A security flaw has been detected in macOS High Sierra 10.13 or greater. This vulnerability allows anyone to log into a Mac and change administrative settings by typing the username “root” with no password. Users should apply the newly published Apple Security Update described at support.apple.com/en-us/HT208315 as soon as possible.
Systems at risk:
- Macs running macOS High Sierra 10.13 or greater;
- Systems with local console access, such as shared computers in teaching or lab environments, where users are not granted root access; and
- Systems with Apple Remote Desktop (ARD) enabled.
Systems not at risk:
- Mac operating systems prior to 10.13
Recommended actions
Users with High Sierra 10.13 or greater should visit the Apple App Store and install the 2017-001 update as soon as possible.
A temporary fix is to create a root account, then set a password and leave it enabled; instructions can be found online.
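The shell sketch below is an added example, not part of the original advisory or of Apple's guidance. It triages a host against the criteria above using the macOS version and the state of the root account. The function names are hypothetical, and reading a lone `*` in the `dscl` Password attribute as "root disabled" is an assumption. It does not detect whether the 2017-001 update is installed.

```shell
#!/bin/sh
# Added example: triage against the exposure criteria in this advisory.

# version_at_risk VERSION: succeeds when VERSION is 10.13 or greater (the
# criterion as stated in the advisory); returns 2 if VERSION is unparsable.
version_at_risk() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major.$minor" in .*|*.|*[!0-9.]*) return 2 ;; esac
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 13 ]; }
}

# root_state LINE: classifies the line printed by
# `dscl . -read /Users/root Password`. Assumption: a lone "*" marks a
# disabled root account, any other value an enabled one.
root_state() {
    case "${1#Password: }" in
        '*') echo disabled ;;
        '')  echo unknown ;;
        *)   echo enabled ;;
    esac
}

# triage VERSION LINE: one-line verdict for a host.
triage() {
    version_at_risk "$1" && rc=0 || rc=$?
    case $rc in
        1) echo "not-at-risk"; return 0 ;;
        2) echo "unknown-version"; return 0 ;;
    esac
    # "enabled" does not prove a password is set; confirm one was chosen.
    echo "at-risk root=$(root_state "$2")"
}

# On a Mac, use live values; elsewhere, run on constructed sample input.
if command -v sw_vers >/dev/null 2>&1; then
    triage "$(sw_vers -productVersion)" \
           "$(dscl . -read /Users/root Password 2>/dev/null)"
else
    triage 10.13.1 'Password: *'    # constructed sample
    triage 10.12.6 'Password: *'    # constructed sample
fi
```

A result of `at-risk root=disabled` means the temporary fix has not been applied on that host; installing the update remains the recommended action in every `at-risk` case.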
More information can be found at the following websites:
- theverge.com/2017/11/29/16715246/apple-releases-high-sierra-root-security-patch
- macrumors.com/how-to/temporarily-fix-macos-high-sierra-root-bug/
- pocket-lint.com/news/142980-macos-high-sierra-root-bug-allows-admin-access-without-a-password-who-is-affected-and-is-there-a-fix
- businessinsider.com/macos-root-bug-fix-2017-11