Apple fixes macOS High Sierra bug just after one day
Nov 30 2017
Notably, the flaw is only found in Macs running on High Sierra and will not affect Macs still on Sierra or previous versions.
Root access allows someone to access your machine as a "superuser" with read and write privileges to many ore system files, including those in other macOS accounts. They can even tamper with Apple ID email addresses and do a handful of malicious actions that could otherwise not be possible without access.
Apple has releasedSecurity Update2017-001, which should prevent users from gaining control over another user's Mac.
"When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole", Apple said in a statement. That quick reaction time is reassuring, much as I'm sure many developers, testers, and deployment teams at Apple had a truly terrible day yesterday. "If a Root User is already enabled, to ensure a black password is not set, please follow the instructions from the "Change the root password" section".
According to Pedestrian, typing "root" and pressing "enter" multiple times will actually bypass the need for a password at the login screen of a mac running High Sierra - 10.13.1.
ArsTechnica spoke to a security researcher called Patrick Wardle from Synack about the bug. "Anything", said Moh. Apple unveiled High Sierra on September 25. Anyone can login as "root" with empty password after clicking on login button several times.
"Oh my god that should not work but it does", another user responded yesterday on the forum. In fairness to Apple, it's the simple kind of error that even security testers might skip checking, because no one expects an error this obvious to get made in the first place. Apple has detailed the content of the update over on its Support website.
Apple has yet to comment on the issue and the company will undoubtedly rush a fix to users, but it's baffling that a security bug this severe would make it into a shipping product.
And yes, if you've been waiting to upgrade to High Sierra, pat yourself on the back.