TidBITS: Apple Pushes Updates to Block the Root Vulnerability Bug


TidBITS Articles
Apple Pushes Updates to Block the Root Vulnerability Bug

This article was just published by TidBITS and sent to you at your request.

Apple Pushes Updates to Block the Root Vulnerability Bug

By Adam C. Engst
http://tidbits.com/article/17655

[Editor’s Note: This article is a significant update to “Update Immediately to Block the Root Vulnerability Bug” (29 November 2017), since so much information changed since we first published that piece. This article supplants the previous one. -Adam]

As I predicted in “High Sierra Bug Provides Full Root Access” (28 November 2017), Apple quickly released Security Update 2017-001 to address the root vulnerability bug that enabled anyone to gain admin access without a password. I’ve installed it and confirmed that it works as advertised.


On 29 November 2017, Apple initially made Security Update 2017-001 available as a regular download via Software Update, but later that day, the company started using the automatic update mechanism built into macOS to push the update to all Macs running High Sierra, both versions 10.13.0 and 10.13.1.

No restart is required, so Apple can install the update silently, without notifying the user in any way. We believe that a Mac must be awake for the automatic update to install since we’ve seen it appear on a MacBook Pro that was awake yesterday, but not on a MacBook Air that was sleeping all day (lazybones!).

If your Mac has been asleep since Apple released Security Update 2017-001, you’ll see it in the Updates tab in the App Store app, and you can still install it manually. We usually recommend caution when it comes to installing updates, but this vulnerability is so severe that the fix is more important than any trouble it could conceivably cause.

In fact, it did cause problems. Apple released two versions of Security Update 2017-001 yesterday. The first updated High Sierra to build 17B1002, and the second to build 17B1003. (To verify that number, choose Apple menu > About This Mac and click the Version 10.13.1 line.) The second version was necessary because the first broke authentication for file sharing. We didn’t test file sharing after installing the update yesterday because the original bug didn’t affect file sharing.


If you installed Security Update 2017-001 yesterday, and your build number is 17B1002, Software Update should offer you the update again; install it manually to fix the file sharing bug and move to build 17B1003. On my iMac with build 17B1002, no automatic update took place.

For those who need a standalone installer for Security Update 2017-001, Apple has now made such a download available.

If you have a legitimate use for the root user account on your Mac, you’ll need to re-enable it and change its password in Directory Utility after installing the update. Hardly anyone should have to do this.

Why all this fuss? Although the Mac community identified the primary attack vectors on 28 November 2017 when the vulnerability was first publicized, it’s possible that there are others that are not blocked by changing the root password or disabling remote access. We have to assume that black hat hackers are already probing every possible area where this bug could provide access. That’s why it’s entirely reasonable for Apple to push the security update to all systems.

In a statement to John Gruber of Daring Fireball, Apple said:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

Apple deserves credit for releasing this security update in less than 24 hours after the bug was publicized on Twitter. That quick reaction time is reassuring, much as I’m sure many developers, testers, and deployment teams at Apple had a truly awful day.

But the fact that Apple could introduce a security hole the size of a truck into High Sierra is appalling. Ensuring that unauthorized users can’t act as the root user in a Unix system is basic security, because anyone who can become root can do anything they want. That the vulnerability escaped notice in Apple’s security testing is almost worse than the bug itself, and the initial release of Security Update 2017-001 breaking file sharing authentication is also distressing.

And yes, if you’ve been waiting to upgrade to High Sierra, pat yourself on the back. 10.12 Sierra and earlier versions of OS X don’t suffer from this bug.


TidBITS members can unsubscribe from just-published articles at http://tidbits.com/subscriptions. TidBITS Talk readers will need to create a filter to delete these articles.

Article copyright © 2017 By Adam C. Engst . Reuse governed by Creative Commons License.




____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____
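A scripted form of the build-number check the article describes, added here as an example (it is not TidBITS code): it maps the product version and build that a Mac reports to a patch state for Security Update 2017-001, using the 17B1002 and 17B1003 build numbers and the 10.12-and-earlier exemption given in the article. Reading the values with `sw_vers`, and treating any other 10.13.0/10.13.1 build as pre-update, are my assumptions.

```shell
#!/bin/sh
# Added example: classify a Mac's state with respect to Security Update 2017-001
# from the values that `sw_vers -productVersion` and `sw_vers -buildVersion`
# report (the same numbers shown under Apple menu > About This Mac).
# Build 17B1002 is the first, file-sharing-breaking release of the update and
# 17B1003 the corrected one; 10.12 Sierra and earlier are not affected.
# Treating any other 10.13.0/10.13.1 build as pre-update is an assumption.

# Usage: patch_status PRODUCT_VERSION BUILD
# Prints one of: not-affected, patched, needs-reinstall, unpatched, unknown
patch_status() {
    version="$1"
    build="$2"
    case "$version" in
        10.[0-9]|10.[0-9].*|10.1[0-2]|10.1[0-2].*)
            echo "not-affected" ;;                  # Sierra (10.12) or earlier OS X
        10.13|10.13.0|10.13.1)
            case "$build" in
                17B1003) echo "patched" ;;          # corrected update installed
                17B1002) echo "needs-reinstall" ;;  # first update; reinstall to fix file sharing
                *)       echo "unpatched" ;;        # High Sierra build predating the update
            esac ;;
        *)
            echo "unknown" ;;                       # release not covered by the article
    esac
}

# Report on the machine the script runs on. sw_vers exists only on macOS, so
# fall back to "unknown" elsewhere instead of aborting.
report_local_mac() {
    product=$(sw_vers -productVersion 2>/dev/null) || product="unknown"
    build=$(sw_vers -buildVersion 2>/dev/null) || build="unknown"
    echo "macOS $product build $build: $(patch_status "$product" "$build")"
}

report_local_mac
```

Run it over a fleet's inventory by calling patch_status with each machine's recorded version and build; "needs-reinstall" flags the Macs the article says should be offered the update a second time.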

Re: TidBITS: Apple Pushes Updates to Block the Root Vulnerability Bug

Tallitsch, Robert
Adam

Below you make the following statement: If you installed Security Update 2017-001 yesterday, and your build number is 17B1002, Software Update should offer you the update again; install it manually to fix the file sharing bug and move to build 17B1003.

My Mac Pro only has the software update build # 17B1002. When I hit “software update” on the “About this Mac” finder option I was told that my software was up-to-date and no updates were available. In addition I can’t seem to find the download page for this security update (build number 17B1003).

Suggestions?

Bob

On Nov 30, 2017, at 11:47, TidBITS Articles <[hidden email]> wrote:





Robert B. Tallitsch, Ph. D.  l  Professor of Biology  l  Augustana College
639 38th Street  l  Rock Island, IL 61201  l  (309) 794-3441
web page: http:www.augustana.edu/users/bitallitsch


I am a teacher. A teacher is someone who leads. 
There is no magic here. 
I do not walk on water, I do not part the sea. 
I just love my students.   
(adapted from Marva Collins)
************************************************************
Teaching is the playful search and discovery with others for 
the potential in each of them—and in me. 
(Louis Schmier)
************************************************************ 
The task of the excellent teacher is to stimulate apparently
ordinary people to unusual effort. The tough part is not in
identifying winners; it is in making winners out of ordinary people. 
************************************************************ 

Re: TidBITS: Apple Pushes Updates to Block the Root Vulnerability Bug

Rodney

On Nov 30, 2017, at 22:38, Bob Tallitsch <[hidden email]> wrote:

Below you make the following statement: If you installed Security Update 2017-001 yesterday, and your build number is 17B1002, Software Update should offer you the update again; install it manually to fix the file sharing bug and move to build 17B1003.

I installed the update manually yesterday. Apple installed the update automatically today. I’m now at 17B1003.


Re: TidBITS: Apple Pushes Updates to Block the Root Vulnerability Bug

adamengst
Administrator
I installed the update manually yesterday. Apple installed the update automatically today. I’m now at 17B1003.

That’s good to know - we didn’t see that happen on any of our Macs.

cheers... -Adam

Re: TidBITS: Apple Pushes Updates to Block the Root Vulnerability Bug

Gaiges
In reply to this post by Rodney
This also happened to me.

On Nov 30, 2017, at 3:54 PM, Rodney <[hidden email]> wrote:


On Nov 30, 2017, at 22:38, Bob Tallitsch <[hidden email]> wrote:

Below you make the following statement: If you installed Security Update 2017-001 yesterday, and your build number is 17B1002, Software Update should offer you the update again; install it manually to fix the file sharing bug and move to build 17B1003.

I installed the update manually yesterday. Apple installed the update automatically today. I’m now at 17B1003.
