macrumors bot
Original poster
Apr 12, 2001

Apple today released Security Update 2017-001 to fix a serious vulnerability that enables access to the root superuser account with a blank password on any Mac running macOS High Sierra version 10.13.1.

[Image: rootbug.jpg]

The critical bug, which gained attention after it was tweeted by developer Lemi Ergin yesterday, lets anyone gain administrator privileges by simply entering the username "root" and a blank password in System Preferences > Users & Groups.

The security update is rolling out on the Mac App Store now, and all users running macOS High Sierra should install it as soon as possible. Even so, Apple said that starting later today the security update will be installed automatically on all Macs running macOS High Sierra 10.13.1.

Apple has since apologized for the vulnerability in a statement issued to MacRumors:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
The vulnerability does not affect macOS Sierra or any other previous version of the operating system.

Article Link: Apple Releases macOS High Sierra Security Update to Fix Root Password Vulnerability
 

KdParker

macrumors 601
Oct 1, 2010
Everywhere
Wow... that is surprising. Most users will never log in as root on their Mac.
But why would it have ever been set to blank?
 

T909

Suspended
Aug 16, 2008
Europe
Well, at least I have now discovered that I don't have any psychic powers. I thought it would take them a good few weeks to fix this issue.
 

Fall Under Cerulean Kites

macrumors 6502
May 12, 2016
Amazing that this bug existed in the first place; however, an equally amazing response from Apple in terms of how quickly they released a fix.

As embarrassed as I am for Apple for this bug popping up, I'm quite certain that Windows would not have benefited from such a quick correction.
 

discuit

macrumors regular
Jan 23, 2009
This is actually an argument in favor of public disclosure of vulnerabilities. Lemi Orhan Ergin was catching a lot of criticism yesterday for posting it on Twitter, but if this bug had been reported privately, it would have taken much longer to fix, while malicious actors would have been able to exploit it all along.
 