Addressing macOS High Sierra Vulnerability

Thanks Jake!

Are you doing anything to force this update?

From apple's official comments spreading, it also sounds like they're going to be forcing this update.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

Also of note, if you see issues mounting SMB shares after applying this gem, you may need to run this fix:

Repair file sharing after Security Update 2017-001 for macOS High Sierra 10.13.1

sudo /usr/libexec/configureLocalKDC

Just discovered this as well:

After applying the patch and sudo /usr/libexec/configureLocalKDC command, I am unable to create a new user from admin acct. This is on two different Macs running 10.13.1. Have to check what else seems busted now...

Awesome post @jake, thanks!

"starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra."

does this mean apple will automatically apply it or does the end user have to install updates?

Is it easier in JAMF to apply the patch or just disable root or change root password?

Yep it means that apple forced it upon your machines.. and then re-force dit when they had a 2nd patch to fix an error on the first patch. It also includes 10.13 machines.

Beta's are still unpatched... which goes without saying don't run a beta in production ;)

at this point i don't feel you'd have to do anything in jamf

Seems the beta feeds are down anyway. So much for testing provisioning today!

Not sure build number is the right way to go..Apple article HT208315 says to use "project version" of opendirectoryd (what /usr/libexec/opendirectoryd), so we set up an EA to pull the version and go from there:

#!/bin/sh

odVersion=$( what /usr/libexec/opendirectoryd | awk '{ print $2 }' | cut -f2 -d "-" | tr -d "
" )

echo "<result>${odVersion}</result>"

This EA will also work as a very temporary solution until Apple releases a new version. The above EA from @donmontalvo is much better. I was just playing around with this EA and it more or less does the job.

#!/bin/sh

# If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
# opendirectoryd-483.1.5 on macOS High Sierra 10.13
# opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
# https://support.apple.com/en-us/HT208315
# Get the version
version=$(what /usr/libexec/opendirectoryd | grep PROJECT | cut -d: -f3)
if [[ "$version" == opendirectoryd-483.20.7 ]] || [[ opendirectoryd-483.1.5 ]]
then
echo "<result>Compliant</result>"
else
echo "<result>Not Compliant</result>"
fi

Sorry for my ignorance, but where do I go to find the results?

Also- how do I customize this EA to find out if Security Update 2017-002 has been updated on Sierra OS's? We currently don't have users using High Sierra yet.

Ideally, I would like to be able to force this update on everybody.

https://support.apple.com/en-us/HT208331

A

@ryan.er - I saw this on Slack today regarding this.
Not my setup, but one that was shown as being used.

does not have com.apple.pkg.update.os.SecUpd2017-002Sierra.16G1114 and/or does not have com.apple.pkg.update.os.SecUpd2017-005ElCapitan.15G18013