Apple SNAFU means updating to macOS 10.13.1 could reactivate root access bug
A few days ago, a serious security flaw with macOS High Sierra came to light. It was discovered that it was possible to log into the "root" account without entering a password, and -- although the company seemed to have been alerted to the issue a couple of weeks back -- praise was heaped on Apple for pushing a fix out of the door quickly.
But calm those celebrations. It now transpires that the bug fix has a bug of its own. Upgrade to macOS 10.13.1 and you could well find that the patch is undone. Slow hand clap.
See also:
- Security: macOS High Sierra bug lets you log in as 'root'... without a password
- Apple expeditiously patches embarrassing macOS High Sierra security bug, thereby regaining my trust
Numerous users have confirmed to Wired that Apple's hastily rolled-out bug fix is far from flawless itself. It seems that Apple assumed a particular order in which users would do things, and this assumption means the original problem can be reintroduced. If you had already upgraded to macOS High Sierra 10.13.1 and then installed the patch, you should be fine -- but not everyone has done this.
If you had yet to upgrade to the very latest version of High Sierra -- that is, you were running 10.13.0 -- and you installed the patch and THEN upgraded to 10.13.1, the "root" access bug rears its head once again. Other people have complained that even if they upgraded to 10.13.1 before installing the patch, there is no notification that a reboot is required to finish the installation, and therefore the problem remains.
The solution is a simple one -- but one that has not been made sufficiently clear by Apple. In order to avoid problems, you need to make sure that you've upgraded to High Sierra 10.13.1, then install the patch and then reboot your computer.
If you installed the patch in 10.13.0 and then upgraded to 10.13.1, you'll need to reinstall the patch and reboot.
Apple has added a note to its support pages making this clearer.
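For administrators who want to confirm where a machine stands after following the steps above, here is an added read-only check script. It is not from the article, from Wired or from Apple: it reports the macOS version, whether the "root" account is currently enabled in the local directory, and the `opendirectoryd` build string, then prints the ordering advice the article gives. It assumes that a disabled root account has no `AuthenticationAuthority` attribute in `dscl` output, and it relies on my recollection that Apple's support note lists an expected `opendirectoryd` build per OS version (those numbers are not reproduced here; compare against the note yourself). The decision logic is a separate function so it can be run on any platform.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: a read-only post-fix check
# for a macOS High Sierra host. Nothing here modifies the system.

# Pure decision logic, kept separate so it runs on any platform.
#   $1 = macOS product version (as printed by `sw_vers -productVersion`)
#   $2 = root account state: "enabled", "disabled" or "unknown"
patch_advice() {
  version="$1"
  root_state="$2"
  case "$version" in
    10.13|10.13.0)
      echo "on 10.13.0: upgrade to 10.13.1 first, then install the security update, then reboot"
      ;;
    10.13.1)
      if [ "$root_state" = "enabled" ]; then
        echo "on 10.13.1 with root enabled: (re)install the security update and reboot, then review who enabled root"
      else
        echo "on 10.13.1: confirm the security update is installed and the machine has been rebooted since"
      fi
      ;;
    10.13.*)
      echo "on $version: later High Sierra release; keep the security update installed and rebooted"
      ;;
    *)
      echo "on $version: not High Sierra, not affected by this particular issue"
      ;;
  esac
}

# Root is enabled when its directory record carries an AuthenticationAuthority
# attribute; a disabled root has none and dscl reports "No such key".
# (Assumption about dscl output; verify on your own build.)
root_state() {
  if ! command -v dscl >/dev/null 2>&1; then
    echo unknown
    return
  fi
  if dscl . -read /Users/root AuthenticationAuthority 2>/dev/null | grep -q 'AuthenticationAuthority:'; then
    echo enabled
  else
    echo disabled
  fi
}

# Live report, only on a macOS host; the functions above work anywhere.
if command -v sw_vers >/dev/null 2>&1; then
  ver="$(sw_vers -productVersion)"
  state="$(root_state)"
  echo "macOS version:        $ver"
  echo "root account:         $state"
  # Compare this string with the build Apple's support note gives for your OS
  # version (my recollection of the note; the numbers are not hard-coded here).
  echo "opendirectoryd build: $(what /usr/libexec/opendirectoryd 2>/dev/null | tail -n 1 | tr -d '\t')"
  echo "advice:               $(patch_advice "$ver" "$state")"
fi
```

Run it as an ordinary user; none of the commands need root. A result of "enabled" on a machine where nobody deliberately enabled root is worth investigating in its own right, independently of whether the update is installed.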