Apple fixes root password bug: ‘Install this update as soon as possible’

Graham Cluley


Well, to their credit, it didn’t take Apple long to fix their horrendous bug that allowed *anyone* to log into computers running macOS High Sierra with admin rights, without needing to know a password.

The security update – which Apple advises should be installed “as soon as possible” – is being pushed out via the Mac App Store.

Here is how Apple is describing the vulnerability:

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

To install the security update, simply open the Mac App Store and click on the “Updates” tab. All you have to do then is click on “Update”, and you’ll be sorted.

Kudos to Apple for readying a fix so quickly, but a security hole as big as this should never have got past quality control in the first place.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Smashing Security #054: 'A great big fat macOS bug'


Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “Apple fixes root password bug: ‘Install this update as soon as possible’”

  1. Appears the 'fix' breaks file sharing for some
    https://www.theguardian.com/technology/2017/nov/30/apple-macos-high-sierra-fix-breaks-file-sharing-password-security-flaw-emergency-patch

  2. I don't see how what is described is possible because when you try to log in to a locked Mac you cannot enter an arbitrary username – you have to click on an icon for a username. If you have enabled the root user then you get an "other" icon to click on and then you can enter username/password, but if the root user is disabled then you don't get that option. I tried all kinds of things but was unable to get the login prompt for a username. Did I miss something?

    1. If you're not seeing it at the login prompt then just wait until you try to do something which requires elevated privileges after you've logged in. For instance, tinkering with preferences or installing an application.

      At that point you're asked to enter credentials with admin privileges and this "root" trick could have been used.
