macOS High Sierra ‘root’ security bug reappears if you recently upgraded from macOS 10.13 to 10.13.1

Update 12/1/2017: A Wired report states that users of macOS
10.13 High Sierra who installed the root security update will
need to reinstall the update and restart the Mac if the
operating system is upgraded to macOS 10.13.1 High Sierra.
Apple has details in a support document to see if the update has
properly installed.

Update 11/29/17: Apple has released an official fix for the issue via a security
update. You can install the update by launching the App Store
app, and then click on Updates. Press Command-R to reload the
Updates page to see new updates. It will appear as “Security
Update,” and you can click on the Update button to install it.
Your Mac does not need to restart.

If you have problems with file sharing after installing the
update, here are instructions on repairing file sharing.

Apple issued the following statement to Macworld:

Security is a top priority for every Apple product,
and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday
afternoon, we immediately began working on an update that
closes the security hole. This morning, as of 8 a.m., the
update is available for download, and starting later
today it will be automatically installed on all systems
running the latest version (10.13.1) of macOS High
Sierra. 

We greatly regret this error and we apologize to all Mac
users, both for releasing with this vulnerability and for the
concern it has caused. Our customers deserve better. We are
auditing our development processes to help prevent this
from happening again.

On Tuesday, a macOS 10.13.1 security issue was revealed—a flaw
that allows root access to a Mac without the need for a
password. Developer Lemi Orhan Ergin tweeted that anyone can log
into a Mac by entering the user name root without
a password. The first time you try to login, it won’t work. But
if you try it again, you will be granted access. Here’s Erign’s
tweet:

As Apple’s support document notes,
root is a “superuser” that grants access to areas
of the system that are often used by system administrators.

At Macworld, we tried it on our own MacBook Pro running macOS
10.13.1, and the root login worked. See the video below.

This issue seemed to work only after you are logged into a Mac
under a different user name. I wasn’t able to use
root and no password at the Mac’s user login
screen that appears at startup.

An Apple spokesperson sent Macworld the following statement:

We are working on a software update to address this issue. In
the meantime, setting a root password prevents unauthorized
access to your Mac. To enable the Root User and set a
password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a
Root User is already enabled, to ensure a blank password is not
set, please follow the instructions from the ‘Change the
root password’ section.

How to fix the root security issue

Apple has issued an OS X
10.13.1 Security Update
that patches the flaw. In the
description, Apple urges users to “Install this update as soon
as possible.”

However, while this patch will fix this issue, you’ll want to
change the password for root to protect
against future security issues. Here’s how to do that:

1. In the Finder, click on the Go menu and select Go to Folder.

finder go gotofolder.jog
IDG

2. Enter the following:
/System/Library/CoreServices/Applications/ and
then click Go.

go to core services IDG

3. Find the Directory Utility app and launch it.

directory utility icon
IDG

4. Click the lock in the lower left to make changes. In the
pop-up window, enter your user name and password, then click
Modify Configuration.

directory utility make changes
IDG

5. Click on Edit in the menu bar and select Change Root
Password.

6. In the pop-up window, enter a password and verify it. Click
OK.

root change password IDG

7. In the main window of Directory Utility, click the lock to
lock it and prevent further changes.

8. Quit Directory Utility. You are done.

If you try to enter root without a password at a
login prompt, the prompt will shake and reject your login.
You’ll need to enter your new password to gain
root access.

%d bloggers like this: