Apple says fix incoming for macOS High Sierra root access bug

In identical statements to The Loop's Jim Dalrymple and iMore's Rene Ritchie, Apple says it is crafting a patch for a major macOS High Sierra security hole that grants root level access to a logged-in Mac.

"We are working on a software update to address this issue," Apple said. "In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a black [sic] password is not set, please follow the instructions from the 'Change the root password' section."

Discovered earlier today, the flaw allows anyone to log in under a Mac's "root" System Administrator without the need for a password. In practice, the exploit merely requires access to System Preferences, and can be performed in a matter of seconds. Nefarious users can also exploit the bug to bypass a Mac's lock screen.

Beyond those who have direct access to a vulnerable Mac, the security hole also works remotely in certain scenarios where screen sharing, remote access or VNC sessions are enabled. Users should disable those features until Apple's update arrives.

As AppleInsider reported when the vulnerability was first aired today, macOS High Sierra users can prevent unauthorized Mac access by disabling the Root User under System Preferences. Alternatively, and as Apple suggests, users can enable the Root account and set a password.

Apple failed to provide a release timeline, but considering the bug impacts system-level directories and is relatively easy to exploit, a software update should be out soon.