Apple fixes root password bug: ‘Install this update as soon as possible’

Well, that was fun while it lasted…

Graham Cluley

Well, to their credit, it didn’t take Apple long to fix their horrendous bug that allowed *anyone* to log into computers running macOS High Sierra with admin rights, without needing to know a password.

The security update – which Apple advises should be installed “as soon as possible” – is being pushed out via the Mac App Store.

Here is how Apple is describing the vulnerability:

Directory Utility

Available for: macOS High Sierra 10.13.1

Not impacted: macOS Sierra 10.12.6 and earlier

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

CVE-2017-13872

To install the security update, simply open the Mac App Store and click on the “Updates” tab. All you have to do then is click on “Update”, and you’ll be sorted.

Kudos to Apple for readying a fix so quickly, but a security hole as big as this should never have got past quality control in the first place.
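Apple’s advisory only says that “a logic error existed in the validation of credentials”; it does not describe the defect’s internals. The snippet below is an added example (mine, not Apple’s code and not the actual macOS bug) of the general bug class: a credential check that fails open when an account has no usable stored secret, next to the fail-closed version, together with the kind of regression check that quality control should run so that a bug of this shape cannot ship. The directory contents, account names, `validate_buggy`, `validate_fixed` and `regression_check` are all constructed for the illustration.

```python
"""Illustrative fail-open credential check and its fail-closed fix.

Added example: a generic sketch of the bug class Apple describes (a logic
error in credential validation). This is NOT Apple's code and NOT the actual
macOS defect; the advisory does not describe how that bug worked.
"""
import hashlib
import hmac

# Constructed user directory: username -> (salt, hash), or None when the
# account exists but is disabled and has no password set.
def _hash(salt: bytes, password: str) -> bytes:
    # Low iteration count only to keep this example fast; use far more in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

SALT = b"constructed-salt"
DIRECTORY = {
    "alice": (SALT, _hash(SALT, "correct horse")),  # an ordinary admin account
    "root": None,                                   # disabled: nothing stored
}


def validate_buggy(username: str, password: str) -> bool:
    """Fail-open: a missing stored hash is treated as 'nothing to check'."""
    record = DIRECTORY.get(username)
    if record is None:
        return True  # BUG: a disabled or unknown account passes with any password
    salt, stored = record
    return hmac.compare_digest(_hash(salt, password), stored)


def validate_fixed(username: str, password: str) -> bool:
    """Fail-closed: any account without a usable stored hash is rejected."""
    record = DIRECTORY.get(username)
    if not record:
        return False  # disabled or unknown accounts can never authenticate
    salt, stored = record
    return hmac.compare_digest(_hash(salt, password), stored)


def regression_check(validate) -> list[str]:
    """Return the names of the cases a credential validator gets wrong.

    These are the release-blocking checks a QA suite should run: disabled
    and unknown accounts must be rejected whatever password is supplied,
    while real credentials keep working.
    """
    cases = {
        "disabled account, empty password": (("root", ""), False),
        "disabled account, any password": (("root", "anything"), False),
        "unknown account, empty password": (("nobody", ""), False),
        "valid credentials": (("alice", "correct horse"), True),
        "wrong password": (("alice", "wrong"), False),
    }
    return [name for name, (args, expected) in cases.items()
            if validate(*args) != expected]


if __name__ == "__main__":
    print("buggy validator fails:", regression_check(validate_buggy))
    print("fixed validator fails:", regression_check(validate_fixed))
```

The point of `regression_check` is that the dangerous cases are the negative ones: a test suite that only confirms valid logins succeed would have passed the buggy validator, while the three “must be rejected” cases catch it immediately.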

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

Smashing Security #054: 'A great big fat macOS bug'

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

4 comments on “Apple fixes root password bug: ‘Install this update as soon as possible’”

  1. AJC

    Clearly the Apple chimpanzees were concentrating too much on their latest Shakespearean pastiche!

  2. BillBlagger

    Appears the 'fix' breaks file sharing for some
    https://www.theguardian.com/technology/2017/nov/30/apple-macos-high-sierra-fix-breaks-file-sharing-password-security-flaw-emergency-patch

  3. Kevin H

    I don't see how what is described is possible because when you try to log in to a locked Mac you cannot enter an arbitrary username – you have to click on an icon for a username. If you have enabled the root user then you get an "Other" icon to click on and then you can enter username/password, but if the root user is disabled then you don't get that option. I tried all kinds of things but was unable to get the login prompt for a username. Did I miss something?

    1. Graham Cluley · in reply to Kevin H

      If you're not seeing it at the login prompt then just wait until you try to do something which requires elevated privileges after you've logged in. For instance, tinkering with preferences or installing an application.

      At that point you're asked to enter credentials with admin privileges and this "root" trick could have been used.
