Apple Acknowledges, Fixes and Apologizes for macOS Critical “Root” Security Flaw

Nov 29

Apple has released a security fix for the damning no-password macOS High Sierra root vulnerability. The details of this flaw and a temporary workaround were shared in our earlier post. Apple has now released Security Update 2017-001 to fix it, making it a critically important update that should be installed as soon as possible.

Apple confirms macOS High Sierra flaw enabled attackers to bypass administrator authentication

With this fix, the iPhone maker has confirmed the existence and the critical nature of this vulnerability. “Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” Apple said in its statement. “When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole.”


The company has added that the update will be “automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra” starting later today. While Apple has issued an apology and has said that the company greatly regrets this error, the latest sloppiness raises more concerns about the security of Apple products. The company has already fixed at least two other password-related security issues in High Sierra since its release in September.

Hopefully, this episode will push more security researchers to start looking into Apple products and the Cupertino tech giant will also be more cautious in the future. Apple did say that it is currently auditing its “development processes to help prevent this from happening again.”

Here is the changelog of the security update released to fix the no-password root vulnerability.


SECURITY UPDATE 2017-001

Released November 29, 2017

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.

If you require the root user account on your Mac, you can enable the root user and change the root user’s password.
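An added check, not from the article or from Apple, for confirming that the fix described above is actually installed on a machine: the article states that a Mac with Security Update 2017-001 reports build 17B1002, so the script reads the running build with `sw_vers -buildVersion` and compares it component by component against that value. The build-number shape it assumes (major number, one letter, trailing number) and the sample builds used in the comments and usage (17B1001, 17C1) are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: report whether this Mac is
# running build 17B1002 (the build the article says Security Update 2017-001
# produces) or a later one. Assumed build-number shape: <major><LETTER><number>,
# e.g. 17B1002 = major 17, letter B, number 1002; compared component by component.

REQUIRED_BUILD="17B1002"   # value from the article

# ord LETTER -> numeric character code of a single character (POSIX printf idiom)
ord() { printf '%d' "'$1"; }

# build_at_least CURRENT REQUIRED
#   returns 0 if CURRENT is REQUIRED or a later build (e.g. 17C1 vs 17B1002),
#   1 if it is older (e.g. 17B1001 vs 17B1002), 2 if either string is malformed.
build_at_least() {
    cur="$1" req="$2"
    # only digits and capital letters are accepted; anything else is malformed
    case "$cur$req" in *[!0-9A-Z]*|"") return 2 ;; esac
    cur_major=${cur%%[A-Z]*};        cur_rest=${cur#"$cur_major"}
    cur_letter=${cur_rest%%[0-9]*};  cur_num=${cur_rest#"$cur_letter"}
    req_major=${req%%[A-Z]*};        req_rest=${req#"$req_major"}
    req_letter=${req_rest%%[0-9]*};  req_num=${req_rest#"$req_letter"}
    # every numeric component must be present and the letter exactly one char
    for v in "$cur_major" "$cur_num" "$req_major" "$req_num"; do
        [ -n "$v" ] || return 2
    done
    [ "${#cur_letter}" -eq 1 ] && [ "${#req_letter}" -eq 1 ] || return 2
    # compare major, then letter, then trailing number
    if [ "$cur_major" -ne "$req_major" ]; then
        [ "$cur_major" -gt "$req_major" ] && return 0 || return 1
    fi
    if [ "$cur_letter" != "$req_letter" ]; then
        [ "$(ord "$cur_letter")" -gt "$(ord "$req_letter")" ] && return 0 || return 1
    fi
    [ "$cur_num" -ge "$req_num" ] && return 0 || return 1
}

# Stand-alone use on a Mac: compare the running build with the required one.
# On any other system sw_vers is absent and the script just says so.
if command -v sw_vers >/dev/null 2>&1; then
    current=$(sw_vers -buildVersion)
    if build_at_least "$current" "$REQUIRED_BUILD"; then
        echo "build $current: Security Update 2017-001 (or later) is installed"
    else
        echo "build $current: install Security Update 2017-001 ($REQUIRED_BUILD or later)"
    fi
else
    echo "sw_vers not found: not macOS, nothing to check"
fi
```

Run it on each Mac in a fleet (for example from a management agent) and alert on the "install Security Update" branch; comparing components rather than the whole string matters because later builds such as 10.13.2 carry a different letter and a smaller trailing number while still containing the fix.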
