
Report to see who has installed today’s fix for the root vulnerability?

What’s the best way to do this? Apple pushed out the fix just now. How can I tell which of my Macs has installed it?

SOLVED Posted: 11/29/17 at 10:30 AM by irobinso

Assuming that your Macs have submitted inventory, you can look for High Sierra build 17B1002.

Source: https://support.apple.com/en-us/HT208315

SOLVED Posted: 11/29/17 at 10:36 AM by john.sherrod

Thanks!

SOLVED Posted: 11/29/17 at 10:58 AM by isterling.goaaa

@irobinso Thanks for that information. Fortunately, none of our Macs are running that build yet.

Does anybody know how to disable the App Store so that my users don't accidentally install this update?

SOLVED Posted: 11/29/17 at 11:02 AM by mm2270

@isterling.goaaa Say what?? Why would you not want to have this update installed? It fixes a major security issue in 10.13.x that allows trivial access to the root account. Not understanding. :-/

SOLVED Posted: 11/29/17 at 11:04 AM by prodservices

Just make the High Sierra installer restricted software if your clients are not @ 10.13.x yet. Don't disable the App Store.

SOLVED Posted: 11/29/17 at 11:06 AM by prodservices

@mm2270 I think @isterling.goaaa meant none of his clients are running High Sierra yet, or at least that's how I interpreted it.

SOLVED Posted: 11/29/17 at 11:11 AM by DylanMurphy

I have 23 computers running the exploitable version. I'm just waiting for Apple to publish the PKG file so I can push it via a policy.

SOLVED Posted: 11/29/17 at 11:18 AM by isterling.goaaa

Maybe I misunderstood... It's build 17B1002 that is affected, yes? If so, why would I want to install a security update that opens a great big hole on my systems? Currently, none of us running 17B48 in my office (there are four of us out of 120 deployed machines running High Sierra) seem to be affected by this issue ... or at least we're unable to replicate it.

SOLVED Posted: 11/29/17 at 11:20 AM by irobinso

@isterling.goaaa , 17B1002 fixes an issue that is present in all High Sierra versions before it, it doesn't introduce the issue.

SOLVED Posted: 11/29/17 at 11:20 AM by mm2270

See the post here for the downloadable package.

It shows up in the App Store on a 10.13.1 system, but it shows up rather strangely in the softwareupdate command line.

SOLVED Posted: 11/29/17 at 11:23 AM by isterling.goaaa

@irobinso ok, thanks for the clarification. I'll grab it and push it out.

SOLVED Posted: 11/29/17 at 11:27 AM by geekyink
SOLVED Posted: 11/29/17 at 11:31 AM by DylanMurphy

@geekyink wrong OS... published back on Oct 31 2017

SOLVED Posted: 11/29/17 at 11:35 AM by geekyink

@DylanMurphy There goes Apple naming updater .pkg's the same again.... https://support.apple.com/en-us/HT208315

SOLVED Posted: 11/29/17 at 11:43 AM by DylanMurphy

@geekyink Yeah, I downloaded that package and pushed it to my test computer. When it failed I realized that it was the wrong package because it complained about needing OS 10.12. Very annoying!

SOLVED Posted: 11/29/17 at 11:46 AM by timlarsen

And..... for once the Security Update DOESN'T REQUIRE A REBOOT!!!!! Yay!

SOLVED Posted: 11/29/17 at 11:57 AM by cashman.tech

@geekyink & @DylanMurphy - Does anyone have the .pkg file to push or have another work around then?

SOLVED Posted: 11/29/17 at 12:10 PM by DylanMurphy

@cashman.tech Not yet. I'm still waiting for the Apple official version. I found this but I'm not sure how much I trust it. https://twitter.com/_inside/status/935910171888508929

SOLVED Posted: 11/29/17 at 12:11 PM by isterling.goaaa

I downloaded the 10.13.1 Supplemental update in dmg format and was unable to install it locally onto my machine either by policy or just simply running the package. Any suggestions?

SOLVED Posted: 11/29/17 at 12:12 PM by mm2270

@cashman.tech Use this link
It's a direct download from Apple's swcdn, not from an article on their site, but it's the real thing, as the certificate verifies it's from Apple.

The best thing would be for Apple to publish it as a standalone download from a posting on their support site. I don't see one out there yet, but hopefully they will do that soon.

SOLVED Posted: 11/29/17 at 12:19 PM by DylanMurphy

@mm2270 Awesome!! How did you see the certificate?

SOLVED Posted: 11/29/17 at 12:20 PM by isterling.goaaa

I found the DMG of the supplemental update here, but the .pkg file within didn't want to run on my Mac.

SOLVED Posted: 11/29/17 at 12:30 PM by mm2270

@DylanMurphy When you get the pkg install, double click it to open it in Installer.app. Before clicking any buttons, there's a lock icon in the upper right hand corner of the Installer window. Click that to see the certificate chain.
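
A command-line counterpart to the Installer.app lock-icon check, useful before a package is pushed by policy (an added example, not part of the original post). It assumes `pkgutil --check-signature` output in the shape of the constructed sample below; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate a downloaded update pkg on its signature before deploying it.

# Constructed sample in the shape of `pkgutil --check-signature` output
# (fingerprint and expiry lines omitted).
SAMPLE_SIG='Package "macOSUpd10.13.1Supplemental.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
    2. Apple Software Update Certification Authority
    3. Apple Root CA'

# Print the text of the Status: line from the output in $1.
sig_status() {
    printf '%s\n' "$1" | sed -n 's/^ *Status: *//p' | head -n 1
}

# Print the numbered certificate names, leaf first, joined with " > ".
sig_chain() {
    printf '%s\n' "$1" | sed -n 's/^ *[0-9][0-9]*\. *//p' |
        paste -sd'>' - | sed 's/>/ > /g'
}

# Return 0 only for a package signed as Apple software that chains to Apple Root CA.
is_apple_signed() {
    [ "$(sig_status "$1")" = "signed Apple Software" ] || return 1
    case $(sig_chain "$1") in
        *" > Apple Root CA") return 0 ;;
        *) return 1 ;;
    esac
}

# On a Mac: verify_pkg /path/to/update.pkg (non-zero means do not deploy).
verify_pkg() {
    out=$(pkgutil --check-signature "$1") || return 1
    is_apple_signed "$out"
}
```

A Developer ID or unsigned package fails this check, which is the point when the file claims to be an Apple update but did not come from an Apple support article.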

SOLVED Posted: 11/29/17 at 12:50 PM by DylanMurphy

@mm2270 Perfect, thanks! @isterling.goaaa I'm getting the same error when trying to push via JSS.

SOLVED Posted: 11/29/17 at 12:55 PM by emily

FWIW, it looks like the receipt for the update is com.apple.pkg.update.os.10.13.1Supplemental.17B1002.

For those looking for reporting around it being installed, you can use that receipt for a smart group. Probably need to give machines time to check in for inventory to get a real idea, though.

SOLVED Posted: 11/29/17 at 1:34 PM by timlarsen

For anyone looking for standalone, it's there, but takes some digging (as in, it's not featured): https://support.apple.com/kb/DL1942?viewlocale=en_US&locale=en_US

SOLVED Posted: 11/30/17 at 1:33 AM by donmontalvo

FWIW, a 2017 MacBook Touch ID model laptop is showing 17B1003, in case anyone is using build number to determine if the fix is applied.

SOLVED Posted: 11/30/17 at 5:54 AM by rich.thomas

Has it broken the ability to create an admin account for anyone else?

SOLVED Posted: 11/30/17 at 6:26 AM by adhuston

Yep, it's broken for me as well:

SOLVED Posted: 11/30/17 at 7:37 AM by jhalvorson

Agree, since installing the second release of the Security Update 2017-001, which results in 10.13.1 build 17B1003, our local admin account cannot create standard or admin accounts via System Preferences >> Users & Groups.
Also fails when logging in with a mobile (AD) Admin account and trying the same steps to create an account.

Both types of accounts can be successfully added using Casper Remote (9.101.0).

SOLVED Posted: 11/30/17 at 7:46 AM by grahamrpugh

FWIW I am able to create a new admin account after the patch.

SOLVED Posted: 11/30/17 at 7:50 AM by PhillyPhoto

@donmontalvo How come I can never see the build number in my "About This Mac" windows?

@rich.thomas I can't create an admin user through the System Preferences either, but I was able to login with an LDAP account that's in the admin group and it made the account an admin. So it appears to be just something with the GUI.

What are people installing to get 17B1003? I've re-downloaded 2017-001 for 10.13.1 and it still installs 17B1002. The other 2017-001 update only works for 10.13.0 it appears.

SOLVED Posted: 11/30/17 at 7:55 AM by grahamrpugh

@PhillyPhoto you have to click your mouse on the Version number to see the Build number.

SOLVED Posted: 11/30/17 at 8:01 AM by PhillyPhoto

@grahamrpugh I learned something new today!

On a side note, the App Store update brings it to 17B1003, but not the dmg download.

SOLVED Posted: 11/30/17 at 8:07 AM by irobinso

To those having issues creating admin accounts (@rich.thomas, @PhillyPhoto, @adhuston), I had the same issue at first but it worked normally after a reboot. Have you tried that already?

SOLVED Posted: 11/30/17 at 8:22 AM by tranatisoc

It does appear this update required a reboot after all for creating new accounts to work.

SOLVED Posted: 11/30/17 at 8:23 AM by PhillyPhoto

@irobinso The reboot worked for me.

SOLVED Posted: 11/30/17 at 8:34 AM by emily

The receipt for the second update is com.apple.pkg.update.os.10.13.1Supplemental.17B1003. I'm not sure if there is a separate update for 10.13 (meaning, if the update installer is unique to 10.13 with a unique receipt name) as I haven't seen a 10.13.0 machine with any comparable receipt listed so far. If someone has a 10.13.0 machine that has gotten a security update and wants to share the receipt name I'm sure that'd help folks out.

SOLVED Posted: 11/30/17 at 8:35 AM by adhuston

From what I can see on my 10.13.0 machines the receipt is com.apple.pkg.update.os.10.13Supplemental.17A501.

SOLVED Posted: 11/30/17 at 9:51 AM by mm2270

Not sure if it's been mentioned elsewhere already, but in case not, the 10.13.x patch (Build 17B1003 for 10.13.1, Build 17A501 for 10.13.0) can be downloaded from here https://support.apple.com/kb/DL1943?viewlocale=en_US&locale=en_US

The pkg itself is labeled "macOSUpd10.13Supplemental.pkg" as opposed to yesterday's earlier version which was "macOSUpd10.13.1Supplemental.pkg"

I'll be testing it out shortly on some 10.13.x systems.

SOLVED Posted: 11/30/17 at 10:25 AM by PhillyPhoto

@mm2270 When I run that second package on a 10.13.1 device with 17B1002, I get the following error:

This package runs fine on 10.13.0 but doesn't change the build version at all. It does appear to change the opendirectoryd utility as described here: https://support.apple.com/en-gb/HT208315.

I've created an EA (see below) based on the above link to check the version number of opendirectoryd since the inventory doesn't collect this information. I have created an FR for this though.

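#!/bin/sh
# Extension attribute: report the opendirectoryd project version.
# `what` prints a tab-indented line of the form "PROGRAM:opendirectoryd  PROJECT:opendirectoryd-<version>";
# matching on "PROGRAM:" avoids depending on a literal tab inside the grep pattern.
VERSION=$(what /usr/libexec/opendirectoryd | grep "PROGRAM:" | awk '{print $2}' | sed 's/PROJECT:opendirectoryd-//g')

echo "<result>$VERSION</result>"
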
SOLVED Posted: 11/30/17 at 10:33 AM by emily

If you've noticed that you are unable to add admin accounts after this update without a reboot, and you have some kind of support agreement with Apple, or want to file a RADAR, please do. This seems to be news to them based on our interactions and I think more customers reporting the issue will help them get it on their… radar?

SOLVED Posted: 11/30/17 at 10:33 AM by lpadmin

So I run the update software policy on a 10.13.1 computer and it updated the computer to build 17B1003. Then had the policy run a couple more times and it acts like the computer is up to date. From what I understand 17B1003 should fix the root issue. But I can still use root sans password to unlock admin rights. Am I missing something here?

Here is a link to my video.

https://photos.app.goo.gl/TloVSLBHkr2vZIXy2

SOLVED Posted: 11/30/17 at 10:59 AM by alexjdale

@lpadmin, if you tried out the bug previously, I think it enabled root with a blank password. I don't think the update addresses that, just the bug that allowed it to happen. So you might be testing it now and it works because the root account is active, not because of the escalation bug.

SOLVED Posted: 11/30/17 at 11:10 AM by PhillyPhoto

@alexjdale The article for the fix implies the opposite:

"If you require the root user account on your Mac, you will need to re-enable the root user and change the root user's password after this update."

SOLVED Posted: 11/30/17 at 11:14 AM by alexjdale

Ah yeah, you are right about that. I'd consider that to be a problem then, but we're pushing root password changes because this can't happen again, ever. Or else it's shame on me.

SOLVED Posted: 11/30/17 at 11:25 AM by mm2270

@PhillyPhoto Thanks for the follow up. It looks like I was mistaken. The "10.13Supplemental" patch seems to be ONLY for 10.13.0 systems and yesterday's "10.13.1Supplemental" is ONLY for 10.13.1 systems, just as the names actually imply. I was under the impression the 10.13 one would work for both, but it does not. I just tried installing it on an un-patched 10.13.1 machine and I get the same error.
Running yesterday's 10.13.1Supplemental patch on it works though.

It updated the Build on my 10.13.1 test Mac to 17B1002. I have to see if I have a 10.13.0 machine I can access to run the patch against to see how the build reflects afterward.

I don't know why Apple wasn't able to issue a single patch to handle both versions of the OS, but oh well. I get the distinct impression this entire thing was seriously rushed out the door.

SOLVED Posted: 11/30/17 at 12:20 PM by chris.kemp

Happening to me too...<expletive expletive>!!

I've filed a ticket with Enterprise Support to add our names to the list...

SOLVED Posted: 11/30/17 at 12:38 PM by chris.kemp

UPDATE - Support got back to me right away, saying 1. they're tracking the issue, and 2. You can fix it by rebooting.

SOLVED Posted: 11/30/17 at 12:49 PM by mm2270

Yeah, I can confirm that a reboot is needed to get back the ability to create admin accounts in the GUI. I just get a System Preferences error and it exits out of Sys Prefs otherwise. It's only a GUI issue though. You can still create an admin user using sysadminctl FWIW.

SOLVED Posted: 12/1/17 at 9:10 AM by cddwyer

This will check it for sure:

#!/bin/bash
# Read the version strings embedded in the opendirectoryd binary.
openDV=$(what /usr/libexec/opendirectoryd)
# Count fixed-string matches for the two patched versions (-F keeps the dots literal).
isRUI=$(echo "$openDV" | grep -cF 'opendirectoryd-483.1.5')
isRUIP1=$(echo "$openDV" | grep -cF 'opendirectoryd-483.20.7')
if [[ $isRUI -gt 0 ]]; then
    echo "Root security update IS installed"
elif [[ $isRUIP1 -gt 0 ]]; then
    echo "Root update IS installed"
else
    echo "Root update missing, please update immediately!"
fi

exit 0

Hope that helps.
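
The signals discussed in this thread (build number, update receipt, opendirectoryd version) combined into one extension attribute, as an added example that is not part of any post above. The opendirectoryd version decides the verdict because the thread shows builds and receipts differing by install path; the function names are hypothetical, and the 17A/17B build-prefix scoping is an assumption drawn from the builds quoted here.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the fix signals named above.
FIXED_OD="483.1.5 483.20.7"   # opendirectoryd versions quoted in the thread
FIXED_RECEIPTS="com.apple.pkg.update.os.10.13Supplemental.17A501
com.apple.pkg.update.os.10.13.1Supplemental.17B1002
com.apple.pkg.update.os.10.13.1Supplemental.17B1003"
# Constructed sample of `what /usr/libexec/opendirectoryd` output.
SAMPLE_WHAT=$(printf '/usr/libexec/opendirectoryd\n\tPROGRAM:opendirectoryd  PROJECT:opendirectoryd-483.20.7')

# Print the opendirectoryd project version found in `what` output ($1).
od_version() {
    printf '%s\n' "$1" | sed -n 's/.*PROJECT:opendirectoryd-\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the first fix receipt present in a `pkgutil --pkgs` listing ($1).
fix_receipt() {
    for r in $FIXED_RECEIPTS; do
        if printf '%s\n' "$1" | grep -qxF "$r"; then
            printf '%s\n' "$r"
            return 0
        fi
    done
}

# root_fix_status BUILD WHAT_OUTPUT PKG_LIST: print a one-line verdict.
root_fix_status() {
    case $1 in
        17A*|17B*) ;;  # assumption: 17A = 10.13.0, 17B = 10.13.1, per the builds above
        *) echo "Out of scope (build $1)"; return 0 ;;
    esac
    ver=$(od_version "$2")
    receipt=$(fix_receipt "$3")
    for v in $FIXED_OD; do
        if [ "$ver" = "$v" ]; then
            echo "Patched (opendirectoryd-$ver, receipt ${receipt:-none})"
            return 0
        fi
    done
    if [ -n "$receipt" ]; then
        echo "Verify (receipt $receipt, but opendirectoryd-${ver:-unknown})"
    else
        echo "Not patched (opendirectoryd-${ver:-unknown})"
    fi
}

# On a Mac, emit the extension attribute result; skipped where the tools are absent.
if command -v sw_vers >/dev/null 2>&1 && command -v pkgutil >/dev/null 2>&1; then
    echo "<result>$(root_fix_status "$(sw_vers -buildVersion)" "$(what /usr/libexec/opendirectoryd)" "$(pkgutil --pkgs)")</result>"
fi
```

A smart group can then match on results beginning with "Not patched" or "Verify" rather than on a single build number.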