This morning Apple released a fix for the flaw discovered yesterday in their macOS High Sierra system. Anyone using High Sierra would potentially be at risk of data theft via unauthorized login without this software update today. The security flaw allowed any user to log in to an Apple computer by logging in with the self-created user ROOT.
The ROOT login flaw is present in all versions of macOS High Sierra – any sort of High Sierra machine you might have, that is to say. This does NOT affect any other version of macOS or OS X. No older machines are affected without High Sierra onboard.
• Impacted: macOS High Sierra 10.13.1
• Not impacted: macOS Sierra 10.12.6 and earlier
• CVE-ID: CVE-2017-13872
DON’T SEE THE UPDATE YET? Fix this flaw another way, quick
Users were informed today that they should update their Apple computer as soon as possible. In fact the update as it appears as an alert from Apple includes the text: “Install this update as soon as possible.” The rest shows “Security Update 2017-001” – the first big security update of this kind this year (thankfully the only one needed.)
This security update “is recommended for all users and improves the security of macOS.” The security update notes that go along with this update from Apple include: “Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.” Apple listed Impact as “An attacker may be able to bypass administrator authentication without supplying the administrator’s password.”
This flaw was discovered yesterday much to the shock of social networks and tech blogs alike. Twitter lit up with possibilities, including logging in through Remote Desktop and VNC – tested and viable, too. Apple developers took a matter of hours before finding the culprit behind this situation, fixing it, and issuing an update to all computers with macOS High Sierra onboard.