Huge security bug in macOS High Sierra

28 November 2017

A vulnerability was found earlier today which gives anyone full access to your computer without them having your username or password.

This applies to Macs running macOS 10.13 High Sierra – the latest version of macOS. In short, anyone can walk up to your computer, type in their username as “root” with no password, and they will automatically be logged in.

It works on the login screen as well as any prompt in the system which requests your username and password.

The “root” user is sometimes referred to as the superuser as it is allowed to do almost anything at all on your computer, totally unhindered. In terms of gaining unauthorised access to a computer system, “root” is the Holy Grail.

Some people are saying that this is a local vulnerability, meaning someone needs physical access to your computer to exploit it, but that is not the case: it also works over Screen Sharing.

This is a big security issue, and if you have a Mac running macOS 10.13, you need to take action.

Apple has said that a fix is in the works, but they haven’t announced when it will become available.

Until then, we have a workaround with a few simple steps that we strongly urge you to follow.

  1. Click the Spotlight icon at the top of your screen (it looks like a magnifying glass)
  2. Type “Directory Utility”
  3. Open the Directory Utility app that shows up in the list.
  4. Click the lock in the lower left corner and enter your name and password
  5. Click the “Edit” menu and choose “Enable root user” (this may show as “Change root password”)
  6. Enter a really strong password, one which you haven’t used anywhere else for anything.
  7. Click OK.
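A scripted version of the check behind these steps, added here as an example and not part of the original post: it reads the macOS version and the root account's state with the standard `sw_vers` and `dscl` tools, and points to `dsenableroot` as the command-line equivalent of setting a root password in Directory Utility. The verdict strings and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a Mac for the condition the
# post describes: an affected High Sierra release whose root account has never
# been given a password. sw_vers and dscl are standard macOS tools; the parsing
# lives in functions that take command output as text, so the logic can be
# exercised on constructed samples without a Mac.

# 0 (true) for the releases the post covers: 10.13 and 10.13.1. Note that a
# 10.13.1 system with Security Update 2017-001 installed still reports 10.13.1,
# so this check alone does not prove the fix is missing.
is_affected_version() {
    case "$1" in
        10.13|10.13.0|10.13.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify root from the text of `dscl . -read /Users/root AuthenticationAuthority`
# (stderr included). A missing key means root was never enabled, which is the
# state the post's workaround (enable root with a strong password) changes.
root_state() {
    case "$1" in
        *"No such key"*|"")      echo "never-enabled" ;;
        *ShadowHash*|*Kerberos*) echo "enabled" ;;
        *)                       echo "unknown" ;;
    esac
}

# Combine version and account state into one verdict string.
verdict() {
    if ! is_affected_version "$1"; then
        echo "not-affected-release"
    elif [ "$2" = "never-enabled" ]; then
        echo "vulnerable-set-root-password"
    else
        echo "root-enabled-verify-strong-password"
    fi
}

main() {
    v=$(sw_vers -productVersion 2>/dev/null || echo "unknown")
    auth=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 || true)
    result=$(verdict "$v" "$(root_state "$auth")")
    echo "macOS $v: $result"
    case "$result" in
        vulnerable*) echo "Run: sudo dsenableroot  (then install Security Update 2017-001)" ;;
    esac
}

main
```

On a non-Mac host the tools are absent, so the script simply reports the release as unknown and not affected.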

Please don’t delay. Do this now, and let everyone else know to do it too.

Update:

Apple has now released a fix for this issue, labelled Security Update 2017-001; it is available via the Updates section in the App Store. They have also earmarked it as a Critical Update, meaning it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.