Apple fixes macOS bug allowing full access without a password (updated)
It didn’t take long for Apple to patch that nasty macOS High Sierra flaw that let intruders gain full administrator access (aka root) on your system. The company has released Security Update 2017-001, which should prevent people from gaining control over a Mac just by putting “root” in the username and hitting the Return key a few times. Needless to say, you’ll want to apply this fix as soon as you can if you’re running Apple’s latest desktop OS.
The practical threat of this exploit is fairly low, as it requires that someone have physical access to your Mac. You could also thwart it by setting a root password. The concern, of course, is that this is a disconcertingly simple trick: it wouldn’t take much for someone to access your unattended MacBook in a coffee shop. It is good that Apple is fixing the bug quickly, but ideally it wouldn’t have been there in the first place.
Update: Apple has issued a statement on the patch. It has apologized for the flaw, noting that “customers deserve better,” and is reviewing its “development processes” to prevent a repeat. Also, you’ll soon have this update as a matter of course: Apple will automatically install it on all systems running macOS 10.13.1 sometime later today. You can read the full statement below.
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
“We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”