How to address Apple’s severe High Sierra ‘root’ flaw
An Apple vulnerability that allowed anybody to access a Mac running the latest version of its operating system became widely known on Tuesday. Although Apple fixed the problem, the severity of the bug worries independent security researchers.
As it released a security patch on Wednesday, Apple recommended that all Mac users install the update to close the vulnerability.
“We greatly regret this error, and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused,” Apple said in a statement. “We are auditing our development processes to help prevent this from happening again.”
Apple did not return a request for comment.
The flaw, first reported on November 13 in Apple’s developer forums and subsequently publicly reported to Apple via Twitter by a Turkish software engineer, allows anybody with physical access to a computer running Mac OS X 10.13 High Sierra to unlock it and gain privileged administrator rights. Someone could do this by using a default method Apple accidentally introduced in the operating system, which it released to the public on September 25.
To unlock and gain unrestricted access to programs, files, and settings on a Mac running High Sierra prior to patching, someone could simply enter the word “root” as the username. (No password necessary.)
The root account, which is disabled by default in older versions of Mac OS X, “fundamentally breaks basic security” for Macs running High Sierra, says Patrick Wardle, chief security researcher at Synack and known for his expertise in Apple products.
Brandon Creighton, another well-known security researcher, tweeted that he was able to exploit the root flaw remotely, meaning that a hacker wouldn’t have to be sitting in front of the Mac to unlock it.
macos 10.13 bug isn’t limited to root in all circumstances; via ARD, you can log in as any existing user (e.g. _applepay) and share the screen of the logged-in user. also _uucp is allowed to log in
— cstone (@unsynchronized) November 28, 2017
If you are unable to install Apple’s patch, you can still secure your Mac from unauthorized root access.
Step 1: Go to System Preferences, then Users and Groups, then Login Options
Step 2: Next to Network Account Server, click on Join
Step 3: Choose Open Directory Utility and click the lock. Enter your password to make changes
Step 4: Select Change Root Password from the menu bar
Step 5: Create a strong, unique password that’s easy to remember but hard for machines to guess—ideally, a phrase with some unique characters and spaces.
Although Apple responded quickly with an acknowledgement and patch, once the flaw was public, people shouldn’t overlook the fact that the flaw—simple, widespread, and severe—had been available to hackers for at least for two weeks beforehand, Wardle says.
To prevent simple but critical flaws like this from being introduced, Wardle says, Apple should offer independent researchers a bug bounty for Macs. It already has one for iPhones.
“Recently, we’ve seen missteps by Apple, mostly in High Sierra,” he says. And this particular misstep was “about as easy as it gets…[The exploit] works 100 percent of the time, and it’s very stable. Malware writers love this because it’s so stable.”