Users who patch bug, then upgrade to 10.13.1, can expect it to reoccur.
Apple’s patch to address a serious password bug on macOS High Sierra may not have fixed the original problem, with the flaw reappearing for some users.
The tech giant intended to plug a hole in High Sierra version 10.13 that would allow anyone with physical access, or remote access through a software client, to bypass security screens and grant themselves admin privileges, simply by typinig in “root” as their username and leaving the password field blank.
Apple issued the patch almost immediately last week, but once updated, users began to notice they could no longer authorise their connections to their file-sharing client, which is used by both personal and business users.
Unfortunately, it now appears that the order in which users apply the patches may cause the original password exploit to return, according to Wired. Users who had not yet upgraded their systems to the latest High Sierra 10.13.1 build, but had downloaded and applied Apple’s security patch, told Wired that the “root” bug resurfaces when they install the newest OS system.
Even if some users reinstall the security patch after upgrading, there are many other users who will be unaware of the issue and are left open to the vulnerability, Thomas Reed, a researcher at Malwarebytes, told the publication.
“I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad bad,” said Reed. “Anyone who hasn’t yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue.”
It’s not exactly clear how many users have been affected by this particular bug, as there’s no data on how many people installed the patch prior to upgrading to the latest version of High Sierra.
Aside from being forced to apologise to users over the password bug, Apple has also faced criticism after malicious code was discovered hiding on the High Sierra OS shortly after its launch, thought to be capable of stealing the contents of a user’s keychain without a password.