Apple has provided a fix for an embarrassing security flaw affecting Mac laptop and desktop users running macOS High Sierra that allows anyone with physical access to a Mac to gain admin access without a password.
The issue came to light less than 24 hours earlier, and was immediately flagged as one of the largest vulnerabilities ever to hit a major OS. Shortly after it was revealed, Apple published a step-by-step guide for users to protect their Macs until a fix rolled out.
The flaw allows anyone to log into a Mac running High Sierra with the username ‘root’ and a blank password after clicking the login button several times.
Many less-than-ideal hacking scenarios come to mind immediately, but a few things that are possible with system administrator permissions include scanning through the Key Vault passwords saved on the machine, wiping the entire system, or adding a new user with admin permissions and removing the old one.
“We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again." pic.twitter.com/I8U5q58SDw
— Rene Ritchie (@reneritchie) November 29, 2017
In a statement to press, Apple said: “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
In its note on the security update, the company explained that “A logic error existed in the validation of credentials. This was addressed with improved credential validation.”
The update for the vulnerability became available for download through the Mac App Store on the morning of the 29th. Apple says that starting later in the day, it will automatically install on all systems running the latest version of macOS High Sierra (10.13.1).
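For an administrator responsible for more than one Mac, the practical question after reading the above is which machines are still exposed: running High Sierra (10.13.x), without the update, and without the interim protection applied. The following is an added example, not Apple's code and not from the article, that sorts constructed inventory records into four classes. It assumes a hypothetical inventory agent that collects the output of `sw_vers -productVersion` and of `dscl . -read /Users/root AuthenticationAuthority` from each host, uses a placeholder name for the update (the article does not give one), and treats "root account has a real password set", which is what Apple's published workaround amounted to and which the article does not spell out, as the mitigated state. It goes beyond the article in covering a whole fleet rather than a single Mac.

```python
# Added example (not Apple's code, not from the article): a small fleet-triage
# helper that sorts Mac inventory records into "not-affected", "patched",
# "mitigated" or "exposed" for the High Sierra blank-root-password bug.
#
# Assumptions, all constructed for this example:
#  - each record carries the output of `sw_vers -productVersion` and of
#    `dscl . -read /Users/root AuthenticationAuthority`, collected by some
#    inventory agent (hypothetical);
#  - FIX_ID is a placeholder for the name the installer reports for the fix;
#    the article does not give it;
#  - the interim workaround is treated as "root account has a real password
#    set", visible as a ShadowHash authority on the root record (Apple's
#    published workaround; its details are outside the article).

from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

FIX_ID = "PLACEHOLDER-HIGH-SIERRA-ROOT-FIX"  # placeholder, not a real update name


@dataclass
class MacRecord:
    hostname: str
    product_version: str          # e.g. "10.13.1"
    installed_updates: List[str]  # names reported by the installer
    root_auth_authority: str      # raw dscl output for the root record


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.13.1' into (10, 13, 1); non-numeric parts count as 0."""
    parts = []
    for piece in text.strip().split("."):
        parts.append(int(piece) if piece.isdigit() else 0)
    return tuple(parts)


def is_high_sierra(version: str) -> bool:
    """The bug is specific to macOS 10.13.x (High Sierra)."""
    return parse_version(version)[:2] == (10, 13)


def root_has_password(dscl_output: str) -> bool:
    """A disabled root account has no AuthenticationAuthority key at all
    (dscl reports 'No such key'); an enabled one with a password carries a
    ShadowHash authority. Assumed dscl output format for this example."""
    return "ShadowHash" in dscl_output


def triage(rec: MacRecord) -> str:
    """Classify one host; 'exposed' is the class worth alerting on."""
    if not is_high_sierra(rec.product_version):
        return "not-affected"
    if FIX_ID in rec.installed_updates:
        return "patched"
    if root_has_password(rec.root_auth_authority):
        return "mitigated"   # workaround in place, update still needed
    return "exposed"


def triage_fleet(records: Iterable[MacRecord]) -> Dict[str, str]:
    """Map each hostname to its triage class."""
    return {r.hostname: triage(r) for r in records}


# Constructed sample inventory, not real hosts.
SAMPLE_FLEET = [
    MacRecord("mbp-01", "10.13.1", [], "No such key: AuthenticationAuthority"),
    MacRecord("mbp-02", "10.13.1", [FIX_ID], "No such key: AuthenticationAuthority"),
    MacRecord("imac-03", "10.13.0", [],
              "AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>"),
    MacRecord("mini-04", "10.12.6", [], "No such key: AuthenticationAuthority"),
]

if __name__ == "__main__":
    for host, status in triage_fleet(SAMPLE_FLEET).items():
        print(f"{host}: {status}")
```

The "mitigated" class is deliberately kept separate from "patched": a root password blocks the blank-password login, but the update that corrects the credential-validation logic is still needed, so those hosts stay on the follow-up list.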