It seems Apple is determined to make it super-easy for MacOS users to be casually hacked by passersby. We wrote recently of a MacOS High Sierra bug (or is it just pure negligence?) which meant the OS shipped without a root password, so anyone could walk past your locked Mac laptop, casually log in and reformat your hard drive, amongst other nefarious things.
Apple rushed out a patch, with rush being the operative word. Not only did the patch break some file-sharing functions on High Sierra, causing Apple to issue another patch, but now it appears simply updating the OS undoes the patch, leaving users vulnerable again.
Wired reports that those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the “root” bug reappears when they install the most recent macOS system update. This means users may believe they are protected but they are not.
Worse, if users do re-install the patch (or if it is eventually re-installed automatically), it is not activated until a reboot (which for laptop users may be weeks to months away), and the app offers no prompt to ensure users do reboot after its application.
“It’s really serious, because everyone said ‘hey, Apple made a very fast update to this problem, hooray,'” says Volker Chartier, a software engineer at German energy firm Innogy who was the first to alert WIRED to the issue with Apple’s patch. “But as soon as you update [to 10.13.1], it comes back again and no one knows it.”
“I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad,” says Thomas Reed, researcher at security firm Malwarebytes. “Anyone who hasn’t yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue.”
The root password problems follow a litany of other issues which PC users may not have heard of, including displaying the user’s password as a password hint when someone tries to unlock an encrypted partition on their machine, known as an APFS container, and allowing malware to easily steal the contents of a user’s keychain without a password.
“...the big question going around now is, what is Apple’s quality assurance [team] for Mac doing?” said Malwarebytes’ Thomas Reed. “I don’t know what’s going on that these bugs could have slipped past.”
Apple has said “customers deserve better”, and we can only suggest now may be the time to give Windows a try…