
#Fail: Upgrading To macOS 10.13.1 Can Undo Fix For Epic Security Vulnerability

Posted in Commentary with tags on December 4, 2017 by itnerd

Betanews, among others, is reporting that the emergency patch Apple released last week to fix this epic security flaw (the High Sierra "root" access bug) can easily be undone:

Numerous users have confirmed to Wired that Apple’s hastily rolled out bug fix is far from flawless itself. It seems that Apple was predicting a particular order in which users would do things, and this assumption means the original problem can be reintroduced. If you had upgraded to macOS High Sierra 10.13.1 and then installed the patch you should be fine — but not everyone has done this.

If you had yet to upgrade to the very latest version of High Sierra — that is, you were running 10.13.0 — and you installed the patch and THEN upgraded to 10.13.1, the “root” access bug rears its head once again. Other people have complained that even if they have upgraded to 10.13.1 before installing the patch, there is no notification that a reboot is required to finish the installation, and therefore the problem remains.

The fix is simple enough: reinstall the patch after upgrading from 10.13 to 10.13.1. It's outlined in this support document, which Apple has since modified to make that clearer. But who checks this sort of thing before they upgrade? Nobody does. In my mind, what should have happened is that anyone who downloads 10.13.1 gets the emergency patch included with it, so you wouldn't have to think about it at all. But 10.13.2, which includes this patch as of the last beta, is due to be released as early as this week, so Apple might have figured that this was not that big of a deal.
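As an added example (mine, not code from the original post and not Apple's), here is a small shell check that captures the sequencing problem above: given the OS version and the build string of opendirectoryd, it decides whether Security Update 2017-001 is actually in place on this Mac or has to be reinstalled, so you can run it after every upgrade instead of remembering the support document. The expected build strings (opendirectoryd-483.1.5 on 10.13, opendirectoryd-483.20.7 on 10.13.1) are my recollection of Apple's support note and are an assumption to verify against the note itself; the function names and the sample `what` output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post and not Apple's code: check whether
# Security Update 2017-001 is in place on a High Sierra Mac, or whether the
# patch-then-upgrade ordering has left the system needing the patch again.
#
# ASSUMPTION: Apple's support note for the update (as I recall it) says that
# after installation, `what /usr/libexec/opendirectoryd` reports
# opendirectoryd-483.1.5 on 10.13 and opendirectoryd-483.20.7 on 10.13.1.
# Verify these strings against the current note before relying on them.

# Usage: root_fix_status PRODUCT_VERSION WHAT_OUTPUT
#   PRODUCT_VERSION  output of `sw_vers -productVersion`
#   WHAT_OUTPUT      output of `what /usr/libexec/opendirectoryd`
# Prints one of: patched | reinstall | not-applicable
# Exit status: 0 = patched, 1 = reinstall needed, 2 = not a 10.13/10.13.1 system
root_fix_status() {
    os="$1"
    what_out="$2"

    case "$os" in
        10.13)   want="483.1.5"  ;;   # build of the fix for the initial 10.13 release
        10.13.1) want="483.20.7" ;;   # separate build of the fix for 10.13.1
        *)
            # 10.13.2 carries the fix as of its last beta, and earlier releases
            # were not affected, so there is nothing to reinstall either way.
            echo "not-applicable"
            return 2
            ;;
    esac

    # The patched binary's PROJECT tag must be the fix build for *this* OS
    # version. Anything else (the stock 10.13.1 build after an upgrade, or a
    # leftover 10.13 fix string) means the fix is not in place on this system.
    # The second pattern stops "483.1.5" from matching e.g. "483.1.50".
    case "$what_out" in
        *"opendirectoryd-$want" | *"opendirectoryd-$want"[!0-9.]*)
            echo "patched"
            return 0
            ;;
        *)
            echo "reinstall"
            return 1
            ;;
    esac
}

# Live check (macOS only): gather the two inputs from the running system.
root_fix_status_live() {
    root_fix_status "$(sw_vers -productVersion)" \
                    "$(what /usr/libexec/opendirectoryd 2>/dev/null)"
}

# Constructed sample mimicking the shape of `what` output on a patched 10.13.1
# machine; not captured from a real system.
SAMPLE_PATCHED_10_13_1='/usr/libexec/opendirectoryd:
    PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7'

# Only attempt the live check where sw_vers and what exist.
case "$(uname -s)" in
    Darwin) root_fix_status_live ;;
esac
```

Run it on the Mac in question after the 10.13.1 upgrade; "reinstall" means the Security Update has to be applied again, exactly the situation the Betanews report describes. Because the decision is a plain function of two strings, the same logic can be fed the output of `sw_vers` and `what` collected by a fleet management tool rather than run interactively.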

Having said all of that, I do have a question. How was this not caught in Apple's QA process? Creating a test case around this scenario (patch first, upgrade second) would not have been hard, and maybe Apple could have tweaked things to stop this scenario from happening. Of course, I am assuming that this is a bug rather than a willful decision on the part of Apple. I'm sure we're unlikely to get any clarification from the folks at Apple Park on this, which is a shame, as some transparency, given last week's events, would be welcome right about now.
