Apple patches egregious macOS High Sierra security flaw
A day after it was revealed that macOS High Sierra had a massive security problem that allowed unauthorized users to easily log into a Mac with admin access, Apple has released a patch for the bug.
Yesterday Twitter user Lemi Ergin publicly revealed that if a user types "root" into the User Name field that comes up when making changes to System Preferences, and then hitting enter, the user will gain root-user access. They'll also be able to log into the Mac anytime simply by going to "Other" at login and typing the "root" username again.
This Tweet is currently unavailable. It might be loading or has been removed.
The security flaw apparently only exists on macOS 10.13.0 or later. Apple quickly published a seven-step workaround for preventing anyone from taking control of a Mac this way, and now the company has released an official patch in a security update (download it here). You'll need to be running the latest version of High Sierra (10.13.1) to implement it.
The notes in the security update say it specifically addresses the flaw. As for the cause, the notes say, "a logic error existed in the validation of credentials. This was addressed with improved credential validation."
An Apple spokesperson told Mashable:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
Security problems and patches happen all the time, although they are rarely this egregious, or this easy to exploit. It's also just the latest high-profile software problem haunting Apple -- the company recently had to patch a bug on iPhones that would substitute the letter "i" with a strange "A[?]" character for some users.
Topics Apple Cybersecurity
Pete Pachal was Mashable’s Tech Editor and had been at the company from 2011 to 2019. He covered the technology industry, from self-driving cars to self-destructing smartphones.Pete has covered consumer technology in print and online for more than a decade. Originally from Edmonton, Canada, Pete first uploaded himself into technology journalism at Sound & Vision magazine in 1999. Pete also served as Technology Editor at Syfy, creating the channel's technology site, DVICE (now Blastr), out of some rusty HTML code and a decompiled coat hanger. He then moved on to PCMag, where he served as the site's News Director.Pete has been featured on Fox News, the Today Show, Bloomberg, CNN, CNBC and CBC.Pete holds degrees in journalism from the University of King's College in Halifax and engineering from the University of Alberta in Edmonton. His favorite Doctor Who monsters are the Cybermen.
