Apple’s quick patch for the recently discovered “root” user bug can be undone by upgrading to macOS 10.13.1.
According to a Wired report on Friday, multiple users have confirmed that upgrading from macOS 10.13.0 High Sierra to the latest version 10.13.1, released at the end of October, disables Apple’s security patch for the root user login flaw.
In particular, users running macOS 10.13.0 who downloaded and installed the security update released on Wednesday say the root bug reappears after upgrading to macOS 10.13.1. To make matters even worse, two people who attempted to reinstall the patch after upgrading to macOS 10.13.1 say the root login bug persists until the device is rebooted. However, Apple’s official documentation does not say a reboot is required to install the patch.
In a statement, Malwarebytes security researcher Thomas Reed said:
“I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad. Anyone who hasn’t yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue.”
Reed also noted that a lot of Mac owners will go months at a time before restarting their computers, meaning that the bug could linger.
Earlier this week, a bug was discovered that allows anyone to log in to a Mac running High Sierra as its “root” System Administrator without first entering a password. Within 24 hours, Apple pushed out the Security Update 2017-001 patch via the Mac App Store.
However, the patch introduced its own problems, as users had issues authenticating or connecting to file shares on their Mac. Apple quickly posted a Terminal-based fix to its support pages before reissuing the security patch with a permanent solution a few hours later.
While this issue is not as damaging as the original root user bug, the glitch in Apple’s security patch is unusually sloppy for the tech giant.