Apple users warned of macOS 10.13.1 'root' flaw glitch

December 4, 2017 // 11:46 a.m.

Tags: #high-sierra #insecurity #macos #macos-1013 #macos-1013-high-sierra #root #security #vulnerability

Users of Apple's macOS 10.13 High Sierra operating system who installed the patch for the serious blank-password authentication vulnerability last week and have since upgraded to macOS 10.13.1 are advised that they are once again vulnerable, the update having reopened the security vulnerability once again.

In the kick-off to what has become a string of embarrassments for Apple's software development division the company was rushed into patching a serious security vulnerability in macOS 10.13 High Sierra when it became public knowledge that entering 'root' as the username and a blank password would bypass any authentication dialogue and give unauthorised users complete control over the target system. When the patch was released the hole was closed, but in doing so Apple somehow managed to break file sharing functionality - which proved, thankfully, a quick though manual fix.

Now the company is once again on the back-foot following the discovery that upgrading to macOS 10.13.1, a point release to the operating system, which reintroduces the 'root' vulnerability on systems which have otherwise been patched.

Anyone who installed the patch for the vulnerability on macOS 10.13 then upgraded to macOS 10.13.1 will once again be exposed via the vulnerability. Those who upgraded to macOS 10.13.1 then installed the 'root' vulnerability patch are unaffected, as are those who followed the workaround in the original article to set a password on the 'root' account.

With Apple not yet releasing an automated replacement for the broken patch, whose impact is mitigated owing to having been released at the end of October long before the 'root' patch was made available, those who are affected by the issue are advised to uninstall the patch and reinstall it again in order to ensure macOS 10.13.1 is properly protected - and/or to manually set a password on the 'root' account. MacOS 10.13.2, currently available in public beta status, integrates the fix and closes the hole for good.

Discuss this in the forums