UPDATE: Apple Releases Patch For Embarrassing MacOS High Sierra Admin Access Exploit

Updated November 29th at 11:52am

Apple has issued a patch for the macOS High Sierra security exploit, less than 24 hours after it was made public. It is addressed in Security Update 2017-001, which Apple encourages all macOS High Sierra users to download immediately. Apple describes the security incident, writing:

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

The original story continues below:

A major bug has been found in macOS High Sierra that could give unauthorized users full admin access to a Mac computer without needing a password to do so. The bug was discovered by developer Lemi Ergin, and it will allow anyone to log into the admin account of the computer using the username "root" and no password.
Macs

By using the bug anyone, can log into the admin account on an unlocked Mac computer. Anyone taking advantage of the bug also gains access to the login screen of a locked Mac. Perhaps the scariest part of this bug is just how simple it is to exploit. The steps required include:

  1. Opening system preferences
  2. Click Users & Groups
  3. Clicking the lock for changes
  4. Typing "root" into the username field
  5. Leaving the password field blank
  6. Clicking unlock

Once those steps are performed, the Mac will unlock and the person can then add a new administrator account to the computer. This bug also allows access to the Mac from the login screen after enabling it in the System Preferences area. Taking advantage of the bug from there requires the user to click "other" and then enter the same "root" username with no password. That path allows the user to see everything on the computer.

mac bug


This flaw is reportedly in the current version of High Sierra 10.13.1 and the 10.13.2 beta. To block this bug from being exploited on your system, you can activate an account with the "root" username and a password. An Apple spokesperson addressed the exploit with the following statement:

We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section.

ArsTechnica spoke to a security researcher called Patrick Wardle from Synack about the bug. Wardle believes that this bug could be used by an attacker in a multistage attack. The "root" flaw could be used to gain privileges that could then allow the attacker to gain privileges to exploit the OS in ways that aren't normally possible.

This isn’t the first flaw with High Sierra; there have been several. A bug in High Sierra caused iMessage delivery errors for some users, while another bug in the OS exposed passwords for encrypted APFS volumes. Yet another flaw in the OS allowed programs that weren't approved by Apple the opportunity to steal passwords from the Mac keychain.