A couple of days ago I posted on the #iamroot vulnerability. It’s now been fixed by Apple (yay!), but the fix then broke something else (boo!).
See below for a round up & some more detail on the above.
What happened?
If you’ve been under a rock, please see my note on the #iamroot vulnerability.
There is also a MacAdm Podcast episode on this vulnerability.
What really happened?
The fine folks over at Objective-See have a great breakdown of what really seems to have happened.
Mitigation
As mentioned in my note on the #iamroot vulnerability, Rich Trouton has a post to mitigate this vulnerability.
Update
Apple released 2017-001 to address the #iamroot vulnerability, & hit the “critical” button to push it to devices.
Fix Attempt 1
The “original” update applied to 10.13.1 & changed the build number to 17B1002.
File Sharing, whoops
This original fix, however, seems to have broken file sharing for some as per the following article: https://support.apple.com/en-us/HT208317
Fix Attempt 2
As per the above, Apple re-released 2017-001 with an updated KB: https://support.apple.com/en-gb/HT208315
This changes 10.13.1’s build number to 17B1003.
Confirmation
Apple have some details at the bottom of https://support.apple.com/en-gb/HT208315 advising how to check to see if a device has received the patch:
To confirm that your Mac has Security Update 2017-001:
1. Open the Terminal app, which is in the Utilities folder of your Applications folder.
2. Type what /usr/libexec/opendirectoryd and press Return.
3. If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
- opendirectoryd-483.1.5 on macOS High Sierra 10.13
- opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
Detection
Further to the above, as the build numbers have changed, something like the following: https://macmule.com/2015/03/11/security-update-2015-002-mach_kernel-file-visibility/ could be employed to check the device’s state with regard to the above updates.
- 17B1002: 10.13.1 “original update” has been installed, & the device might therefore have the file sharing issue, which needs the following to be applied: https://support.apple.com/en-us/HT208317
- 17B1003: 10.13.1 “re-issued update” has been installed & so no further action needed.
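One way to script the check described above, combining the build number with Apple's opendirectoryd confirmation step. This is an added example, not code from this post or the linked one; the function names are hypothetical, and the sample `what` output is constructed, with its layout being an assumption.

```sh
#!/bin/sh
# Added example. Build numbers and opendirectoryd project versions are the
# ones quoted in this post; everything else is illustrative.

# Map a 10.13.1 build number to the 2017-001 state described above.
classify_build() {
    case "$1" in
        17B1002) echo "original-update" ;;  # file sharing may need HT208317
        17B1003) echo "reissued-update" ;;  # no further action needed
        *)       echo "other-build" ;;      # neither 2017-001 build of 10.13.1
    esac
}

# Given the OS version and the text printed by `what /usr/libexec/opendirectoryd`,
# report whether the patched project version for that OS is present.
classify_opendirectoryd() {
    case "$1" in
        10.13)   want="opendirectoryd-483.1.5" ;;
        10.13.1) want="opendirectoryd-483.20.7" ;;
        *)       echo "not-applicable"; return 0 ;;
    esac
    # Split on spaces, tabs and colons, then compare whole tokens, so that
    # e.g. 483.20.70 is not accepted as 483.20.7.
    if printf '%s\n' "$2" | tr ' \t:' '\n\n\n' | grep -Fxq "$want"; then
        echo "patched"
    else
        echo "not-confirmed"
    fi
}

# One line per device: "<os> <build> <build state> <opendirectoryd state>"
device_state() {
    echo "$1 $2 $(classify_build "$2") $(classify_opendirectoryd "$1" "$3")"
}

# Constructed sample of `what` output (layout is an assumption).
SAMPLE_WHAT='/usr/libexec/opendirectoryd
    PROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7'

if command -v sw_vers >/dev/null 2>&1 && command -v what >/dev/null 2>&1; then
    # On a Mac: query the live system.
    device_state "$(sw_vers -productVersion)" "$(sw_vers -buildVersion)" \
        "$(what /usr/libexec/opendirectoryd)"
else
    # Elsewhere: run against the constructed sample.
    device_state "10.13.1" "17B1003" "$SAMPLE_WHAT"
fi
```

A device reporting `original-update` is the one to follow up on for the file sharing fix; `not-confirmed` on 10.13 or 10.13.1 means the patched opendirectoryd version was not seen.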
Postinstall Actions
2017-001 disables the root account, so if you’re enabling this (why?), you’ll need to re-enable the account after the update: https://support.apple.com/en-us/HT204012