Apple has rushed a patch for macOS High Sierra to the Apple Security Updates website. According to the webpage, a vulnerability allowed attackers “to bypass administrator authentication without supplying the administrator’s password.”
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
(initial tweet announcing problem)
Developer Lemi Orhan Ergin first tweeted the issue to @AppleSupport Tuesday, Nov. 28. Essentially, anyone logged into a machine with the latest macOS could go to System Preferences, enter “root” as the user name, leave the password blank, and gain administrative privileges. Even a user logged in as a guest could receive administrative permissions because of the bug.
Apple responded quickly to the tweet and released an update in less than 24 hours. In the time between the initial tweet and the fix, helpful developers gave advice on how to change a root password and disable guest account access.
The patch can be found by going to the App Store and clicking on Updates. Many affected users will have seen the notification pop up on their desktop by now. Apple urges users to install the update as soon as possible, and the update will automatically install later today for those who have not yet done so. The update does not require a restart to take effect.
Apple was clearly embarrassed by the mistake and issued the following statement to various outlets:
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
The incident showed the balancing act required of all computer users. Software updates fix vulnerabilities, but can also create new bugs. Still, most experts recommend installing software updates as soon as they become available. And, on that note, if you haven’t installed the patch for High Sierra 10.13.1 yet, this would be a good time to do so.
