macOS High Sierra 10.13.1 Update Can Break the Root Password Security Patch, Here’s How to Fix it

Terminal showing Security Update 2017-001 installed on macOS High Sierra 10.13.1

Apple’s macOS High Sierra root password bug is pretty serious, and if you update to version 10.13.1 from 10.13 after installing the patch you may undo the the security fix. Here’s how to make sure you’re really protected from the bug.

The macOS High Sierra root password bug is a pretty serious security breach because it lets anyone log into your Mac as the root user without a password. When you’re logged in as root you have access to everything on the computer, can add and remove software without restrictions, and can delete user accounts.

Apple fixed the security flaw with the Security Update 2017-001 patch, but apparently hasn’t replaced its macOS High Sierra 10.13.1 updater to include it. The end result is if you install the patch while running macOS 10.13, and then update to 10.13.1, you can reintroduce the security flaw.

Here’s how to verify if the security patch is installed on your Mac after updating to macOS High Sierra 10.13.1:

  • Go to the Utilities folder in Applications and launch Terminal
  • Enter this command, them press Return: what /usr/libexec/opendirectoryd
  • If the security patch is installed Terminal will respond with opendirectoryd-483.20.7
Terminal showing Security Update 2017-001 installed on macOS High Sierra 10.13.1
Good news! Security Update 2017-001 is installed on my Mac.

If you see a lower number the security update isn’t in place. To reinstall Security Update 2017-001 in macOS High Sierra 10.13.1 go to Apple menu > Software Update and look to see if the updater is listed. If so, install it right away.

If you don’t see the security patch in Software Update, go to Apple’s webpage for the security update and download it from there. You’ll need to double-click the installer after downloading so it can patch macOS High Sierra for you.

4 thoughts on “macOS High Sierra 10.13.1 Update Can Break the Root Password Security Patch, Here’s How to Fix it

  • I normally don’t wish ill on anyone…but,
    The people in charge of OSs and Software need to have some very tense meetings.
    Someone from on high needs to land on the whole department with both feet. This kind of a FU is simply not acceptable. Certainly not for a company that prides itself on protecting customer data the way Apple does. If one of the programmers where I work blew it this bad they’d get their walking papers, and I work for a small company. It’s even worse for the OS of a major hardware company like Apple. If it happened because they were getting pressure to ship and were forced to cut corners, that has to stop today. The software people have to have final say on when their product ships and they need to have the authority and processes in place to make it so. As I said last week, the best hardware in the world is useless if the software is bad.

  • Apple fixed the security flaw with the Security Update 2017-001 patch, but apparently hasn’t replaced its macOS High Sierra 10.13.1 updater to include it. The end result is if you install the patch while running macOS 10.13, and then update to 10.13.1, you can reintroduce the security flaw.

    Jeff:

    As I’m sure you’re aware, this is a pretty serious assertion. Is this merely cautionary speculation, or do we know that Apple have definitely not incorporated the security patch into the OS update?

    If it’s the latter, then this would qualify as SUSFU.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.