Apple rushes out fix for big macOS High Sierra security flaw

Apple has rolled out a fix for a massive security flaw in macOS High Sierra.

The issue, disclosed on Tuesday, allows anyone to gain administrator access to your Mac without your login password. Apple asks users to install its latest update “as soon as possible.”

Apple prides itself on its software security, which makes this flaw even more surprising. Developer Lemi Orhan Ergin was first to spot it and post the details on Twitter.

Somehow, Apple made it so that anyone could gain administrator access to a Mac running High Sierra without the login name or password. It was as easy as entering “root” as the username and leaving the password field blank.

Get Apple’s latest macOS update now

Apple quickly published a support document that explained how to protect a Mac against the flaw, but it’s thought the company wasn’t even aware there was a problem before Ergin brought it to light.

Due to the severity of the issue, Apple has issued a fix within 24 hours. It’s available to download now from the Mac App Store, and Apple recommends, in bold letters, that it should be installed by all users “as soon as possible.”

Earlier versions of macOS are not affected by the problem.

In a statement provided to Daring Fireball, Apple says it regrets the error and apologizes to all Mac users.

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.