How to fix the massive macOS root security bug

29 November, 2017, 01:24 | Author: Carmen Reese

There seems to be a major flaw in Apple's macOS High Sierra operating system that allows anyone to log into a machine and gain system administrator access without so much as entering a password.

Apple has said it's working on a fix; until it ships, setting a root password should be sufficient protection.

Although Apple does run a bug bounty program, offering rewards of up to US$200,000, it's invitation-only, unlike the wide-open programs run by Microsoft, Google and others.

Enter "root" again with no password.

Soon after Ergin's tweet, a flood of security researchers and writers confirmed the bug works as described - whether attempting to access an administrator's account on an unlocked Mac, or trying to gain access via the login screen of a locked Mac.

More news: Miss South Africa is Miss Universe 2017

That's the bad news.

Once someone has root access, there's basically no limitations to what they can do. An intruder can also apparently access machines remotely when Remote Manager is enabled through Apple Remote Desktop or screensharing.app, according to some accounts. The bug is present in MacOS High Sierra 10.13.1, the current version released to users, and the macOS 10.13.2 beta that is still being tested. That's all it takes to log in to a MacBook with High Sierra onboard. We have confirmed this method fixes the vulnerability. So, keep the account enabled and set a root password right now.

Go to System Preferences then click Users & Groups (or Accounts).

Click the lock in the corner. You can do this from the user login screen. Then select "Change Root Password..." and choose a strong password, something with many letters and characters that can't be guessed. In another lapse, Directory Utility lets you set the root password to blank - just leave both fields empty and click OK.
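To confirm the fix from Terminal, here is an added shell script (not from the article) that reads the root account's AuthenticationAuthority attribute with dscl and reports whether a password hash is present. It assumes Open Directory marks a set password with ";ShadowHash;" and a disabled account with ";DisabledUser;"; the classification function can be exercised anywhere with the constructed sample records below, while the live check only runs on macOS.

```shell
#!/bin/sh
# Added example, not from the article: verify that the root account has a
# password set, which is the mitigation the article describes.
# Assumption: Open Directory records a set password as ";ShadowHash;" in root's
# AuthenticationAuthority attribute and a disabled account as ";DisabledUser;".

# Classify the text returned by:  dscl . -read /Users/root AuthenticationAuthority
# Prints one of: no-password | password-set | password-set-disabled
classify_root_record() {
  record="$1"
  case "$record" in
    *';DisabledUser;'*';ShadowHash;'*|*';ShadowHash;'*';DisabledUser;'*)
      echo password-set-disabled ;;
    *';ShadowHash;'*)
      echo password-set ;;
    *)
      # "No such key" or an attribute without a hash: root never had a password
      echo no-password ;;
  esac
}

# Live check on macOS: read the attribute (stderr merged, because a missing
# attribute may be reported there) and classify it.
check_root_on_this_mac() {
  record=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
  classify_root_record "$record"
}

# Constructed sample records, used when dscl is not available on this host.
SAMPLE_NO_PASSWORD='No such key: AuthenticationAuthority'
SAMPLE_PASSWORD_SET='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

if command -v dscl >/dev/null 2>&1; then
  state=$(check_root_on_this_mac)
  echo "root account state: $state"
  if [ "$state" = no-password ]; then
    echo "Set a root password now (Directory Utility > Edit > Change Root Password...)"
  fi
else
  echo "dscl not found (not macOS); classifying constructed samples instead:"
  echo "  sample 1 -> $(classify_root_record "$SAMPLE_NO_PASSWORD")"
  echo "  sample 2 -> $(classify_root_record "$SAMPLE_PASSWORD_SET")"
fi
```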
