How to Fix macOS High Sierra Root Security Bug

Apple has released an official fix for the issue through a security update. You can now install the update by launching the App Store app and then important on Updates. Click Command-R to reload the Updates page to see new updates. It will appear as “Security Update,” and you can tap on the Update button to install it. Your Mac does not have to restart. In this article, we are going to talk about How to Fix macOS High Sierra Root Bug. Let’s begin!

A Wired report states that users of macOS 10.13 High Sierra who installed the root security update will have to reinstall the update and also restart the Mac if the operating system is upgraded to macOS 10.13.1 High Sierra. Apple has details in a support document in order to see if the update has properly installed or not.

Apple has recently released a security update for macOS High Sierra that patches the “root” vulnerability dropped yesterday. However, this bug should never have shipped, Apple’s response to the problem and then turn around time on the fix has been impressive and reassuring as well.

High Sierra Root Security Bug

Apple sent me the following statement, have a look:

“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” an Apple spokesperson told iMore.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”

You can find the security update in Software Updates and if you are running macOS High Sierra, then you should download and install it right now. Also, make sure everyone you know does the same. If you do not, Apple will do it for you starting later today.

Apple Statement

Have a look on the details on the patch, from Apple.com:

Security Update 2017-001

Released November 29, 2017

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without even supplying the administrator’s password

Further

This is a zero-day exploit. Lemi Orhan Ergin tweeted to Apple’s support account that he had find a way to log into a Mac running High Sierra through using the superuser “root” and then tapping the login button repeatedly. (Mac’s running Sierra or earlier versions of the OS are not affected.)

Ergin should absolutely have disclosed this to Apple and given the company a chance to patch it before it went public, and Apple should never have allowed the bug to ship, but none of that matters right now.

Here’s what’s important: The “root” account allows super-user access to your system. It’s supposed to be disabled by default on macOS. For whatever reason, it’s not on High Sierra. Instead, “root” is enabled and currently allows access to anyone without a password.

For a basic explanation of what’s actually causing the issue, see Objective See:

  • For accounts that are disabled (i.e. do not have ‘shadowhash’ data) macOS will attempt to perform an upgrade as well
  • Well, during this upgrade, od_verify_crypt_password returns a non-zero value
  • The user (or attacked) specified passwor is then ‘upgraded’ and also saved for the account

So, anybody who has physical access to your Mac or can get through the screen sharing, VNC, or remote desktop, and also enters “root”. And clicks login repeatedly can gain complete access to the machine.

Attachment

Apple sent me the following statement, have a look:

“We are working on a software update to address this issue,” an Apple spokesperson told iMore. “In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

If you are comfortable with the command line, then you can very quickly:

  • Open Terminal.
  • Then type sudo passwd -u root.
  • Enter and then confirm your Root User Password. (Make it a strong, and also unique one!)

If not, then you can use Open Directory Utility:

high sierra root

How to fix the root security bug

Apple has also issued an OS X 10.13.1 Security Update that patches the flaw. In the description, Apple urges its users to “Install this update as soon as possible.”

However, while this patch will fix this issue, you will have to change the password for root to protect against future security issues. Let’s see how you can do that:

Have a Look

  • First, tap on Apple () at the far left of the menubar.
  • Press on System Preferences.
  • Tap on Users and Groups.
  • Press on the Lock (🔒) icon.
  • Then enter your Password.
  • Press on Login Options.
  • Tap on Join or Edit.
  • Press on Open Directory Utility.
  • Tap on the Lock (🔒) icon.
  • Then enter your Password.
  • Now tap on Edit in the menubar.
  • Tap on Enable Root User.
  • Enter and then confirm your Root User Password. (Make it a strong, and also unique one!)

Keep that in mind, Do not disable the Root User. That just blanks the password and also allows the exploit to work again. If you try to enter root without a password at a login prompt, then the prompt will shake and reject your login. You will have to enter your new password in order to gain root access.

Apple has to fix this stat. In the meantime, share this information with everyone you know who uses a Mac on High Sierra and also make sure they test and validate that “root” access is blocked before you let them resume their day.

Conclusion

Alright, That was all Folks! I hope you guys like this article and also find it helpful to you. Give us your feedback on it. Also if you guys have further queries related to this article. Then let us know in the comments section below. We will get back to you shortly.

Have a Great Day!

Also See: Apple Watch GPS vs Cellular – What is the Difference

Add a Comment

Your email address will not be published. Required fields are marked *