APPLE HAS RELEASED a fix for the 'devastating' macOS High Sierra bug that allowed anyone to gain root access without a password.
The fix, which arrives as 'Security Update 2017-001', is available to download from the Mac App Store now, and promises to plug the easy-to-exploit flaw. Apple has detailed the content of the update over on its Support website.
In a statement seen by Buzzfeed, the firm said: "Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
"When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
"We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are authoring our development process to help prevent this from happening again."
The flaw, uncovered on Tuesday, let anyone gain admin rights on a macOS machine by typing "root" as the username in the authentication dialogue box, leaving the password field blank and clicking on the "unlock" button twice.
Yes, it's that easy.
This essentially means that if you leave your Mac unattended, somebody could, in theory, wreak havoc on your machine by installing malware, deleting your Apple ID, looking up passwords in Keychain Access or even disabling FileVault.
Turkish developer Lemi Orhan Ergin outed the flaw on Twitter on Tuesday (below) but has since received criticism for the "irresponsible" way in which he did so.
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs — Lemi Orhan Ergin (@lemiorhan) November 28, 2017
However, the bug was quietly discussed on Apple's developer forums two weeks ago, and virtually no one, including Apple, seemed to notice.
Ahead of the release of today's software update, Apple offered up a temporary workaround that requires setting up a root password.
"In the meantime, setting a root password prevents unauthorized access to your Mac," an Apple spokesperson said.
"To enable the Root User and set a password, please follow the instructions here: https://support.apple.
In a statement given to INQ, Tyler Moffitt, senior threat research analyst at Webroot, described the flaw as "devastating", but noted that things could have been a lot worse.
"This is a very surprising bug that evaded the quality control on MacOS High Sierra. Apparently, this also works on FileVault in the MacOS which makes this bug quite devastating.
"The good news is that as of right now, there is not any mention of malware that leverages this security flaw.
"We can expect Apple to quickly release a fix for this vulnerability. In the meantime, impacted users with admin access should type the following command from the terminal: '$ sudo passwd root'. After typing the command, the user should enter his/her password then create a new password for the root user." µ