Apple Acknowledges, Fixes and Apologizes for macOS Critical “Root” Security Flaw
Apple has released a security fix for the damning no-password macOS High Sierra root vulnerability. The details of this flaw and a temporary workaround were shared in our earlier post. Apple has now released Security Update 2017-001 to fix it, making it a critically important update that should be installed ASAP.
Apple confirms macOS High Sierra flaw enabled attackers to bypass administrator authentication
With this fix, the iPhone maker has confirmed the existence and the critical nature of this vulnerability. "Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS," Apple said in its statement. "When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole."
The company added that the update will be "automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra" starting later today. While Apple has issued an apology and said that the company greatly regrets this error, the latest sloppiness raises more concerns about the security of Apple products. The company has already fixed at least two other password-related security issues in High Sierra since its release in September.
Hopefully, this episode will push more security researchers to start looking into Apple products and the Cupertino tech giant will also be more cautious in the future. Apple did say that it is currently auditing its "development processes to help prevent this from happening again."
Here is the changelog for the security update released to fix the no-password root vulnerability.
SECURITY UPDATE 2017-001
Released November 29, 2017
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
If you require the root user account on your Mac, you can enable the root user and change the root user’s password.