Report to see who has installed today’s fix for the root vulnerability?

john_sherrod
Contributor II

What’s the best way to do this. Apple pushed out the fix just now. How can I tell which of my Macs has installed it?

51 REPLIES 51

irobinso
New Contributor III

Assuming that your Macs have submitted inventory, you can look for High Sierra build 17B1002.

Source: https://support.apple.com/en-us/HT208315

john_sherrod
Contributor II

Thanks!

isterling_goaaa
New Contributor III

@irobinso Thanks for that information. Fortunately, none of our macs are running that build yet.

Does anybody know how to disable the App Store so that my users don't accidentally install this update?

mm2270
Legendary Contributor III

@isterling.goaaa Say what?? Why would you not want to have this update installed? It fixes a major security issue in 10.13.x that allows trivial access to the root account. Not understanding. :-/

prodservices
New Contributor III

Just make the High Sierra installer restricted software if your clients are not @ 10.13.x yet. Don't disable the App Store.

prodservices
New Contributor III

@mm2270 I think @isterling.goaaa meant none of his clients are running High Sierra yet, or at least that's how I interpreted it.

Dylan_YYC
Contributor III

I have 23 computers running the exploitable version. Im just waiting for Apple to publish the PKG file so i can push it via a policy.

isterling_goaaa
New Contributor III

Maybe I misunderstood... It's build 17B1002 that is affected, yes? If so, why would I want to install a security update that opens a great big hole on my systems? Currently, none of us running 17B48 in my office (there are four of us out of 120 deployed machines running High Sierra) seem to be affected by this issue ... or at least we're unable to replicate it.

irobinso
New Contributor III

@isterling.goaaa , 17B1002 fixes an issue that is present in all High Sierra versions before it, it doesn't introduce the issue.

mm2270
Legendary Contributor III

See the post here for the downloadable package.

It shows up in the App Store on a 10.13.1 system, but it shows up rather strangely in the softwareupdate command line.

isterling_goaaa
New Contributor III

@irobinso ok, thanks for the clarification. I'll grab it and push it out.

geekyink
New Contributor II

Dylan_YYC
Contributor III

@geekyink wrong OS... published back on Oct 31 2017

geekyink
New Contributor II

@DylanMurphy There goes Apple naming updater .pkg's the same again.... https://support.apple.com/en-us/HT208315

Dylan_YYC
Contributor III

@geekyink yeah, i downloaded that package and pushed it to my test computer. When it failed it realized that it was the wrong package because it complained about needing OS 10.12. Very annoying!

timlarsen
Contributor

And..... for once the Security Update DOESN'T REQUIRE A REBOOT!!!!! Yay!

cashman
New Contributor II

@geekyink & @DylanMurphy - Does anyone have the .pkg file to push or have another work around then?

Dylan_YYC
Contributor III

@cashman.tech Not yet. i'm still waiting for the Apple official version. i found this but i'm not sure how much i trust it. https://twitter.com/_inside/status/935910171888508929

isterling_goaaa
New Contributor III

I downloaded the 10.13.1 Supplimental update in dmg format and was unable to install it locally onto my machine either by policy or just simply running the package. Any suggestions?

mm2270
Legendary Contributor III

@cashman.tech Use this link
It's a direct download from Apple's swcdn, not from an article on their site, but it's the real thing, as the certificate verifies it's from Apple

06d2201fd89243e1b69353c8a865b233

The best thing would be for Apple to publish it as a standalone download from a posting on their support site. I don't see one out there yet, but hopefully they will do that soon.

Dylan_YYC
Contributor III

@mm2270 Awesome!! how did you see the certificate?

isterling_goaaa
New Contributor III

I found the DMG of the supplemental update here, but the .pkg file within didn't want to run on my mac.

mm2270
Legendary Contributor III

@DylanMurphy When you get the pkg install, double click it to open it in Installer.app. Before clicking any buttons, there's a lock icon in the upper right hand corner of the Installer window. Click that to see the certificate chain.

Dylan_YYC
Contributor III

@mm2270 perfect thanks! @isterling.goaaa im getting the same error when trying to push via JSS

emily
Valued Contributor III
Valued Contributor III

FWIW, it looks like the the receipt for the update is com.apple.pkg.update.os.10.13.1Supplemental.17B1002.

For those looking for reporting around it being installed, you can use that receipt for a smart group. Probably need to give machines time to check in for inventory to get a real idea, though.

timlarsen
Contributor

For anyone looking for standalone, it's there, but takes some digging (as in, it's not featured): https://support.apple.com/kb/DL1942?viewlocale=en_US&locale=en_US

donmontalvo
Esteemed Contributor III

FWIW, a 2017 MacBook Touch ID model laptop is showing 17B1003, in case anyone is using build number to determine if the fix is applied.

702971f2c11148e2a7151f289278b341

--
https://donmontalvo.com

rich_thomas
New Contributor III

Has it broken the ability to create an admin account for anyone else?

adhuston
Contributor

Yep, it's broken for me as well:
b8cc990fa4d04006bf770e6f64de75b5

jhalvorson
Valued Contributor

Agree, since installing the second release of the Security Update 2017-001, which results in 10.13.1 build 17B1003, our local admin account can not create standard or admin accounts via System Preferences >> Users & Groups.
Also fails when logging in with a mobile (AD) Admin account and trying the same steps to create an account.

Both types of accounts can be successfully added using Casper Remote (9.101.0).

grahamrpugh
Release Candidate Programs Tester

FWIW I am able to create a new admin account after the patch.

PhillyPhoto
Valued Contributor

@donmontalvo How come I can never see the build number in my "About This Mac" windows?

2dccc006a9474fbca2773d6428a1a5e2

@rich.thomas I can't create an admin user through the System Preferences either, but I was able to login with an LDAP account that's in the admin group and it made the account an admin. So it appears to be just something with the GUI.

dec650ec658c4517b02ab9a57fb12d29

What are people installing to get 17B1003? I've re-downloaded 2017-001 for 10.13.1 and it still installs 17B1002. The other 2017-001 update only works for 10.13.0 it appears.

grahamrpugh
Release Candidate Programs Tester

@PhillyPhoto you have to click your mouse on the Version number to see the Build number.

PhillyPhoto
Valued Contributor

@grahamrpugh I learned something new today!

On a side note, the App Store update brings it to 17B1003, but not the dmg download.

irobinso
New Contributor III

To those having issues creating admin accounts (@rich.thomas, @PhillyPhoto, @adhuston), I had the same issue at first but it worked normally after a reboot. Have you tried that already?

tranatisoc
New Contributor II

It does appear this update required a reboot afterall for the create new accounts to work.

PhillyPhoto
Valued Contributor

@irobinso The reboot worked for me.

emily
Valued Contributor III
Valued Contributor III

The receipt for the second update is com.apple.pkg.update.os.10.13.1Supplemental.17B1003. I'm not sure if there is a separate update for 10.13 (meaning, if the update installer is unique to 10.13 with a unique receipt name) as I haven't seen a 10.13.0 machine with any comparable receipt listed so far. If someone has a 10.13.0 machine that has gotten a security update and wants to share the receipt name I'm sure that'd help folks out.

adhuston
Contributor

From what I can see on my 10.13.0 machines the receipt is com.apple.pkg.update.os.10.13Supplemental.17A501.