A day after it was revealed that macOS High Sierra had a security issue that allowed unauthorized users to easily log into a Mac with admin access, Apple has now released a patch for the bug.
Recently, Twitter user Lemi Ergin publicly disclosed that if a user types “root” into the User Name field that appears when making changes to System Preferences, and then hits enter, the user will gain root-user access. They will also be able to log into the Mac by going to “Other” at login and typing the “root” username again.
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The security flaw exists only on macOS 10.13.0 or later. Apple immediately published a workaround to prevent anybody from taking control of a Mac this way, and now the company has released an official patch in a security update (you can download it here). You should be running the most recent version of High Sierra (10.13.1) for the patch to work.
The notes in the new security update say it specifically addresses the flaw. As for the cause, the notes say, “a logic error existed in the validation of credentials. This was addressed with improved credential validation.”
An Apple representative told Mashable:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
Security issues and patches happen constantly, but they have been haunting Apple lately: the company also recently needed to patch a bug on iPhones that would replace the letter “I” with an unusual “A[?]” character for a few users.