MacOS Update Accidentally Undoes Apple's "Root" Bug Patch

The company's fix for an embarrassing security bug includes a big bug of its own.

When a company like Apple rushes out a software patch for a critical security bug, it deserves praise for protecting its customers quickly. Except, perhaps, when that patch is so rushed that it's nearly as buggy as the code it was designed to fix.

Earlier this week, Apple scrambled to push out a software update for macOS High Sierra, to sew up a glaring hole in the operating system's security measures: When any person or malicious program tried to log into a Mac computer, install software, or change settings, and thus hit a prompt for a username and password, they could simply enter "root" as a username, no password, and bypass the prompt to gain full access to the computer. Apple's initial patch came out about 18 hours after the bug was first reported.

But now multiple Mac users have confirmed to WIRED that Apple's fix for that problem has a serious glitch of its own. Those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the "root" bug reappears when they install the most recent macOS system update. And worse, two of those Mac users say they've also tried re-installing Apple's security patch after that upgrade, only to find that the "root" problem still persists until they reboot their computer, with no warning that a reboot is necessary.

"It’s really serious, because everyone said 'hey, Apple made a very fast update to this problem, hooray,'" says Volker Chartier, a software engineer at German energy firm Innogy who was the first to alert WIRED to the issue with Apple's patch. "But as soon as you update [to 10.13.1], it comes back again and no one knows it."

Even if a Mac user knew to reinstall the security patch after they upgraded High Sierra—and in fact, Apple would eventually install that update automatically, as it has for other users affected by the "root" bug—they could still be left vulnerable, says Thomas Reed, an Apple-focused researcher at security firm MalwareBytes. After Reed confirmed that 10.13.1 reopened the "root" bug, he again installed Apple's security fix for the problem. But he found that, until he rebooted, he could even then type "root" without a password to entirely bypass High Sierra's security protections.

"I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad," says Reed. "Anyone who hasn't yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue."

Mac administrator Chris Franson, a technical director at Northeastern University, tells WIRED that he repeated that sequence of events and found that the "root" bug persisted, too. But he noted that rebooting the computer—after updating to 10.13.1 and then re-installing the security fix—did cause the security update to finally kick in and resolve the issue, which MalwareBytes' Reed confirmed. They both note, however, that Apple's security update doesn't tell users to reboot after installing it. "You could easily have someone who doesn't reboot their computer for months," says Reed. "That's not a good thing."

WIRED reached out to Apple about the flaws in its patch, but hasn't yet heard back. On Monday, the company added an extra warning to its security update page for the "root" bug: "If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly."

The bug in Apple's bug-fix isn't, of course, as bad as its original "root" problem. For one, it's not clear how many High Sierra users might have installed the security patch before upgrading to the most recent version of the operating system, or even if everyone who did so is affected. Even among those who were affected, many likely have rebooted their computers, which should leave them protected.

But the shoddiness of Apple's patch joins a disturbing pattern of security missteps in High Sierra's code. Apple had already issued a rare apology for the "root" security flaw, writing that its "customers deserve better" and promising to audit its development practices to prevent similar bugs in the future. And even before that most recent bug blowup, researchers had already shown—on the day of the operating system's launch no less—that malicious code running on the operating system could steal the contents of its keychain without a password. Another facepalm-worthy bug displayed the user's password as a password hint when someone tried to unlock an encrypted partition on their machine, known as an APFS container.

Even the fix for this week's "root" bug has already hit snafus before this more serious one presented itself. The first version of Apple's patch broke some file-sharing functions on High Sierra, requiring Apple to put out a second version. Now Apple may have to reissue the "root" patch yet again, says MalwareBytes' Reed.

"Anyone rushing a patch like this could very easily make a mistake," Reed says. "But the big question going around now is, what is Apple’s quality assurance [team] for Mac doing? I don’t know what’s going on that these bugs could have slipped past."

This post has been updated to include Apple's addition to its security page detailing the patch.