A critical patch for a vulnerability in Apple’s macOS High Sierra may not be properly applied if a user also updates the system software.
The vulnerability, which was made public on Nov. 28, could allow a malicious user to bypass authentication dialogs and even potentially acquire root system privileges. Apple released the High Sierra patch the following day, but users reported that the patch was undone depending on which system updates were applied afterward.
According to many users on Twitter, and as first reported by Wired, if a Mac was running macOS 10.13.0 rather than the newer 10.13.1 when the patch was installed, updating to 10.13.1 afterward undid the High Sierra patch. Reinstalling the patch after the system update then required a reboot for the fix to take effect, but users were not shown the notification that a restart was necessary.
Apple has since updated its patch notes to include these issues: “If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly.”
MacLemon, a Mac sysadmin and independent security researcher, said the system update downgrading the High Sierra patch shouldn’t be surprising.
“It’s mostly expected that an older update installed over a newer system downgrades components. The failure here is that Apple doesn’t show the Security Update 2017-001 again after reinstalling 10.13.1,” MacLemon told SearchSecurity via Twitter Direct Message. “It’s part of Apple’s growing carelessness for the Mac in general. Since they changed the development process to release on time instead of when done, Mac OS X/OS X/macOS quality and stability has been in steady decline. Banana software shipped green that ripens at the customer.”
Because of the confusion surrounding the High Sierra patch and the macOS update, users may not know if the patch was applied properly and whether or not they are protected against the root password flaw, as Marc Rogers, head of SecOps for DefCon and head of infosec for Cloudflare, said on Twitter.
Well done @apple By not incrementing patch numbers to hide the fact you messed up first root bug patch and now messing up that patch we have no way of telling who is impacted and who isn’t other than manual checks. https://t.co/CecU4AhUjJ #innovation
— Marc Rogers (@marcwrogers)
December 2, 2017
Experts suggested checking for software updates and ensuring systems have been rebooted.
Root passwords and the High Sierra patch
When the High Sierra root flaw was first announced, an early suggestion from experts was to create a password for the root user. However, MacLemon noted this could cause security issues as well.
For those who hastily set a root password to mitigate the macOS High Sierra root login security issue:
You’ll forget to turn off that bad root password once the issue is fixed and you have installed a patch.
Many Macs will have weak root passwords for years to come. #onlyApple
— MacLemon (@MacLemon)
November 29, 2017
Additionally, Adam Nichols, principal of software security at Grimm, said creating this password would not be a full fix anyway.
Fun fact: manually disabling the root account once it was enabled by the recent MacOS auth bug mitigated the bug on the login screen, but it did not mitigate it via VNC. In other words VNC would keep re-enabling the account while the login screen would not. Patch fixed that too.
— ☣Adam (@AdamOfDc949)
November 30, 2017
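Putting the article's two concerns together, whether Security Update 2017-001 is actually in place after a reboot (the advice from the experts above) and whether a root account hastily enabled as a workaround has been left behind (the point MacLemon and Nichols raise), the following shell script is an added example; it is not code from the article, from Apple or from anyone quoted. It assumes `softwareupdate --history`, `dscl`, `sysctl kern.boottime` and the `/Library/Receipts/InstallHistory.plist` receipt as the places an admin would gather the inputs on a Mac; the sample outputs and timestamps inside the block are constructed, and the column layout of the history output is an assumption, so the parsing keys only on product names.

```shell
#!/bin/sh
# Added example, not code from the article, Apple or any of the people quoted.
# It answers the questions the article raises for one Mac: is Security Update
# 2017-001 in the install history, did an OS update land after it (the order
# that undid the fix on 10.13), has the machine rebooted since the last install,
# and is the root account still enabled. Inputs are passed as strings so the
# logic runs offline; every sample below is constructed, not captured output.

# Constructed sample of `softwareupdate --history`: the failure case, patch
# installed first and the 10.13.1 update applied on top of it.
SAMPLE_HISTORY_BAD='Display Name                 Version    Date
Security Update 2017-001     1.0        11/29/2017, 17:02:10
macOS 10.13.1 Update         10.13.1    11/30/2017, 08:45:31'

# Constructed sample of the healthy order: OS update first, patch afterwards.
SAMPLE_HISTORY_GOOD='Display Name                 Version    Date
macOS 10.13.1 Update         10.13.1    11/29/2017, 08:45:31
Security Update 2017-001     1.0        11/30/2017, 17:02:10'

# Constructed outputs of `dscl . -read /Users/root AuthenticationAuthority`.
# A disabled root account has no such key; an enabled one carries a hash list.
SAMPLE_ROOT_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ROOT_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Constructed epoch timestamps (seconds) for the last install and the last boot.
INSTALL_EPOCH=1512031531
BOOT_BEFORE_INSTALL=1511990000   # booted before the install: reboot still pending
BOOT_AFTER_INSTALL=1512050000    # booted after the install: patch is live

# 0 if the security update appears anywhere in the history text.
has_security_update() {
  printf '%s\n' "$1" | grep -q '^Security Update 2017-001'
}

# 0 if a macOS 10.13.x update line follows the security update line, the
# ordering that reverted the patch for users who started on 10.13.0.
os_update_after_patch() {
  printf '%s\n' "$1" | awk '
    /^Security Update 2017-001/ { seen = 1; next }
    seen && /^macOS 10\.13/      { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# 0 if the last install is newer than the last boot, i.e. the restart that
# Apple's updated notes ask for has not happened yet. Args: install, boot.
reboot_pending() {
  [ "$1" -gt "$2" ]
}

# 0 if the dscl output shows root carrying an authentication authority,
# which means the root account is enabled and its password matters.
root_enabled() {
  printf '%s\n' "$1" | grep -q '^AuthenticationAuthority:'
}

# Folds the four checks into a single verdict line, worst finding first.
# Args: history text, install epoch, boot epoch, dscl output.
verdict() {
  hist=$1; install=$2; boot=$3; root_out=$4
  if ! has_security_update "$hist"; then
    echo "MISSING: Security Update 2017-001 is not installed"
  elif os_update_after_patch "$hist"; then
    echo "REINSTALL: an OS update landed after the patch; reinstall it and reboot"
  elif reboot_pending "$install" "$boot"; then
    echo "REBOOT: patch installed but not applied until restart"
  elif root_enabled "$root_out"; then
    echo "ROOT-ENABLED: patch applied; root account still enabled, review its password"
  else
    echo "OK: patch applied and root account disabled"
  fi
}

# Offline demonstration over the constructed samples.
verdict "$SAMPLE_HISTORY_BAD"  "$INSTALL_EPOCH" "$BOOT_AFTER_INSTALL"  "$SAMPLE_ROOT_DISABLED"
verdict "$SAMPLE_HISTORY_GOOD" "$INSTALL_EPOCH" "$BOOT_BEFORE_INSTALL" "$SAMPLE_ROOT_DISABLED"
verdict "$SAMPLE_HISTORY_GOOD" "$INSTALL_EPOCH" "$BOOT_AFTER_INSTALL"  "$SAMPLE_ROOT_ENABLED"
verdict "$SAMPLE_HISTORY_GOOD" "$INSTALL_EPOCH" "$BOOT_AFTER_INSTALL"  "$SAMPLE_ROOT_DISABLED"

# On a real Mac the inputs would be gathered with macOS commands, e.g.:
#   verdict "$(softwareupdate --history)" \
#           "$(stat -f %m /Library/Receipts/InstallHistory.plist)" \
#           "$(sysctl -n kern.boottime | sed 's/.*sec = \([0-9]*\).*/\1/')" \
#           "$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
```

The order of the checks matters: a missing patch or a patch overwritten by a later OS update is reported before the reboot question, because reinstalling the update is what produces the new install timestamp and the pending restart. The root check comes last on purpose; it is only worth acting on once the patch itself is confirmed, since on an unpatched machine the account can be re-enabled through the bug regardless of what the admin set.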