Apple just sh** the bed. Seriously. There’s a huge security vulnerability in macOS High Sierra, although calling it a “vulnerability” is like saying an atomic bomb is similar to a firecracker. Lemi Orhan Ergin (founder of Software Craftsmanship Turkey) apparently discovered the flaw and publicly posted about it to Apple on Twitter. It’s not clear if he gave Apple a heads-up prior to his tweet.
Apple has released a high priority patch to address this issue, along with a rare apology:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
After applying the patch (Security Update 2017-001), your build number should be 17B1002. The patch is available in the Mac App Store under the Updates section and will also be pushed out automatically as long as you have High Sierra version 10.13.1 installed. The details about the patch are posted here on Apple’s support page.
What Is It?
So….basically….the bug lets you log in as a system administrator with full privileges, without needing a password. Whoops. I don’t want to go through the steps here, but there are a ton of articles if you want to check it out for yourself. Basically the problem is that the root (system administrator) account has no password set but is disabled; through this vulnerability, that hidden admin account becomes active.
Holy security fail, Batman!
What Do I Do?
Apple will certainly fast-track a patch to fix this massive problem. In the meantime, there’s a workaround fix, which is basically to make sure the system administrator (root) account has a password of your own choosing (make it a good one, but anything is better than a blank password).
First step is go into your Users & Groups section in the System Preferences.
There you click on Login Options, and then the Join button.
That will bring up the Directory Utility. From there, click on the “Edit” menu option on the toolbar. All you have to do here is make sure the Root User is enabled and then change the password (you can’t change the password unless the Root User is enabled).
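To confirm the patch actually landed, here is an added check (not from the original post): it parses a macOS build string and reports whether it is at or past 17B1002, the build the post says you should see after Security Update 2017-001, and on a Mac reads the running build with `sw_vers`. It assumes any later build (higher minor number, later letter, or higher major number) also carries the fix.

```shell
#!/bin/sh
# Added example, not from the original post. Decides from a macOS build string
# whether the system is at or past build 17B1002 (Security Update 2017-001).
# Assumption: any later build also contains the fix, so it is reported as patched.

# is_patched BUILD
#   exit 0 = patched (17B1002 or later), 1 = not patched, 2 = unparsable build
is_patched() {
    build=$1
    major=${build%%[A-Z]*}            # "17"    from "17B1002"
    rest=${build#"$major"}            # "B1002"
    letter=${rest%%[0-9]*}            # "B"
    minor=${rest#"$letter"}           # "1002"
    # Every piece must be present and well-formed, otherwise refuse to judge.
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$letter" in [A-Z]) ;; *) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    # Compare (major, letter, minor) against (17, B, 1002), most significant first.
    if [ "$major" -ne 17 ]; then [ "$major" -gt 17 ]; return $?; fi
    code=$(printf '%d' "'$letter")    # character code of the build letter
    if [ "$code" -ne 66 ]; then [ "$code" -gt 66 ]; return $?; fi   # 66 = 'B'
    [ "$minor" -ge 1002 ]
}

# check_local_build: on a Mac, read the running build with sw_vers and report it.
# Returns 2 on non-macOS hosts so the file can be sourced anywhere.
check_local_build() {
    [ "$(uname -s)" = Darwin ] || return 2
    b=$(sw_vers -buildVersion)
    rc=0; is_patched "$b" || rc=$?
    case $rc in
        0) echo "build $b: at or past 17B1002, Security Update 2017-001 is applied" ;;
        1) echo "build $b: before 17B1002, install Security Update 2017-001 and set a root password" ;;
        *) echo "build $b: unrecognised build string" ;;
    esac
    return $rc
}

# Run the check only when executed on a Mac; elsewhere just define the functions.
if [ "$(uname -s)" = Darwin ]; then check_local_build; fi
```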