Recently, Mac computers were reported to be facing, what is referred to as the “root” issue bug. With the bug in the operating system, any person or malicious program that tried to log into a Mac computer, or install software, or even change settings, could do that by simply entering root as username on the prompt, and they were able to bypass the prompt to gain full access to the computer.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
No password required. Just 18 hours (which was last week) of the bug being reported, Apple rolled out a patch to fix the issue. However, as Wired reports, Apple’s fix for that problem has a serious glitch of its own. Reportedly, users who had “not yet upgraded their operating system from the original version of High Sierra 10.13.0, to the most recent version 10.13.1, but had downloaded the patch, say the “root” bug reappears when they install the most recent macOS system update.
And worse, two of those Mac users say they’ve also tried re-installing Apple’s security patch after that upgrade, only to find that the “root” problem still persists until they reboot their computer, with no warning that a reboot is necessary.”
According to Thomas Reed, an Apple-focused researcher at security firm MalwareBytes (via Wired), even if a Mac user instinctively reinstalled the security patch after they upgraded High Sierra, they could still be left vulnerable.
That patch Apple rushed out for its "root" security flaw? Three people tell me the fix is silently broken again if you upgrade to High Sierra 10.13.1. https://t.co/nrFhLwPQJ6 Even if you install the patch again afterward, they say bug STILL persists until you reboot.
— Andy Greenberg (@a_greenberg) December 1, 2017
After Reed confirmed that 10.13.1 reopened the “root” bug, he again installed Apple’s security fix for the problem. But he found that, until he rebooted, he could even then type “root” without a password to entirely bypass High Sierra’s security protections.
“I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad,” says Reed. “Anyone who hasn’t yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue.”
In simpler words, while the security fix is buggy, researchers confirm that after updating to 10.13.1 and then re-installing the security fix, the security update dies finally kick in and resolve the issue, however, Apple gives no such instruction on the update, leaving the users who do not go through the re-installung process, still vulnerable.