
MacOS Update Accidentally Undoes Apple's “root” Bug Patch - platinumrad
https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/
======
bsaul
I feel weird reading comments here ranging from excusing the developer to
blaming him for his lack of unit testing or anything. Let’s make this clear:
management fcked up badly. Human process. Not code, not unit testing, not a
single line of code is responsible. And you know why? Because when you’ve had
the greatest security failure in a decade publicly shaming your company and
your team, you _personally make sure it doesn’t happen again in the next
release_.

And it’s not just one manager. The whole management is screwed, it’s a
disaster. I think now is really the time to say: would you imagine this
happening under Steve Jobs?

~~~
dsacco
_> Because when you’ve had the greatest security failure in a decade_

It's nowhere close to the greatest security failure in a decade. It's not even
a contender in the far off distance. It's a well publicized vulnerability, and
it's quite silly, but in the scheme of things it's just a Tuesday for CVE
writers. We even had a vulnerability functionally identical to this, and
similar in both severity and silliness, hit Linux within the past year.

If you're talking about Apple specifically, it's still not that bad. The
vulnerability couldn't be arbitrarily executed remotely with default OS
settings, and it didn't grant kernel access. The Trident flaws were
significantly worse than this, and that's just the first that comes to mind.

Yes, yes, I know this wasn't the thrust of your point...but still. People get
kind of hyperbolic when it comes to rating security vulnerabilities. It's more
silly than it is severe. I expect at least one vulnerability of comparable
impact on every major point release of every major operating system and web
browser (not that this is a good thing, but it's logistically realistic). I
don't think this is particularly bad for Apple's public image or reputation.
Headlines about "the sky is falling!" vulnerabilities make the rounds every so
often; for better or worse, it never really seems to stick in public
consciousness.

~~~
bsaul
Because it doesn’t provide remote access, you’re right. But it was released
publicly before there was a patch available, on an OS that’s only used as a
personal computer, not as a server. And it is immediately exploitable by just
anyone, with zero technical background. I think that makes it a very big deal,
no matter what CVEs usually use for a scale. I also don’t remember any macOS
security breach getting that much publicity.

~~~
dsacco
I agree it's a big deal, in that it's serious - it's a security vulnerability
after all, yes. But I disagree about its significance for Apple in the face of
the sheer number of security advisories that come out across iOS and macOS
each year. When we broaden perspective away from just Apple, this becomes
absolutely minuscule. There's a lot of navel gazing going on, but there's not
a lot of reason to read anything particular out of this at all.

It's very silly, and I would also be embarrassed if I was involved in it, but
those aren't good metrics for judging the realistic frequency of bugs like
this, nor their severity. I've had vulnerabilities I've reported picked up by
a bunch of news media before even though they weren't that serious. As it
turns out, the media just latches on to security headlines, and everyone sort
of forgets about it except us grumblers on Hacker News, because we Never
Forget.

Someone from Google Project Zero has probably been inspired to start fuzzing
the macOS at the UI level now, and that's a good thing - they should. But
that's about all I'm taking away from this story.

Moreover:

_> on an OS that’s only used as a personal computer, not as a server_

This makes it less severe, not more so. I'd rather have a Heartbleed impacting
nearly every server on the internet than a...whatever we're calling this,
impacting every macOS computer in the world. I guess I can make a
botnet...except I still have to be local to it in the majority of cases, or do
specific targeting, or chain this with another piece of popular, compromised
software, etc. It suddenly becomes a bit more complex than just someone
pressing enter on a root prompt twice. Plus, if the vulnerability is laughably
silly, it's usually easier to find than a chain of them that evidences a
systemic misconfiguration in the entire OS.

In fact, I'd posit that the reason this story is getting so much attention is
precisely because the vulnerability is so easy to understand, and because
someone disclosed it on Twitter. Frankly, the whole situation is really quite
funny in a black comedy sort of way. But while it's fun to write stories
poking fun at large companies for their silly mistakes, it doesn't
meaningfully reflect their security competency or the long term perception of
their security competency.

Really I don't mean to trivialize it. It's not a good look, and definitely
it's worthy of being patched. But I think it's worth looking at from a much
broader perspective.

~~~
toyg
_> > on an OS that’s only used as a personal computer, not as a server_

_> This makes it less severe, not more so._

You are looking at it from the perspective of a seasoned security
professional. It's like looking at the terrorist attack in Nice from a
military point of view and saying "eh, this was just a guy on a lorry; it's
much more difficult to raid Osama in the middle of Pakistan". That might well
be, but this does not matter to the general public - to them, concepts like
"botnets" are immaterial, whereas Slippin' Jimmy entering their macbooks to
read their emails while they're sleeping is _very_ real.

In that sense, the impact here was bigger than any other security hole ever
experienced on the Mac.

~~~
9935c101ab17a66
I don't really think your analogy is all that apt, but anyway, it just serves
to reinforce dsacco's point: there may have been a lot of fuss over this, but
in terms of actual impact, this was negligible.

------
platinumrad
I've been struggling for a long time to convince some of my less technical
friends that keeping all of the software on their devices up to date is an
important best practice from a security perspective. I'm afraid that the
recent muck-ups in High Sierra and iOS 11 are going to make sure that some of
them never listen to me ever again.

~~~
IBM
I have a hard time believing that your less technical friends are even
following Apple news. The average person that walks into an Apple store and
buys a Mac probably has no idea about the original vulnerability, let alone
the multiple patches for it.

~~~
et-al
The average person that updated their iOS to 11 during the first two weeks has
definitely noticed how bug-ridden it is with power issues, 3D touch issues,
and the autocorrect bug.

We've trained people to update ASAP for security reasons, but when Apple drops
the ball and seriously fucks up iOS 11 for a month until 11.1.1 was released,
this will keep users update-shy.

I hope 2018 emphasises rock-solid releases for both macOS & iOS. Or Apple
should move to a two-year release cycle (wishful thinking).

~~~
hrez
There is still an unfixed iOS 11-introduced bug [1] that kills the notification
screen and requires a power cycle to fix. Some users hit it multiple times a
day.

[1]
[https://discussions.apple.com/message/32638979?ac_cid=tw1234...](https://discussions.apple.com/message/32638979?ac_cid=tw123456#32638979)

------
jarym
Generally I’ve noticed more bugs on High Sierra than on previous OSX releases.
Things ranging from UI glitches to freezing safari to random slowdowns - all
across multiple different machines.

Coupled with the security issues, it’s clear that whoever is responsible for
QA these days is asleep at the wheel.

It’s the reliability of the hardware and software that brought me to Apple
back in the days of the G4.

Ironic that I may have to switch back to Windows, since my work machine seems
less buggy than my Mac!

~~~
dingo_bat
Win 10 has its fair share of bugs, tbf. In fact Win 10 feels like a Google
product that never leaves beta. There will always be glitches and weird stuff.
Some things have become very good over several iterations. But there is a ton
of new stuff they keep adding, and all of it is half baked until the next
big release.

~~~
TazeTSchnitzel
The worst thing about Windows 10 is there’s a mandatory, automatic OS upgrade
every few months, which Microsoft pretend is simply an update. This can and
will break things every single time.

~~~
dingo_bat
That's actually something I like. It makes most users' PCs much more secure.
Also if absolutely required, OS upgrades can be deferred by up to a year.

------
dfischer
As serious as this is, it kind of makes me feel humbled in a way knowing I’ve
been through these exact situations and it happens to Apple too.

~~~
ryanlol
>As serious as this is

... So, not at all? It’s an LPE, for God's sake. EDIT: Apparently it affects
remote desktop too, so not just an LPE.

Can this even be exploited from within the sandbox?

~~~
fra
Not just local. VNC and other remote protocols are vulnerable.

~~~
ryanlol
Ah, that's far more interesting. Do you know if SSH is affected?

~~~
LeoPanthera
SSH is not affected.

------
allenz
Summary: the root bug reappears when you upgrade your Mac. You need to
manually reinstall Apple's security patch _and_ reboot. There's no warning
that a reboot is necessary.

~~~
wasyl
Huh, and how do I reinstall the patch? I can't find a download link, and the
App Store doesn't let me do anything with the update.

Funny thing is that on the update site, the steps in the section `To confirm
that your Mac has Security Update 2017-001` confirm that I have the update,
but I am still vulnerable to the issue.

Do I understand correctly that setting a root password is also a valid
workaround for the issue?

------
pwdisswordfish2
Would a problem with something as fundamental as this happen with an open
source UNIX-like distribution and fail to be discovered or adequately fixed?

Would anyone feel compelled to _apologize_ for mentioning a mistake by an open
source project on Twitter?

The gentleman who tweeted about Apple's mistake actually apologized for it on
Medium. Crazy.

[https://medium.com/@lemiorhan/the-story-behind-anyone-can-lo...](https://medium.com/@lemiorhan/the-story-behind-anyone-can-login-as-root-tweet-33731b5ded71?source=user_profile---------1----------------)

Apple can claim it is "certified" as UNIX(TM). And publish the source for
userland code it copied from open source projects.

Microsoft is trying again to subsume "UNIX" into Windows allowing users to run
Linux binaries without running a Linux kernel.

But neither is a substitute for the original open source UNIX-like projects.

This blunder by Apple proves that even the wealthiest company on Earth does
not necessarily produce better "UNIX" than a group of unpaid volunteers. At
least if the user cares about the basics.

~~~
bartvk
> The gentleman who tweeted about Apple's mistake actually apologized for it
> on Medium

I read his statement but I don't see an apology there. It's a reply to people
who are saying he should've practiced responsible disclosure.

------
kzahel
I am still confused. I was prompted again today to install the security update
I installed yesterday. Did they silently release another improved security
update?

~~~
glhaynes
Yeah, the day after they put out the initial update (17B1002), they put out a
second update (17B1003) that fixed the file sharing issue caused by the first
one.

------
trhway
Sounds like a typical extra-super-hyper-important-emergency effort under the
constant gaze from the very top through the thick E/S/VP/etc. layers of CYA
mediocrity eager to report up the successful completion of a glorious effort
to the glorious leader, in a typical BigCo where engineering culture is
faltering while nobody who matters cares (or is even able to care). Well, at
least it was that way back at Sun :) ... Or maybe it was just one bad day at
Apple. Though many people like to argue that engineering culture is exactly
what prevents the "bad" days from happening...

~~~
christophilus
Yup. That paired with what appears to be the lack of a decent test process.

Maybe 2018 is the year of the Linux desktop? ... one can dream...

~~~
_arvin
Linux desktop user here, I'm pretty happy so far to end 2017.

[https://i.imgur.com/yG3ep3M.jpg](https://i.imgur.com/yG3ep3M.jpg)

~~~
exikyut
Huh, they made GNOME look _good_, I'm mildly surprised to admit. Not bad.

I have to admit that for a second there I thought you were running Bash on
Windows and the terminal was going through an X server. Ha

~~~
vladimir-y
There are many Linux distros these days with graphical installers, that look
great out of the box, etc.

------
aphextron
Looks like someone screwed up their cherry-pick

------
alphabettsy
It appears the problem is that the fixes included in the security update were
not backported to 10.13.1, which caused a problem for users coming from 10.13.0
that had done the security update. Certainly a huge issue, but many commenters
seem to misunderstand the article.
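
The failure mode described in this comment (a fix that shipped as a standalone security update but was not carried into the next OS installer, so the upgrade silently drops it) is exactly what a release-gate check over supported upgrade paths would catch. The script below is an added example, not code from the article, the thread, or Apple; the build names, the `+SecUpdate` suffix and the `ROOT-AUTH-FIX` tag are constructed placeholders, not real identifiers, and the fix sets attached to each build are assumptions that mirror the scenario the comment describes.

```python
"""Upgrade-path regression check (added example, not from the article or Apple).

Models the scenario from the thread: a fix exists only in a standalone
security update, and the next OS installer does not include it, so upgrading
from "patched old release" to "new release" removes the fix. Build names and
the "ROOT-AUTH-FIX" tag are constructed placeholders, not real identifiers.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Build:
    """A shippable build and the set of security fixes it contains."""
    name: str
    fixes: FrozenSet[str]


def lost_fixes(src: Build, dst: Build) -> Set[str]:
    """Fixes present on the source build that the destination build lacks.

    A non-empty result means the upgrade src -> dst is a security regression
    for every user who already had src installed.
    """
    return set(src.fixes - dst.fixes)


def audit_upgrade_paths(
    builds: Dict[str, Build], paths: Iterable[Tuple[str, str]]
) -> Dict[Tuple[str, str], Set[str]]:
    """Return {(src, dst): lost_fixes} for every supported path that drops a fix."""
    regressions: Dict[Tuple[str, str], Set[str]] = {}
    for src_name, dst_name in paths:
        lost = lost_fixes(builds[src_name], builds[dst_name])
        if lost:
            regressions[(src_name, dst_name)] = lost
    return regressions


def release_gate(builds: Dict[str, Build], paths: Iterable[Tuple[str, str]]) -> bool:
    """True only when no supported upgrade path loses a fix; ship only on True."""
    return not audit_upgrade_paths(builds, paths)


# Constructed scenario (assumption, mirroring the comment): the fix is present
# in the security update on top of 10.13.0 but absent from the 10.13.1 installer.
CONSTRUCTED_BUILDS: Dict[str, Build] = {
    "10.13.0": Build("10.13.0", frozenset()),
    "10.13.0+SecUpdate": Build("10.13.0+SecUpdate", frozenset({"ROOT-AUTH-FIX"})),
    "10.13.1": Build("10.13.1", frozenset()),
    "10.13.1+SecUpdate": Build("10.13.1+SecUpdate", frozenset({"ROOT-AUTH-FIX"})),
}

# Every upgrade path the installer is allowed to take users along (constructed).
CONSTRUCTED_PATHS: List[Tuple[str, str]] = [
    ("10.13.0", "10.13.0+SecUpdate"),
    ("10.13.0", "10.13.1"),
    ("10.13.0+SecUpdate", "10.13.1"),  # the regression: fix silently dropped
    ("10.13.1", "10.13.1+SecUpdate"),
    ("10.13.0+SecUpdate", "10.13.1+SecUpdate"),
]


if __name__ == "__main__":
    found = audit_upgrade_paths(CONSTRUCTED_BUILDS, CONSTRUCTED_PATHS)
    for (src, dst), lost in found.items():
        print(f"REGRESSION {src} -> {dst}: drops {sorted(lost)}")
    print("release gate:", "PASS" if release_gate(CONSTRUCTED_BUILDS, CONSTRUCTED_PATHS) else "FAIL")
```

The design point is that the check is keyed on the upgrade graph rather than on version numbers: "10.13.1 is newer than 10.13.0" says nothing about whether it contains a fix that was delivered out of band, so the gate compares fix sets along every path users can actually take.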

------
smsm42
Everybody can have a bug. Even a bad one. In fact, virtually every system
_does_ have a doozy now and then. But recently with Apple it looks like they
are serving them constantly lately. Shame for this to happen to the company
that once could be pointed at as an example of somebody who gets how to make a
professional Unix-based desktop.

------
pfarnsworth
This is turning into a comedy of errors. They don't add regression tests to
their test suite? I'm a bit shocked that they're having so much trouble
releasing a patch properly.

------
JadeNB
Wow, so now they have this massive security bug, screwed up file sharing when
they fixed it, and now are apparently inadvertently rolling back the fix to
the initial massive security bug.

------
pmarreck
Classic "rushing to fix problem causing more problems" programmer error

~~~
twinkletwinkle
Now is better than never. Although never is often better than _right_ now.

~~~
contingencies
Prescription: additional sleep for security team, and non-negotiable
vulnerability regression tests for all releases.

------
exabrial
With all the pressure to produce novelty gimmicks, it's a little unsurprising
:/ and unfortunate. I'm a huge fan of OS X. It's nice to have a commercially
supported Unix system that also has a decent UI.

------
jacquesm
Not a good week for Apple. They were doing pretty well reputation-wise when it
concerned security so far, but this whole saga has been less than stellar.
Amazing that regression testing didn't catch this.

~~~
segmondy
There was no regression testing.

------
Karupan
Not regretting my decision to always be one major release behind. At this
point, I simply don’t trust Apple enough to install updates without breaking
my system and interrupting my work.

------
mephitix
For something as serious as the initial bug (especially given it was all over
the press) there should have been regression tests for this.

Either deployment was broken, the tests were broken, there weren't tests, or
multiple of the above :\ anyway I'm hypothesizing but would love to see a
post-mortem on this. How does a generally reliable company like Apple screw
this up twice?

------
ertemplin
Does Apple not require engineers to write regression tests? I really hope
there is a blog post or press release explaining what happened.

~~~
nixpulvis
lol, don't hold your breath.

------
ryanpcmcquen
Apple's security team is nailing this.

------
based2
[http://www.iphonehacks.com/2017/12/macos-10-13-2-beta-6-root...](http://www.iphonehacks.com/2017/12/macos-10-13-2-beta-6-root-security-patch.html)

------
incadenza
Cue obligatory 'this wouldn't have happened under Jobs' posts.

~~~
CamperBob2
Well, it would only have happened once, that's for damned sure.

------
halayli
They’re playing Whac-a-mole

~~~
trhway
Mac-a-mole

------
nixpulvis
So my previous comment about how if Apple was smart they'd have a unit test
for this seems to be confirmed. Apple is not smart. RIP.

------
k3a
It happens. Most people don't care anyway. They will continue buying and stock
price will continue rising. ;)

------
foobar1962
Who remembers the System 7 Update 1.1.1?

~~~
mwcremer
I do.

Heck, I was responsible for the first crashing bug found in System 7.0. It was
found about six hours after GM images were released to manufacturing. It was a
crashing bug. _It was remotely exploitable._ It was one freakin' register, for
cryin' in your cornflakes.

~~~
yuhong
How was it remotely exploitable?

------
andy_ppp
I’ve not seen this mentioned anywhere but Apple installed the security update
without my permission which made me feel both sad and unsurprised that they
have effectively back doors that can run code on _my_ machine with impunity.

Will try for a Linux dev machine next time I think.

------
vladimir-y
Apple pushes those who have not yet moved to Linux to do so?

------
zerostar07
The saga continues

------
feelin_googley
One hesitates to comment on this sequence of events because it speaks for
itself. But here is a stupid user opinion (mine):

I believe users place too much trust in corporations such as Apple, Google or
Microsoft to protect them. There is too much debate over which company to
choose ("I like ___________'s approach to security") instead of questioning
whether delegating security to _any_ of them is truly the wisest course of
action.

I hope that this incident causes at least one user to question whether users
might benefit from adopting a less trusting and more vigilant approach to
protecting their data.

And by "vigilant" I do not mean "choosing the right tech companies to trust",
diligently installing updates from these corporations and feeling self-
satisfied.

I mean _questioning the status quo_ and thinking seriously about the benefits
of free, open source operating systems that are potentially reviewable by
millions of developers and users. Systems that can be modified, compiled and
installed easily by anyone, not only by small groups of people in corporations
with special knowledge. Systems that can, e.g., permit and maybe encourage
"safer", more conservative usage patterns.

Under the prevailing laws, I believe this pool of open source developers and
users will always contain a larger number of people who care more about
protecting user data than any groups within the above companies. It is a
matter of self-interest.

Apple is a company with seemingly infinite resources at its disposal. But
clearly in this case there were more people seriously interested in fixing
this vulnerability outside of the company than within it. And as a dumb, naive
user, I question anyone who would suggest that no one except a small group of
people at Apple would be competent to do this work.

IMO, this mistake had nothing to do with what makes Apple valuable, namely
their hardware. A UNIX-like OS running on Apple hardware does not need to be
proprietary and, IMO, users have a compelling interest for software that can
expose their data and pose other security issues to be open.

~~~
bsimpson
I'm always a bit skeptical of this argument as a rationale for FOSS.

Of course, publishing your source code does make it a lot easier for outsiders
to audit your software, but how many people actually do? Linux might be an
exception because so many organizations build drivers and distributions for it
(there are always people digging through the internals and likewise,
hackers/security consultants looking for opportunities), but I suspect for
most open source projects (even the big ones), there are way fewer people
auditing them than comments like this would lead you to believe.

How many people do you think are digging through and critically analyzing
Django/Node/Rails/Docker/OpenSSL/network drivers/etc? There's a mind-blowing
amount of code behind any application, and as developers/users, we tend to
trust strength in numbers - people are using it, so it must be fine. But in
practice, I wonder how much the bystander effect counteracts this intuition.

~~~
Clubber
>publishing your source code does make it a lot easier for outsiders to audit
your software, but how many people actually do?

I would say very, very few people in the world read random source code looking
for bugs. Finding hidden bugs requires active use like a QA person would do.
This has probably already been done on any major FOSS software, so any
remaining bugs would be unbelievably hard to find, and very unlikely by just
reading source code.

I mean it sounds good as a theory, but it also sounds like, "If I publish my
book online for free, lots of people on the internet will read it."

~~~
gkop
You are both right. Having the code helps the kind of testing you’re talking
about. Also static analysis.

~~~
Clubber
>static analysis

Doesn't really change the equation though. That just allows people to _not_
read it faster using automation. :)

~~~
gkop
Sorry, I ninja-edited above. I see your point upon reflection: we’re talking
about other dimensions of open source (eg. popular and trusted), not the
availability of the code.

------
jordache
Oh! Well that solves the mystery of how Apple allowed their new USB-C MBPs to
be so buggy in trivial use cases.

