this fuss? Although the Mac community identified the primary attack vectors on 28 November 2017 when the vulnerability was first publicized, it’s possible that there are others that are not blocked by changing the root password or disabling remote access. We have to assume that black hat hackers are probing every possible area where this bug could provide access. That’s why it’s entirely reasonable for Apple to push the security update to all systems.

In an early statement to John Gruber of Daring Fireball, Apple said [10]:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

Apple deserves credit for releasing this security update in less than 24 hours after the bug was publicized on Twitter. That quick reaction time is reassuring, much as I’m sure many developers, testers, and deployment teams at Apple had a truly awful day.

But the fact that Apple could introduce a security hole the size of a truck into High Sierra is appalling. Ensuring that unauthorized users can’t act as the root user in a Unix system is basic security, because anyone who can become root can do anything they want. That the vulnerability escaped notice in Apple’s security testing is almost worse than the bug itself, and the initial release of Security Update 2017-001 breaking file sharing authentication is also distressing.

And yes, if you’ve been waiting to upgrade to High Sierra, pat yourself on the back. 10.12 Sierra and earlier versions of OS X don’t suffer from this bug.