A software fix Apple released to close a serious Mac security bug may not have fixed the problem on some machines.
The bug meant anyone with physical access to a Mac running High Sierra could get admin access to the machine.
Wired magazine has found that the bug returns if Mac owners upgrade to the latest version of High Sierra (10.13.1) after applying the patch.
Apple issued an apology for the bug, saying its users “deserved better”.
The bug let anyone obtain high-level access to a Mac simply by typing the username “root” and leaving the password field blank.
The problem was present on Mac computers running versions 10.13 and 10.13.1 of Apple’s latest operating system, known as High Sierra.
Apple produced a patch to close the loophole less than a day after it was first reported.
Now it has emerged that the order in which people installed updates and patches on their Mac can leave the problem unfixed.
The bug would still be present on a Mac that:
- was running High Sierra 10.13
- applied the security patch
- upgraded to High Sierra 10.13.1
- had not been rebooted
“You could easily have someone who doesn’t reboot their computer for months,” Thomas Reed, a security researcher at Malwarebytes, told Wired. “That’s not a good thing.”
Writing in Wired, Andy Greenberg said it was “not clear” how many users might be exposed by this particular set of circumstances.
Apple has yet to respond to a request for comment about the circumstances under which the root bug would reappear.
However, Apple’s support page about the loophole stresses the importance of making sure that the security patch is “applied properly”.
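The four conditions listed above, together with Apple’s advice that the patch be “applied properly”, translate into a short audit a Mac administrator can run on a machine they are unsure about. The script below is an added example written for this article; it is not code from the article, from Wired or from Apple. It checks the reported macOS version against the two affected releases, reads the root account’s AuthenticationAuthority attribute with dscl to see whether root is enabled, and looks for the patch in the install history. The patch name “Security Update 2017-001”, the exact dscl output strings and the boot-time hint are assumptions made here, not facts stated on the page, and the verdict is a triage label: the article’s fourth condition (no reboot since the patch) still has to be confirmed by comparing the boot time with the patch’s install date.

```shell
#!/bin/sh
# Added example: audit a Mac for the High Sierra root-login state described
# in the article. Not Apple's code. The helper functions take text as input
# so they can also be run off-box against outputs captured from a machine.

# Affected releases named in the article: 10.13 and 10.13.1.
affected_version() {
  case "$1" in
    10.13|10.13.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Decide from `dscl . -read /Users/root AuthenticationAuthority` output
# whether root is enabled. Assumption (not from the article): a root account
# that was never enabled yields "No such key", one disabled with dsenableroot
# carries ";DisabledUser;", and an enabled root carries an
# AuthenticationAuthority value.
root_enabled() {
  case "$1" in
    *"No such key"*|*";DisabledUser;"*) return 1 ;;
    *AuthenticationAuthority:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Look for the patch in `system_profiler SPInstallHistoryDataType` output.
# Assumption: Apple's fix is listed as "Security Update 2017-001".
patch_in_history() {
  case "$1" in
    *"Security Update 2017-001"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Combine the three signals into a one-word triage label:
#   ok            - not an affected release
#   exposed       - affected release and the patch is not in the history
#   review_root   - patch present but root is enabled: confirm root has a
#                   password set rather than a blank one
#   review_reboot - patch present, root disabled: confirm the machine was
#                   rebooted after the patch and after any 10.13.1 upgrade
verdict() {
  ver="$1"; dscl_out="$2"; hist="$3"
  if ! affected_version "$ver"; then
    echo ok
  elif ! patch_in_history "$hist"; then
    echo exposed
  elif root_enabled "$dscl_out"; then
    echo review_root
  else
    echo review_reboot
  fi
}

# Collect the live inputs on a Mac (run with sudo so dscl can read the
# attribute) and print the boot time so the reboot condition can be checked
# against the patch's "Install Date" line in the install history.
audit_mac() {
  ver="$(sw_vers -productVersion)"
  dscl_out="$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
  hist="$(system_profiler SPInstallHistoryDataType 2>/dev/null)"
  echo "macOS $ver"
  echo "boot time: $(sysctl -n kern.boottime)"
  echo "patch lines:"
  printf '%s\n' "$hist" | grep -A3 "Security Update 2017-001" || echo "  (none found)"
  echo "verdict: $(verdict "$ver" "$dscl_out" "$hist")"
}

# Only the live audit is macOS-specific; the helpers above run anywhere.
if [ "$(uname)" = "Darwin" ]; then audit_mac; fi
```

A `review_reboot` result on an affected release is the case the article describes: the patch is recorded as installed and root looks disabled, yet the machine may still be exposed if 10.13.1 was installed after the patch and the Mac has not been restarted since. Compare the printed boot time with the patch’s install date before treating the machine as fixed.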