Last week, Apple was left red-faced after it was discovered that a bug in macOS High Sierra allowed anyone to gain root access to the system without a password. The company quickly released a security patch to fix the problem, but it also needed updating with an advisory because it could prevent file-sharing on the Mac. Now another problem has been identified, and it allows the root bug to be reactivated.
As Betanews reports, it turns out that when Apple released the security patch, it assumed Mac owners would apply everything in the correct order. Assuming never ends well, and so further clarification was required from Apple as to how to go about applying the patch.
The patch assumed your Mac was already running macOS 10.13.1, but that isn’t the case for everyone. Some users applied the patch while running 10.13.0. Everything seems fine afterwards, but then the 10.13.1 update gets installed and the root bug is reintroduced. Users wouldn’t realize this, and Apple didn’t state that it would happen.
Another oversight from Apple is assuming everyone would reboot their Mac after applying the security patch. If you don’t, apparently the patch isn’t applied properly and your Mac is still vulnerable.
In order to ensure your Mac is fully protected, be sure to upgrade to macOS 10.13.1 first, apply the security patch, and reboot your machine. If you have already gone through the update process and now aren’t sure if it worked or not, there’s an easy way to check. Simply visit the Apple support page for the update and follow the steps there using the Terminal app to confirm you are secure.
A pretty major security flaw has been found in macOS High Sierra, which allows people to log into a Mac running the latest operating system by simply using ‘root’ as a user name, and not having to enter in a password.
Worst of all, logging in with this account gives the user full admin rights, which means they can change system settings, and potentially wreak havoc on the Mac.
Update: Apple has now released a fix for this flaw, so you should implement it immediately. To do this, open up the Mac App Store and click on ‘Updates’. Select the security update (2017-001), then click ‘Update’. You may also want to follow the steps listed below to make sure you have a root account with a password you have set.
How to change the root password in macOS High Sierra
First of all, open the Apple menu by clicking the Apple icon in the top-left hand corner of the screen, then click on ‘System Preferences’.
From there, click on either ‘Users & Groups’ or ‘Accounts’. You should see a padlock icon. Click it, then enter in the name and password for your administrator account. Click ‘Login Options’ then ‘Edit’.
Next, click ‘Open Directory Utility’, then click the padlock icon in the window that appears. You’ll need to enter in your administrator name and password again, then open the menu bar in Directory Utility and click on ‘Edit’ then ‘Change Root Password…’
Now, choose a password for the root user account. It’s worth making this an easy to remember – but hard to guess – password. The root user account is an incredibly powerful account, so you don’t want most people to be able to log into it.