Major security flaw discovered in macOS High Sierra: UPDATE - Apple issues emergency fix

UPDATE:

Hours after the story first broke of a major security flaw in macOS High Sierra, Apple has issued an update to fix the problem.

Available now, the update can be downloaded by opening the App Store app, then clicking Updates and installing 'Security Update 2017-001'. Apple says the update "is recommended for all users and improves the security of macOS".

While that is true, the update actually fixes a major security flaw which made it possible for anyone to log into a locked Mac with no need for any password at all. Once logged in, they were given 'root' access, meaning they had administrative privilege and access to the entire system.

GearBrain found the update took between four and five minutes to download and install. We also found that users running the public beta of High Sierra must make sure their operating system is updated before looking for the security fix, as it will not appear in the App Store's Updates page until you are running Public Beta 5 or later.

[Screenshot: macOS High Sierra security update]

ORIGINAL STORY

Apple is working to fix a major bug which gives full administrator privilege to anyone using a Mac in a matter of seconds and without a password.

The bug is present in Apple computers running the company's newest operating system, macOS High Sierra. Once exploited, the flaw lets anyone create an administrator account for themselves on the machine, which comes with the power to install potentially malicious software, reset passwords, view hidden files and delete existing user accounts.

Discovered by Turkish computer developer Lemi Ergin and revealed on Twitter, the 'hack' is incredibly simple to perform. From the login screen, click 'other' next to the main user's account, then enter 'root' as the username and leave the password field blank. Then press enter. Sometimes several presses of enter are required, but the outcome is the same - you are logged into the Mac's 'root' account, which has full administrator privilege.



If you have the 'other' account option switched off, then you are protected to some extent. However, the hack can also be performed when the Mac is left unattended and logged into the main user's account. Head to System Preferences, then click Users & Groups and click on the padlock. Then enter 'root' and leave the password blank. Click Unlock twice and the root account is created. Both methods are startlingly simple, and GearBrain was able to verify that both work as described on a 2016 MacBook Pro running macOS High Sierra.

Researchers have found an attacker doesn't even need physical access to exploit the bug. Patrick Wardle reports that in some cases, if Screen Sharing is enabled on the target Mac, a hacker can gain access to the root account.

Computer security expert Graham Cluley said in a blog post about the flaw: "This is pretty bad of Apple...Once someone has root on your Mac, they have God-like powers over the entire system."

Thankfully, before Apple issues a fix via a software update, there is a temporary solution. As explained by an Apple Support document, this involves giving the root account a password which is not the blank default.

Apple said in a statement: "We are working on a software update to address the issue."