Apple fixes root password bug: 'Install this update as soon as possible'

Well, that was fun while it lasted…


Well, to their credit, it didn't take Apple long to fix their horrendous bug that allowed *anyone* to log into computers running macOS High Sierra with admin rights, without needing to know a password.

The security update - which Apple advises should be installed "as soon as possible" - is being pushed out via the Mac App Store.

Here is how Apple is describing the vulnerability:

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

To install the security update, simply open the Mac App Store and click on the "Updates" tab. All you have to do then is click on "Update", and you'll be sorted.
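As an added example (not code from this article, and not Apple's), here is a small POSIX shell check a Mac administrator could run to see whether a machine sits in the affected range, whether the fix shows up in its install history, and whether the root account has been left enabled. The affected-range logic follows Apple's note above that 10.12.6 and earlier are not impacted; the `dscl` behaviour and the update name "Security Update 2017-001" are assumptions drawn from outside this article, so adjust them if your fleet reports differently.

```shell
#!/bin/sh
# Added example, not from the article: a defender-side check for a Mac's
# exposure to CVE-2017-13872. The version helper is plain POSIX sh and runs
# anywhere; the other checks call macOS tools and only mean something there.

# Return 0 when a product version string falls in the affected range.
# Assumption taken from Apple's note: 10.12.6 and earlier are not impacted,
# so any 10.13.x release is treated as affected until the fix is confirmed.
is_affected_version() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    [ "$major" = "10" ] && [ "$minor" = "13" ]
}

# Return 0 if the root account has credentials set, i.e. is enabled.
# Assumption (not stated on the page): on a stock Mac root is disabled and
# has no AuthenticationAuthority attribute, so dscl exits non-zero. A Mac
# on which the bug was triggered is left with root enabled.
root_account_enabled() {
    dscl . -read /Users/root AuthenticationAuthority >/dev/null 2>&1
}

# Return 0 if the fix appears in the install history. Assumption: Apple
# shipped it under the name "Security Update 2017-001" (the article only
# calls it "the security update"). A patched 10.13.1 still reports 10.13.1,
# which is why the version string alone cannot confirm the fix.
fix_installed() {
    softwareupdate --history 2>/dev/null | grep -q "Security Update 2017-001"
}

# Print a short report and return 0 (fine), 1 (action needed) or 2 (not macOS).
report() {
    ver=$(sw_vers -productVersion 2>/dev/null) || { echo "not macOS"; return 2; }
    if ! is_affected_version "$ver"; then
        echo "macOS $ver: outside the affected range"
        return 0
    fi
    status=0
    if fix_installed; then
        echo "macOS $ver: security update present"
    else
        echo "macOS $ver: security update NOT found - install it from the Mac App Store"
        status=1
    fi
    if root_account_enabled; then
        echo "WARNING: root account is enabled; disable it in Directory Utility unless that is intended"
        status=1
    fi
    return $status
}

# Usage: sh check-root-bug.sh --check
[ "${1:-}" = "--check" ] && report
```

The three checks are deliberately separate functions so the script can be dropped into an inventory or MDM run as a single exit status, while a one-off operator can still call `report` by hand.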

Kudos to Apple for readying a fix so quickly, but a security hole as big as this should never have got past quality control in the first place.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:




4 Responses

  1. AJC

    November 29, 2017 at 8:35 pm

    Clearly the Apple chimpanzees were concentrating too much on their latest Shakespearean pastiche!

  2. BillBlagger

    November 30, 2017 at 12:22 pm

    Appears the 'fix' breaks file sharing for some
    https://www.theguardian.com/technology/2017/nov/30/apple-macos-high-sierra-fix-breaks-file-sharing-password-security-flaw-emergency-patch

  3. Kevin H

    December 2, 2017 at 6:07 pm

    I don't see how what is described is possible because when you try to log in to a locked mac you cannot enter an arbitrary username – you have to click on an icon for a username. If you have enabled the root user then you get an "other" icon to click on and then you can enter username/password, but if the root user is disabled then you don't get that option. I tried all kinds of things but was unable to get the login prompt for a username. Did I miss something?

    • Graham Cluley in reply to Kevin H.

      December 4, 2017 at 9:29 am

      If you're not seeing it at the login prompt then just wait until you try to do something which requires elevated privileges after you've logged in. For instance, tinkering with preferences or installing an application.

      At that point you're asked to enter credentials with admin privileges and this "root" trick could have been used.
