New Flaw in macOS High Sierra Allows Anyone Easy Login Access

A Turkey-based software developer alerted Apple of a bug that allows malicious actors to bypass the security of the macOS High Sierra 10.13 operating system and take full control of the computer. Apple has released a workaround and is currently working on a full patch. Mac users are advised not to leave their computers unattended to avoid potential compromise.

The bug can be triggered when hitting a prompt in High Sierra that asks for a username and password before logging into a machine with multiple users. Typing "root" as a username, leaving the password field blank, and clicking "unlock" twice is enough to give an unauthorized party full access to a Mac computer. The abovementioned information about the bug became publicly available in the Apple Developers Forum two weeks ago.

A malware designed to exploit the flaw could also install itself on the computer without requiring a password. This latest flaw in High Sierra can allow malicious actors to add administrators, change critical settings, lock out the Mac owner, and risk private user data. Macs with remote desktop access enabled can also be used to gain admin access via this vulnerability.

Apple confirmed the security issue and provided a quick workaround, with a long-term patch already in the works. "We are working on a software update to address this issue," a spokesperson from the tech giant said.

In October, the macOS High Sierra 10.13 operating system already had a slew of patched bugs, which included another easy-to-exploit vulnerability that leaks a user’s password. Earlier versions of the OS was also seen ruining hard drives in iMacs, and rendering kernel-level security protections useless due to weak code implementation.

Mitigation

Apple published guidelines on how to keep malicious actors from exploiting the flaw by enabling the root account and setting a password for it. While there is an option to disable the root user, it is recommended not to do so before it's patched. Enabling the root user only to disable it afterwards will make the efforts of combating the threat futile, since the flaw that exists in High Sierra will make the computer vulnerable again when the root user is disabled.

To change the root password, users can navigate Users & Groups (or Accounts) under System Preferences. Because of the greater privileges the root user has, users are advised to make their passwords unique and complex.

Updated November 29, 2017 10:00 PM

Apple has released a patch to address this vulnerability. All users of macOS High Sierra 10.13 are encouraged to immediately update.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.