Security Market Segment LS
Tuesday, 05 December 2017 11:39

Apple bid to fix root login bug looks like comedy of errors


Apple's attempts to fix a bug in its macOS operating system that allowed a user to log in as root without a password appear to have turned into a comedy of errors.

A blog post by security firm Malwarebytes said that the first fix issued to fix the problem resulted in file-sharing being turned off. This fix was named Security Update 2017-001.

Given the severity of the original bug, the update was pushed out automatically for both macOS 10.13.0 and 10.13.1.

Apple then released a technical explanation about the file-sharing issue and re-issued a fix, again labelled Security Update 2017-001.

"Yup, that’s a second Security Update 2017-001, not Security Update 2017-002. Thus, people who had already installed Security Update 2017-001 found themselves wondering why they had to install it again," said Malwarebytes researcher Thomas Reed.

"Fortunately, again, the update was automatic. So if you didn’t do it manually, your confusion wasn’t going to keep you from getting the update."

But the confusion did not end there. The security update could be applied to both 10.13.0 and 10.13.1. But anyone who had the patch applied to 10.13.0 and then updated to 10.13.1 found that the first bug — allowing root access without a password — surfaced again.

Anyone who assumed that since the patch existed for 10.13.1 too, it would be applied automatically again, was in for a nasty surprise, Reed said.

Even if that took place, users were still vulnerable to the original bug unless they restarted their machines.

"Since the update doesn’t require a restart, and since many Mac users can be rather averse to restarting, this means that people upgrading from 10.13.0 to 10.13.1 could easily end up being vulnerable to this bug for weeks or months, until they next decide to restart," Reed said.

He said over the weekend, Apple released a fix and added a mention of the problem to their notes on Security Update 2017-001.

"Rather than releasing yet another iteration of Security Update 2017-001, Apple added a fix to the MRT application. MRT, which stands for Malware Removal Tool, is not something Apple talks about, and little is known about exactly how it works," Reed noted.

"If you’re wondering why Apple would release a fix for this bug in MRT, that’s an excellent question. It doesn’t seem to make much sense and feels a bit like a hack to me. My guess is that MRT was something that could be easily and quietly updated, so that’s what they did."


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments