As we reported on Wednesday, developer Lemi Ergin discovered a massive security vulnerability in macOS High Sierra that would allow anyone with direct physical or remote access to a Mac to bypass administrator authentication and log in without even supplying a password. The steps needed to take advantage of this vulnerability were incredibly easy:
- Open System Preferences
- Click Users & Groups
- Click the lock for changes
- Type "root" into the username field
- Leave the password field blank
- Click unlock
Once this latest software blunder was brought to Apple's attention, it published a new support document to walk users through some [relatively] simple steps to repair file sharing. As of now, there is no software patch to fix the file sharing screw-up for everyday macOS users who may be uneasy about messing around in Terminal.
You'd think that would be the end of Apple's software troubles for this week, but you'd be wrong. A new report from Wired has revealed that users who were still on macOS High Sierra 10.13 -- and installed the rushed security patch for the root exploit -- saw the effects of the patch completely undone by upgrading to macOS High Sierra 10.13.1.
"It's really serious, because everyone said 'hey, Apple made a very fast update to this problem, hooray,'" Innogy software engineer Volker Chartier said in a statement to Wired. "But as soon as you update [to 10.13.1], it comes back again and no one knows it."
"I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad," said Malwarebytes researcher Thomas Reed. "Anyone who hasn't yet updated to 10.13.1, they're now in the pipeline headed straight for this issue."
Apparently, the only way to truly solve the problem for users that were "late" to update to the newest version of macOS High Sierra is to install 10.13.1, reboot, then install the root security update.
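For administrators who want to confirm where a Mac stands after the patch-then-upgrade sequence described above, the state of the local root account is the thing worth checking. The script below is an added example, not code from the article or from Apple: it classifies the output of `dscl . -read /Users/root AuthenticationAuthority`. It assumes (as widely reported for 10.13.x) that a root account with no AuthenticationAuthority key prints "No such key" and is the disabled state the empty-password login abused, while a value containing ";ShadowHash;" means root is enabled with a stored password hash. The sample outputs embedded in the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article or Apple's support document).
# Classify the local root account's state from the output of:
#   dscl . -read /Users/root AuthenticationAuthority
# Assumptions (labelled, based on commonly reported 10.13.x behaviour):
#   - "No such key"  => root disabled (the state the empty-password login abused
#                       on an unpatched 10.13 / 10.13.1 system)
#   - ";ShadowHash;" => root enabled with a password hash stored

classify_root_state() {
    # $1: dscl output (stdout and stderr combined) captured as a string
    case "$1" in
        *"No such key"*)            echo "disabled" ;;
        *";ShadowHash;"*)           echo "enabled-with-password" ;;
        *"AuthenticationAuthority:"*) echo "enabled-other" ;;
        *)                          echo "unknown" ;;
    esac
}

# Query the live system. dscl only exists on macOS, so elsewhere we report
# "unknown" rather than failing.
check_live_root_state() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "unknown"
        return 0
    fi
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    classify_root_state "$out"
}

# Constructed sample outputs, used for offline demonstration only.
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

echo "sample disabled -> $(classify_root_state "$SAMPLE_DISABLED")"
echo "sample enabled  -> $(classify_root_state "$SAMPLE_ENABLED")"
echo "this machine    -> $(check_live_root_state)"
```

A result of "disabled" on a 10.13 or 10.13.1 Mac is the cue to verify that the security update is actually present after the 10.13.1 upgrade and reboot; "enabled-with-password" means a root password has been set, which closes the empty-password path regardless of patch state.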
While things were bad enough on the macOS side of things, iOS wasn't immune to software buggery this week. It was revealed that some iPhone users running iOS 11.1.1 or 11.1.2 were seeing their devices soft reset today (December 2nd) after 12:15am. According to reports, the issue stemmed from apps set to deliver daily or repeating notifications maxing out the CPU and causing the device to soft reset.
As a result, Apple pushed out iOS 11.2 earlier this morning to squash the bug. Apple doesn't typically release major software updates over the weekend (they usually come out on Tuesdays at 1PM EST), but this soft reset bug forced the company's hand.