The security fix was rolled back when users
updated to macOS 10.13.1.
The serious and surprising root security bug in macOS High Sierra is back for some users, shortly after Apple declared it fixed. Users who had not installed macOS 10.13.1 and thus were running a prior version of the OS when they received the security update, found that installing 10.13.1 resurfaced the bug, according to a report from Wired.
For these users, the security update can be installed again (in fact, it would be automatically installed at some point) after updating to the new version of the operating system. However, the bug is not fixed in that case until the user reboots the computer. Many users do not reboot their computers for days or even weeks at a time, and Apple’s support documentation did not at first inform users that they needed to reboot, so some people may have been left vulnerable without realizing it. The documentation been updated with the reboot step now.
The root bug allows anyone to log in or authenticate as a system administrator on systems running macOS High Sierra by simply typing in the username “root” and leaving the password field blank, in many circumstances. It was a serious bug that drew an uncharacteristically strong apology from Apple, which said its “customers deserve better.”
After the bug got widespread attention on Twitter and in the press, Apple moved quickly to fix it with security update Security Update 2017-001. It was quickly discovered that the security update broke file sharing functionality for some users. Apple in turn released a new version of the security update that addressed that issue. Now, within a few days, this additional wrinkle has been discovered.