macOS High Sierra security update fixes the root bug

by Olivia Morelli - - 2017-11-30

Apple released a security update for macOS High Sierra to fix root bug

Apple didn’t take long to fix a major security vulnerability detected in macOS High Sierra that allowed getting admin access to the computer without a password. The issue was reported on 28th of November.^[1] One day later, Apple released a Security Update 2017-001^[2] which fixes the flaw.

macOS High Sierra 10.13 and macOS High Sierra 10.13.1 users can already download the update manually from Mac App Store. Apple starts an automatic installation of the security patch soon too.

The release of the update was followed by company’s apology for putting user’s in danger:

“We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”

However, the company did not address and fix the bug in macOS High Sierra 10.13.2 which is currently available for the developers and public beta testers.

Software developer reported about the macOS High Sierra bug on Twitter

Developer Lemi Orhan Ergin was the one who spoke up about the issue with a root user on Twitter.^[3] Anyone who got physical access to the Mac computer could get System Administrator access without a password. The flaw allowed only typing “root” as username, keeping the password form empty and clicking unlock button two times.

Simple as that anyone who had physical access to Mac computer could get access to it, change passwords or obtain other sensitive information stored on the device.

However, he was not the only one who found the flaw. The same issue was discussed in Apple developers forums a few weeks ago. However, the company did not pay attention to it. Ergin’s post on Twitter received lots of feedback. He was criticized for reporting the issue on the social network instead of contacting Apple directly.

Despite the harsh discussions in his profile, the problem was solved. The publicity helped, and Apple fixed the flaw immediately.

The bug is fixed, but new error emerges

Nevertheless, the major security bug in macOS High Sierra is fixed; the same update caused new problems for some Mac users.^[4] Users reported that Security Update 2017-001 broke file-sharing feature. Problems might occur when macOS High Sierra 10.13.1 users try to authenticate or connect to file shares.

Fortunately, Apple quickly offered a solution to the problem.^[5] Thus, if you encountered the same issue after the update, follow these steps to fix it:

Open Applications folder, go to Utilities folder and Open Terminal.
In the Terminal type this command: sudo /usr/libexec/configureLocalKDC.
Press Return.
Type your administrator password.
Press Return.
Quit the Terminal app.

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions

References

^ Linas Kiguolis. MacOS High Sierra Bug Grants Admin Access to Your Mac: How to Fix It?. Ugetfix. How to fix a computer.
^ About the security content of Security Update 2017-001. Apple Support. The official Apple Support website.
^ Lemi Orhan Ergin tweet about macOS security flaw. Twitter. The social network.
^ Chance Miller. PSA: Today’s macOS security update breaks file sharing for some users, here’s how to fix. 9to5Mac.News and reviews for Apple products, apps, and rumors.
^ Repair file sharing after Security Update 2017-001 for macOS High Sierra 10.13.1. Apple Support. The official Apple Support website.