Programming Note: This site will be on break through the holidays and return in January. Be sure to subscribe or check back for updates!

Snippet: Major macOS High Sierra Bug Allows Full Admin Access Without Password ☇

Shared on November 29, 2017

Juli Clover for MacRumors:

There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.

The bug, discovered by developer Lemi Ergin, lets anyone log into an admin account using the username “root” with no password. This works when attempting to access an administrator’s account on an unlocked Mac, and it also provides access at the login screen of a locked Mac.

This bug is particularly concerning and I’m really curious how this happened. I’m baffled that this made it in the wild and it not only needs to be fixed immediately. In the meantime, Apple has posted a fix, which is to enable the root account and set a password.

Update: It’s been patched, so you can go grab the update and install without even restarting. Furthermore, John Gruber shares word from an Apple spokesperson and summarizes the situation nicely:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

Quick turnaround, and a strong apology. The bug never should have happened, but given that it did, you couldn’t ask for a better, faster response. To my memory, this is only the second time Apple has used MacOS’s automatic — that is to say, non-optional — update mechanism. The other was the NTP Security Update in 2014, that affected Mac OS X 10.8 through 10.10.

Snippets are posts that share a linked item with a bit of commentary.