Apple has released a security update for macOS High Sierra that fixes the (terrifying) root login bug that was first exposed yesterday. The problem appears to have been simple to fix, as Apple had this security patch out in near-record time. Anyone running macOS High Sierra 10.13.1 should download and install the update right now.
The root login bug revealed yesterday was the holy grail of security flaws. It allowed anyone to log in to a Mac on the root account, simply by entering the username “root” and leaving the password field empty. Once someone has root access, there are basically no limits on what they can do. Root is a “superuser” account with read and write privileges over the entire system, including other user accounts. That means that anyone with 30 seconds and physical access to your machine can install programs, read and write user and system files, and do basically anything else you can imagine.
Apple confirmed yesterday that it was working on a software update, but didn’t give any further details about the security flaw or what caused it. In the documentation for the security patch today, Apple tersely admitted the existence of the bug, and blamed it on a “logic error” in the validation of credentials:
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
In addition, Apple issued a statement alongside the update:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
To install the security update on your Mac, open the App Store, and click on the Updates tab in the top right. You should see an update for Mac firmware near the top of that list; click update to download and install the patch. As always, it’s a good idea to have your important data backed up, especially since this software update has been rushed out without a chance to extensively test it.