Security Flaw Lets Anyone Gain Access To Macs Running High Sierra

A newly found security flaw in the latest edition of Apple’s macOS operating system allows anyone to gain administrative access to a Mac — without using a password.


The flaw, along with the extremely simple procedure for gaining control of a Mac, was first revealed by software developer Lemi Orhan Ergin on Twitter.

So far, the flaw has been found only in the High Sierra version of macOS. Users with older macOS versions should be unaffected.

This is a major flaw that would allow complete access to anyone who steals a Mac — or uses a Mac without authorization — if that Mac is running High Sierra. Anyone can enter “root” as the user name and take control of the Mac without even entering a password.

The flaw was also confirmed by ZDNet, which saw the issue in macOS High Sierra 10.13.0, 10.13.1 (the current release), and even the macOS High Sierra 10.13.2 beta. As ZDNet’s Steven J. Vaughan-Nichols wrote, “This is an all-time security failure. I cannot think of anything to match it. All Macs running up-to-date macOS are wide-open for attacks.”

How To Fix

Apple has acknowledged the flaw, and is working on a fix to be issued in a future update — hopefully very soon. But until that update arrives, there’s another way to secure your Mac.

Apple has published a new support document named “How to enable the root user on your Mac or change your root password.” The document gives users steps on how to enable or disable the root user, log in as the root user, or change the root password. The last option is probably the best fix right now: once a password is set for root, the root account can no longer be accessed with a blank password.

This is a shocking flaw from Apple, but as ZDNet has pointed out, it’s not the first password bug seen in High Sierra thus far. Hopefully, Apple can get its act together and properly secure the latest edition of macOS very soon.

UPDATE: Apple has released a patch to fix the flaw. The patch is currently available for download.
