Published: Sun, December 03, 2017
Research | By Raquel Erickson

Updating macOS High Sierra Could Reactivate Root Password Vulnerability

However, the root security fix doesn't reinstall as seamlessly for those who are installing it again after updating their machine to macOS 10.13.1.

The macOS High Sierra bug was discovered last week by a member of the infrastructure staff at iyzico, a Turkish payment management platform provider, according to Lemi Orhan Ergin, a "software craftsman" at the company.

As Wired reports, Apple scrambled to release a macOS High Sierra security update earlier this week to patch up a critical flaw in the system's login process, which, as mentioned, allowed anyone to unlock Macs without even entering a password.

A few days ago, it was discovered that anyone could access locked settings on a Mac using the username 'root', which doesn't need a password, and subsequently unlock the computer.

The vulnerability was disclosed by a user on Tuesday on Twitter.


The solution is a simple one - but one that has not been made sufficiently clear by Apple. A new report from Wired has revealed that users who were still on macOS High Sierra 10.13 - and installed the rushed security patch for the root exploit - saw the effects of the patch completely undone by upgrading to macOS High Sierra 10.13.1. That would permit unfettered access to the file system on a Mac, exposing private documents on that particular computer. As a temporary measure, Apple recommends activating the root user and setting the password manually. Even if it's not as abysmal as the original root bug, this still reflects badly on the security of Apple's OS, which the company has long boasted of as one of the elements that make Macs better than PCs.

A user responding to a question about creating an admin account in the operating system noted on November 13 that one solution was to log in at startup with the username "root" and an empty password. "This is really REALLY bad".

Several experts have lambasted Apple for allowing the vulnerability in the first place.

In the case of a fix for this latest vulnerability, "I would imagine [Apple] will be pushing it out as a high priority", Cluley said.
