Apple issues macOS High Sierra update to fix password-less root vulnerability

By Roger Fingas

Apple on Wednesday released a special security update for macOS High Sierra, fixing a recently uncovered flaw that let people gain root access without entering a password.

The patch, Security Update 2017-001, should be available through the Updates tab in the Mac App Store. After installation, the build number of High Sierra will be 17B1002.

Apple notes that if people require a root user account on their Mac, they can create one and assign a password through System Preferences.

The vulnerability was first exposed on Tuesday. Within hours, Apple was already promising an update, though it didn't provide an exact timeline.

Apple also issued a statement to The Loop on the misstep:

Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.