Updating macOS can bring back the nasty “root” security bug

Enlarge (credit: Andrew Cunningham)

The serious and surprising root security bug in macOS High Sierra is back for some users, shortly after Apple declared it fixed. Users who had not installed macOS 10.13.1 (and thus were running a prior version of the OS when they received the security update) found that installing 10.13.1 resurfaced the bug, according to a report from Wired.

For these users, the security update can be installed again (in fact, it would be automatically installed at some point) after updating to the new version of the operating system. However, the bug is not fixed in that case until the user reboots the computer. Many users do not reboot their computers for days or even weeks at a time, and Apple’s support documentation did not, at first, inform users that they needed to reboot. So some people may have been left vulnerable without realizing it. The documentation has been updated with the reboot step now.

The root bug allows anyone to log in or authenticate as a system administrator on systems running macOS High Sierra. In many circumstances, all they need to do is simply type in the username “root” and leave the password field blank, . The bug was so serious that it drew an uncharacteristically strong apology from Apple, which said its “customers deserve better.”