Nov 29, 2017

Update your Mac right now—or Apple will

By Kyle Foley

In a move the company rarely makes, Apple is pushing a fix to all users running macOS 10.13.1 today. And for good reason—a big vulnerability, tweeted out by developer Lemi Ergin yesterday, let anyone with access to a system gain root superuser privileges without needing a password.

The beauty of the bug was its simplicity: When asked for credentials to log into an administrator account, all a user had to do was enter "root" as the user name, leave the password blank, and click on the "Unlock" button a few times. Boom. Administrator access, which a person could then use to create a new administrator account and unlock the system at will.  

Apple has released a statement about the vulnerability this morning:

"When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

In addition to downloading Apple's update—or having your device updated for you—it wouldn't hurt to set a root password for your system if you haven't already done so (which would have also protected your system from this bug). Here's how: