TidBITS: Update Immediately to Block the Root Vulnerability Bug


TidBITS: Update Immediately to Block the Root Vulnerability Bug

TidBITS Articles

This article was just published by TidBITS and sent to you at your request.

Update Immediately to Block the Root Vulnerability Bug

By Adam C. Engst
http://tidbits.com/article/17651

As I predicted in “High Sierra Bug Provides Full Root Access” (28 November 2017), Apple quickly released Security Update 2017-001 to address the root vulnerability bug that enabled anyone to gain admin access without a password.


Everyone running macOS 10.13.1 High Sierra should install this security update via Software Update immediately. It does not require a restart. I know that we usually recommend caution when it comes to installing updates, but this vulnerability is so severe that the fix is more important than any trouble it could conceivably cause. That said, make sure you have a backup first!

In a statement to Daring Fireball's John Gruber, Apple said:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS. When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra. We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

Although the community identified the primary attack vectors yesterday, it’s possible that there are others that are not blocked by changing the root password or disabling remote access. We have to assume that black hat hackers are already probing every possible area where this bug could provide access.

Apple notes that after installation, the build number of macOS will be 17B1002. To verify that number, choose Apple menu > About This Mac and click the Version 10.13.1 line.


If you have a legitimate use for the root user account on your Mac, you’ll need to reenable it and change its password in Directory Utility after installing the update. Hardly anyone should have to do this.

Apple deserves credit for releasing this security update in less than 24 hours after the bug was publicized on Twitter. That quick reaction time is reassuring, much as I’m sure many developers, testers, and deployment teams at Apple had a truly awful day yesterday.

But the fact that Apple could introduce a security hole the size of a truck into High Sierra is appalling. Ensuring that unauthorized users can’t act as the root user in a Unix system is basic security, because anyone who can become root can do anything they want. That the vulnerability escaped notice in Apple’s security testing is almost worse than the vulnerability itself.

And yes, if you’ve been waiting to upgrade to High Sierra, pat yourself on the back. 10.12 Sierra and earlier versions of OS X don’t suffer from this bug.


TidBITS members can unsubscribe from just-published articles at http://tidbits.com/subscriptions. TidBITS Talk readers will need to create a filter to delete these articles.

Article copyright © 2017 by Adam C. Engst. Reuse governed by Creative Commons License.




____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____
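
A terminal check for the build number the article says to verify, as an added example that is not part of the original article or thread. It classifies hosts using only what the article states; the host names and the `0000` build strings are constructed placeholders, and `sw_vers` is the macOS command-line tool that reports the version and build.

```sh
#!/bin/sh
# Added example (not from the article): classify Macs by macOS version and build,
# using only the facts the article states.
PATCHED_BUILD="17B1002"   # build the article gives for 10.13.1 after the update

# classify VERSION BUILD -> patched | needs-update | not-affected | unknown
classify() {
    case "$1" in
        10.13.1)
            if [ "$2" = "$PATCHED_BUILD" ]; then echo patched; else echo needs-update; fi ;;
        10.13|10.13.*)
            echo unknown ;;        # the article gives no build number for these
        10.[0-9]|10.[0-9].*|10.1[0-2]|10.1[0-2].*)
            echo not-affected ;;   # per the article, 10.12 Sierra and earlier lack the bug
        *)
            echo unknown ;;
    esac
}

# audit: read "host version build" lines on stdin, print "host status" per line,
# and return 1 if any host still needs the update.
audit() {
    rc=0
    while read -r host version build; do
        if [ -z "$host" ]; then continue; fi
        status=$(classify "$version" "$build")
        echo "$host $status"
        if [ "$status" = needs-update ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed inventory; host names and the 0000 builds are placeholders.
sample_inventory() {
    cat <<'EOF'
imac-lobby 10.13.1 17B1002
mbp-design 10.13.1 17B0000
mini-build 10.12.6 16G0000
EOF
}

# On a Mac, report on the local machine (sw_vers ships with macOS).
if command -v sw_vers >/dev/null 2>&1; then
    echo "$(hostname -s) $(sw_vers -productVersion) $(sw_vers -buildVersion)" | audit || true
fi
```

Running `sample_inventory | audit` prints one status per host and exits non-zero because one constructed host is still on an unpatched 10.13.1 build.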

Re: TidBITS: Update Immediately to Block the Root Vulnerability Bug

Alan Forkosh
Note that the update is not in the Version 5 10.13.2 Beta (I installed it last night). If you have that Beta installed, follow the previous instructions to manually enable the root user. I’m pretty sure that the fix will be incorporated into the next Beta release.

Alan Forkosh                    Oakland, CA
[hidden email]
http://al4kosh.com




Re: TidBITS: Update Immediately to Block the Root Vulnerability Bug

Jerome King-2
In reply to this post by TidBITS Articles
I have installed the security update on my iMac (a late 2013 iMac), and the version number does NOT appear.

The App Store indicates that the update was installed.

So it might be that not all Macs will see the version number confirmation.

Jerry



On Nov 29, 2017, at 12:56 PM, TidBITS Articles <[hidden email]> wrote:

Apple notes that after installation, the build number of macOS will be 17B1002. To verify that number, choose Apple menu > About This Mac and click the Version 10.13.1 line.







Re: TidBITS: Update Immediately to Block the Root Vulnerability Bug

adamengst
Administrator
I have installed the security update on my iMac.  (A late 2013 iMac) and the version number does NOT appear

Did you click where the screenshot has the red box? You only get the build number after clicking that Version line.

cheers... -Adam




Re: TidBITS: Update Immediately to Block the Root Vulnerability Bug

Jim Bunnell
In reply to this post by Jerome King-2
I had the same thing happen. Restarted and version number changed.  

Sent from my iPad

On Nov 29, 2017, at 2:40 PM, Jerome King <[hidden email]> wrote:

I have installed the security update on my iMac.  (A late 2013 iMac) and the version number does NOT appear

The app store indicates that the update was installed

So it might be not all Macs will see the version number confirmation

Jerry



On Nov 29, 2017, at 12:56 PM, TidBITS Articles <[hidden email]> wrote:

Apple notes that after installation, the build number of macOS will be 17B1002. To verify that number, choose Apple menu > About This Mac and click the Version 10.13.1 line.






Re: TidBITS: Update Immediately to Block the Root Vulnerability Bug

Jerome King-2
In reply to this post by adamengst
No, I hadn’t. Didn’t know that was required.

The version number appeared.

So much to know, so little time to learn

Jerry

On Nov 29, 2017, at 4:17 PM, Adam Engst <[hidden email]> wrote:

I have installed the security update on my iMac.  (A late 2013 iMac) and the version number does NOT appear

Did you click where the screenshot has the red box? You only get the build number after clicking that Version line.

cheers... -Adam

