Apple patches bug that lets users gain root access without password

Apple has quickly released a security patch to fix a flaw in macOS High Sierra that lets a user gain root access without a password. It had previously issued a temporary workaround to patch the vulnerability.

[UPDATED] with a statement from Apple.

You can read the support page for the patch, Security Update 2017-001, here.

In the update description, Apple urges customers to “install this update as soon as possible”.

If you’re running macOS High Sierra, download and install this update immediately.

Just open the Mac App Store and you should be able to see the update available for download.

The vulnerability was discovered by developer Lemi Orhan Ergin, who tweeted about the exploit.
You can easily gain root access at the login screen, in the System Preferences Users & Groups tab, and in FileVault.

All one needs to do is enter “root” in the username field, and leave the password field blank, then hit “Enter” a couple of times.

It’s pretty scary stuff.

Prior to Apple’s patch, you could fix the vulnerability by setting a root password.

This is easily done via Terminal:

sudo passwd -u root

Apple released a statement regarding the issue:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

Are you running macOS High Sierra?
