Skip to main content

Apple Patches Serious macOS High Sierra Flaw

by Dennis Fisher on Wednesday November 29, 2017

Contact Us
Free Demo

Apple released an emergency software update on Wednesday to resolve a critical flaw in its latest operating system, macOS High Sierra, that could have let anyone login to machines as root, without a password.

Apple doesn’t do small things.

When it decides to make a phone, it makes the phone. When it decides to build a new headquarters, it builds the thing from Cloudy With a Chance of Meatballs 2. And when Apple makes security mistakes, it makes the kind of mistakes that burn down Twitter for an afternoon and leave Mac security experts baffled.

On Tuesday, word began circulating about a serious bug in macOS High Sierra, the latest version of Apple’s operating system. The vulnerability is not some hard-to-reach weakness that required esoteric knowledge and months of effort to exploit. And it isn’t a crazy flaw pulled out of a leaked NSA document. Rather, it’s about as simple—and serious—as they come: Any user can log in to a High Sierra machine as root, without a password.

Here’s how you can exploit this vulnerability: Type root into the username field, go to the password field and hit enter twice. That’s the extent of it. This is considered sub-optimal behavior.

Apple acknowledged the vulnerability on Tuesday and released an emergency patch for the issue on Wednesday. Before rushing out the patch the company was urging users to set a root password to prevent unauthorized access to affected machines. Any attacker who can obtain physical access to a High Sierra machine can get root access to the computer with the flaw.

After the existence of the vulnerability became public Tuesday, researchers began digging into the details to figure out exactly what was going on. It turns out that the bug is caused by a problem with the way that High Sierra handles accounts that haven’t been enabled yet.

“When a user (or attacker) attempts to log into an account that is not currently enabled (i.e. root), the system will create that account with whatever password the user specifies...even if that password is blank. This is why to perform this attack via the UI, you have to click on 'Unlock' twice,” Patrick Wardle, a Mac security researcher, wrote in an analysis of the vulnerability.

Before the patch was released there were couple of things that users could have done to protect their machines. Apple suggests that users on High Sierra enable the root account themselves and set a strong password for it. Root is disabled by default on macOS, as it is a very powerful account and users not familiar with it can cause problems with their machines if they’re not careful.

“The user account named ‘root’ is a superuser with read and write privileges to more areas of the system, including files in other macOS user accounts. The root user is disabled by default. If you can log in to your Mac with an administrator account, you can enable the root user, then log in as the root user to complete your task,” Apple said.

If you’re running High Sierra on an unmanaged machine, this is something you should do sooner rather than later.

Tags:  Security News

Recommended Resources

The Definitive Guide to DLP

All the essential information you need about DLP in one eBook.

The Ultimate Guide to Data Protection

Everything you need to know about data protection but were afraid to ask.