Security Market Segment LS
Tuesday, 05 December 2017 11:39

Apple bid to fix root login bug looks like comedy of errors


Apple's attempts to fix a bug in its macOS operating system that allowed a user to log in as root without a password appear to have turned into a comedy of errors.

A blog post by security firm Malwarebytes said that the first fix issued to fix the problem resulted in file-sharing being turned off. This fix was named Security Update 2017-001.

Given the severity of the original bug, the update was pushed out automatically for both macOS 10.13.0 and 10.13.1.

Apple then released a technical explanation about the file-sharing issue and re-issued a fix, again labelled Security Update 2017-001.

"Yup, that’s a second Security Update 2017-001, not Security Update 2017-002. Thus, people who had already installed Security Update 2017-001 found themselves wondering why they had to install it again," said Malwarebytes researcher Thomas Reed.

"Fortunately, again, the update was automatic. So if you didn’t do it manually, your confusion wasn’t going to keep you from getting the update."

But the confusion did not end there. The security update could be applied to both 10.13.0 and 10.13.1. But anyone who had the patch applied to 10.13.0 and then updated to 10.13.1 found that the first bug — allowing root access without a password — surfaced again.

Anyone who assumed that since the patch existed for 10.13.1 too, it would be applied automatically again, was in for a nasty surprise, Reed said.

Even if that took place, users were still vulnerable to the original bug unless they restarted their machines.

"Since the update doesn’t require a restart, and since many Mac users can be rather averse to restarting, this means that people upgrading from 10.13.0 to 10.13.1 could easily end up being vulnerable to this bug for weeks or months, until they next decide to restart," Reed said.

He said over the weekend, Apple released a fix and added a mention of the problem to their notes on Security Update 2017-001.

"Rather than releasing yet another iteration of Security Update 2017-001, Apple added a fix to the MRT application. MRT, which stands for Malware Removal Tool, is not something Apple talks about, and little is known about exactly how it works," Reed noted.

"If you’re wondering why Apple would release a fix for this bug in MRT, that’s an excellent question. It doesn’t seem to make much sense and feels a bit like a hack to me. My guess is that MRT was something that could be easily and quietly updated, so that’s what they did."


Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has high potential to be exposed to risk.

It only takes one awry email to expose an accounts payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 steps to improve your Business Cyber Security’ you will learn some simple steps you should be taking to prevent devastating malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you will learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments