With profuse apologies, Apple has rushed to respond to the appalling macOS High Sierra security flaw, issuing a software update that is available for download immediately and will be installed automatically on existing Macs.
‘We greatly regret’
Apple has shared the following statement:
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
“We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
What’s the problem?
The flaw meant that anyone with physical access to a Mac could gain root (superuser) access simply by entering root as the user name and leaving the password field blank, as explained here.
“Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.”
It is important to note that once this update is installed, the root user is disabled again, so if you rely on it you will need to re-enable it. That won’t trouble most Mac users, but it may matter to system administrators in deployments that depend on the root account.
“If you require the root user account on your Mac, you will need to re-enable the root user and change the root user’s password after this update,” Apple warns.
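As an added example (not code from the article or from Apple), here is a POSIX shell check a Mac administrator could run after installing the update: it classifies the root account’s state from the value dscl reports for its AuthenticationAuthority attribute, and looks for the update in the install history. The update name “Security Update 2017-001” and the `;DisabledUser;` / `;ShadowHash;` tags are assumptions not taken from the page, and the sample dscl and install-history text is constructed.

```shell
#!/bin/sh
# Post-patch check for the High Sierra root-login issue (added example, not Apple's code).
# Assumes macOS dscl(1) output such as
#   AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
# where ;DisabledUser; marks a disabled account and ;ShadowHash; a stored local password hash.

# Classify root's state from the raw `dscl . -read /Users/root AuthenticationAuthority` text.
classify_root_auth() {
  case "$1" in
    *';DisabledUser;'*) echo disabled ;;               # expected state after the update
    *';ShadowHash;'*)   echo enabled-with-password ;;  # acceptable if you need root
    *)                  echo enabled-no-password ;;    # no local password hash recorded
  esac
}

# Return 0 if update name $2 appears in install-history text $1
# (the text of `system_profiler SPInstallHistoryDataType`).
update_installed() {
  case "$1" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Human-readable verdict for a classification from classify_root_auth.
root_verdict() {
  case "$1" in
    disabled)              echo "OK: root is disabled" ;;
    enabled-with-password) echo "OK: root is enabled and has a password set" ;;
    *)                     echo "ACTION: root is enabled with no password; set one or disable it" ;;
  esac
}

# Constructed sample inputs, so the functions can be exercised off a Mac.
SAMPLE_AA_DISABLED='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_AA_NOPASS='AuthenticationAuthority: ;LocalCachedUser;'
SAMPLE_HISTORY_PATCHED='    Security Update 2017-001:
      Version: 1.0
      Source: Apple'
UPDATE_NAME='Security Update 2017-001'   # assumed name of the fix

# Live check, only when running on macOS with dscl available.
if [ "$(uname -s)" = Darwin ] && command -v dscl >/dev/null 2>&1; then
  aa=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null || true)
  hist=$(system_profiler SPInstallHistoryDataType 2>/dev/null || true)
  root_verdict "$(classify_root_auth "$aa")"
  update_installed "$hist" "$UPDATE_NAME" && echo "OK: $UPDATE_NAME installed" \
    || echo "ACTION: $UPDATE_NAME not found in install history"
fi
```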
About this patch
Apple deserves some praise for reacting to the flaw so swiftly.
While the problem should never have existed, the company has certainly acted fast, apologized and shown just how seriously it takes this problem.
You can tell the company takes this very seriously because it has chosen to use its ability to push updates to Macs automatically.
This is only the second time the company has done this; the first was back in 2014, when it used its automatic security update mechanism to deploy a fix for a critical vulnerability in NTP, the Network Time Protocol.
Apple at that time said the issue was sufficiently severe that it wanted to act fast to protect its customers.
While I still think the existence of this latest, quickly patched flaw was not up to Apple’s standard, the speed with which the company has issued the fix shows just how much more focused on security it can be than some competitors.
I advise all Mac users to update the OS immediately.
Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic’s Kool Aid Corner community and get involved with the conversation as we pursue the spirit of the New Model Apple?
Got a story? Please drop me a line via Twitter and let me know. I’d like it if you chose to follow me there so I can let you know about new articles I publish and reports I find.