#imaroot – it’s fixed, somethings broken, fixed that now too

Standard

A couple of days ago I posted on the #iamroot vulnerability, well it’s now been fixed by Apple (yay!), but this then broke something else (boo!).

See below for a round up & some more detail on the above.

What happened?

If you’ve been under a rock, please see my note on the #iamroot vulnerability.

There is also a MacAdm Podcast episode on this vulnerability too.

What really happened?

The fine folks over at Objective-See have a great breakdown of what really seems to have happened.

Mitigation

As mentioned in my note on the #iamroot vulnerability, Rich Trouton has a post to mitigate this vulnerability.

Update

Apple released 2017-001 to address the issue the #iamroot vulnerability, & Apple hit the “critical” button on to push to devices.

Fix Attempt 1

The “original” update applied to 10.13.1 & changed the build number to 17B1002.

File Sharing, whoops

This original fix, however, seems to have broken file sharing for some as per the following article: https://support.apple.com/en-us/HT208317

Fix Attempt 2

As per the above, Apple re-released 2017-001 with an update KB: https://support.apple.com/en-gb/HT208315

This changes 10.13.1’s build number to 17B1003.

Confirmation

Apple have some details at the bottom of https://support.apple.com/en-gb/HT208315 advising how to check to see if a device has received the patch:

To confirm that your Mac has Security Update 2017-001:
1. Open the Terminal app, which is in the Utilities folder of your Applications folder.
2. Type what /usr/libexec/opendirectoryd and press Return. 3. If Security Update 2017-001 was installed successfully, you will see one of these project version numbers: opendirectoryd-483.1.5 on macOS High Sierra 10.13 opendirectoryd-483.20.7 on macOS High Sierra 10.13.1

Detection

Further to the above, as the build numbers have changed, something like the following: https://macmule.com/2015/03/11/security-update-2015-002-mach_kernel-file-visibility/ could be employed check the devices state in regards to the above updates.

  • 17B1002: 10.13.1 “original update” has been installed, & therefore might have an issue with file sharing needing the following to be applied: https://support.apple.com/en-us/HT208317
  • 17B1003: 10.13.1 “re-issued update” has been installed & so no further action needed.

Postinstall Actions

2017-001 disables the root account, so if you’re enabling this (why?), you’ll need to re-enable the account after the update: https://support.apple.com/en-us/HT204012

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.