Apple issues macOS High Sierra update to fix password-less root vulnerability

Apple on Wednesday released a special security update for macOS High Sierra, solving a recently uncovered flaw which would let people gain root access without entering a password.

The patch, Security Update 2017-001, should be available through the Updates tab in the Mac App Store. After installation, the build number of High Sierra will be 17B1002.

Apple notes that if people require a root user account on their Mac, they can create one and assign a password through System Preferences.

The vulnerability was first exposed on Tuesday. Within hours, Apple was already promising an update, though it didn't provide an exact timeline.

Apple also issued a statement to The Loop on the misstep:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

55 Comments

MacPro 18 Years · 19845 comments

About 7 years ago

That was fast! Well done Apple.

bloodshotrollin'red 16 Years · 437 comments

Unless already baked in, this security update patch is not available if using the current 10.13.2 Beta (17C83a) build.

philboogie 15 Years · 7669 comments

Ok to use black as the password user root?

We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.

Nice to know, Apple. However, with the best will and intentions in the world, this type of security error will occur again.

The seriousness with which you have audited release iterations these past few years (being the exact opposite approach of best practice from Google and Microsoft) is why I have stayed loyal to the marque.

randominternetperson 8 Years · 3101 comments

I'm impressed. I wouldn't have thought it possible to push out of fix to users within (essentially) 24 hours of being notified of the vulnerability. Perhaps you have to be in IT and have some experience with release management to appreciate how exceptional this type of turnaround is. More than a people at 1 Infinite Loop and/or Apple Park didn't get any sleep last night.