When a company like Apple rushes out a software patch for a critical security bug, it deserves praise for protecting its customers quickly. Except, perhaps, when that patch is so rushed that it's nearly as buggy as the code it was designed to fix.

Earlier this week, Apple scrambled to push out a software update for macOS High Sierra, to sew up a glaring hole in the operating system's security measures: When any person or malicious program tried to log into a Mac computer, install software, or change settings, and thus hit a prompt for a username and password, they could simply enter "root" as the username with an empty password and bypass the prompt to gain full access to the computer. Apple's initial patch came out about 18 hours after the bug was first reported.

But now multiple Mac users have confirmed to WIRED that Apple's fix for that problem has a serious glitch of its own. Those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the "root" bug reappears when they install the most recent macOS system update. And worse, two of those Mac users say they've also tried re-installing Apple's security patch after that upgrade, only to find that the "root" problem still persists until they reboot their computer, with no warning that a reboot is necessary.

"It’s really serious, because everyone said 'hey, Apple made a very fast update to this problem, hooray,'" says Volker Chartier, a software engineer at German energy firm Innogy who was the first to alert WIRED to the issue with Apple's patch. "But as soon as you update [to 10.13.1], it comes back again and no one knows it."


Even if a Mac user knew to reinstall the security patch after they upgraded High Sierra—and in fact, Apple would eventually install that update automatically, as it has for other users affected by the "root" bug—they could still be left vulnerable, says Thomas Reed, an Apple-focused researcher at security firm Malwarebytes. After Reed confirmed that 10.13.1 reopened the "root" bug, he again installed Apple's security fix for the problem. But he found that, until he rebooted, he could still type "root" without a password and entirely bypass High Sierra's security protections.

"I installed the update again from the App Store, and verified that I could still trigger the bug. That is bad, bad, bad," says Reed. "Anyone who hasn't yet updated to 10.13.1, they’re now in the pipeline headed straight for this issue."

Mac administrator Chris Franson, a technical director at Northeastern University, tells WIRED that he repeated that sequence of events and found that the "root" bug persisted, too. But he noted that rebooting the computer—after updating to 10.13.1 and then re-installing the security fix—did cause the security update to finally take effect and resolve the issue, which Malwarebytes' Reed confirmed. They both note, however, that Apple's security update doesn't tell users to reboot after installing it. "You could easily have someone who doesn't reboot their computer for months," says Reed. "That's not a good thing."

WIRED reached out to Apple about the flaws in its patch, but hasn't yet heard back. On Monday, the company added an extra warning to its security update page for the "root" bug: "If you recently updated from macOS High Sierra 10.13 to 10.13.1, reboot your Mac to make sure the Security Update is applied properly."

The bug in Apple's bug-fix isn't, of course, as bad as its original "root" problem. For one, it's not clear how many High Sierra users might have installed the security patch before upgrading to the most recent version of the operating system, or even if everyone who did so is affected. Even among those who were affected, many likely have rebooted their computers, which should leave them protected.