Fix for password security flaw on macOS High Sierra
Technology blogs and other news channels are today reporting a significant security flaw in the latest version of the Apple Mac operating system (macOS High Sierra). Where a computer has the root user account enabled without a password set, reports say it is possible to gain unauthorised access to the device and any data it contains. Note: the root user is disabled by default, so this would only be a concern where an administrator account has been used to enable it; Apple's advice is:
“The root user account is not intended for routine use and is disabled by default. Its privileges allow changes to files that are required by your Mac. You should disable the root user after completing your task.”
Any Mac users who have installed recent High Sierra releases (macOS versions 10.13.0, 10.13.1 and the 10.13.2 beta) are asked to install the following security update urgently.
How to install the security update:
Open the App Store application and click Updates. The following update should appear; install it to fix the security flaw.
Security Update 2017-001
Released: November 29, 2017
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
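As an added example (not part of the original post, and not Apple's tooling), the following shell check lets an administrator see whether a Mac is still in the state described above: an affected High Sierra version, without Security Update 2017-001 installed, and with the root account enabled. It assumes the output shapes of sw_vers, softwareupdate --history and dscl noted in the comments; the sample outputs embedded for offline runs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Decision logic is kept in functions that take command output as strings, so the
# checks can be exercised offline; the live block at the end only runs on macOS.

# Constructed sample outputs (not from a real machine) for offline use.
SAMPLE_HISTORY_PATCHED='Display Name                        Version    Date
Security Update 2017-001                       2017-11-29'
SAMPLE_DSCL_ROOT_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# 0 when the product version (as printed by `sw_vers -productVersion`) is one of
# the High Sierra releases the post lists; 10.13.0 reports itself as "10.13".
is_affected_version() {
    case "$1" in
        10.13|10.13.0|10.13.1|10.13.2) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the installed-update history (assumed: `softwareupdate --history`,
# one update per line) names Security Update 2017-001.
has_security_update() {
    printf '%s\n' "$1" | grep -q 'Security Update 2017-001'
}

# 0 when `dscl . -read /Users/root AuthenticationAuthority` printed the key
# (assumed: the key exists only once root has been enabled; a disabled root
# makes dscl fail, yielding empty input here).
root_enabled() {
    printf '%s\n' "$1" | grep -q 'AuthenticationAuthority:'
}

# Prints a verdict and returns 0 (nothing to do), 1 (update missing) or
# 2 (update missing and root enabled, the combination the post warns about).
assess() {
    version="$1"; history="$2"; dscl_out="$3"
    if ! is_affected_version "$version"; then
        echo "OK: macOS $version is outside the affected range"; return 0
    fi
    if has_security_update "$history"; then
        echo "OK: Security Update 2017-001 is installed"; return 0
    fi
    if root_enabled "$dscl_out"; then
        echo "ACTION: root is enabled and Security Update 2017-001 is missing"; return 2
    fi
    echo "ACTION: Security Update 2017-001 is missing (root currently disabled)"; return 1
}

# Live run on a Mac; a no-op on other systems.
if [ "$(uname)" = "Darwin" ]; then
    assess "$(sw_vers -productVersion)" \
           "$(softwareupdate --history 2>/dev/null)" \
           "$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)"
fi
```

Run it with sudo on each managed Mac and act on any ACTION line; a return code of 2 is the highest-priority case.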