Updating macOS High Sierra Could Reactivate Root Password Vulnerability

Apple found itself rather red-faced last week when it was discovered that the root account of macOS High Sierra was accessible without a password. Yep, that’s quite the security blunder. The company responded quickly with a patch. Unfortunately, it turns out that patch can be overridden by macOS’ normal update process.

WIRED’s Andy Greenberg was contacted by “multiple Mac users” who discovered that updating from High Sierra 10.13.0 to 10.13.1 would remove the fix, if it had been applied previously:

Those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the “root” bug reappears when they install the most recent macOS system update. And worse, two of those Mac users say they’ve also tried re-installing Apple’s security patch after that upgrade, only to find that the “root” problem still persists until they reboot their computer, with no warning that a reboot is necessary.

That’s not great. Apple has yet to do anything to address the problem, other than adding the following caveat to the patch’s security advisory:

If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly.

It’s good practice to reboot after applying updates to any operating system, but it’s certainly not a widespread habit. Hopefully Apple takes further steps to tie up this whole root password thing before something else goes awry.

macOS Update Accidentally Undoes Apple’s “Root” Bug Patch [WIRED]

