A day after it was revealed that macOS High Sierra had a massive security problem that allowed unauthorized users to easily log into a Mac with admin access, Apple has released a patch for the bug.
Yesterday Twitter user Lemi Ergin publicly revealed that if a user types “root” into the User Name field that comes up when making changes to System Preferences, and then hitting enter, the user will gain root-user access. They’ll also be able to log into the Mac anytime simply by going to “Other” at login and typing the “root” username again.
The security flaw apparently only exists on macOS 10.13.0 or later. Apple quickly published a seven-step workaround for preventing anyone from taking control of a Mac this way, and now the company has released an official patch in a security update (download it here). You’ll need to be running the latest version of High Sierra (10.13.1) to implement it.
The notes in the security update say it specifically addresses the flaw. As for the cause, the notes say, “a logic error existed in the validation of credentials. This was addressed with improved credential validation.”
An Apple spokesperson told Mashable:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.Â
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
Security problems and patches happen all the time, although they are rarely this egregious, or this easy to exploit. It’s also just the latest high-profile software problem haunting Apple â the company recently had to patch a bug on iPhones that would substitute the letter “i” with a strange “A[?]” character for some users.