Versions 10.13 and 10.13.1 of Apple’s High Sierra Mac operating system have a major flaw that makes it possible to completely bypass all security features This can be exploited from the login window or any authentication prompt, if “root” is entered for the username and the password is left blank. After this has been done, the Mac can be accessed as root without a password either locally or remotely via the command line.
While this is an unprecedented Apple security bug, this risk is minimal for most Mac users. Here’s my need-to-know assessment:
- Physical access to the Mac is required to “activate” this vulnerability*
- News of this bug went viral on 11/28/17
- In less than 24 hours Apple released a patch to fix it: Security Update 2017-001
*The ability to access the Mac as root without a password is one that requires “activation”, and by activation I mean someone with physical access to the Mac would first need to actually enter “root” for the username at the login window or authentication prompt, click into the blank password field, and attempt to continue multiple times (the first few will fail). If this hasn’t previously been done, the Mac is safe from this bug.
Now that this flaw is public knowledge, Macs running High Sierra 10.13 or 10.13.1 should have the Security Update 2017-001 update applied ASAP. While the threat is limited in scope, it makes publicly accessible unpatched Macs a prime target. Once macOS 10.13.2 is released this will all be water under the bridge, because Apple rolls previous security patches into macOS updates.
A few additional items of note:
- This can only potentially affect Macs that have never had the root user enabled.
- The Security Update 2017-001 will disable the root user if it has been enabled in the past. Apple’s instructions for enabling/re-enabling the root user are posted here.
- There are reports of the Security Update 2017-001 breaking file sharing. This is limited to Macs running High Sierra 10.13.1, sharing out files via SMB to other Macs. 12/1/17 UPDATE: Apple has posted a fix for this problem.
- This flaw is not limited to root, it also extents to other faceless user accounts like guest, _applepay, and _uucp. See this Objective-See blog post for more details on the underlying cause, including what Apple did wrong.
- Apple has released a followup statement that includes: “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”