Thursday, 14 December 2017
Latest news
Main » How to fix the massive macOS root security bug

How to fix the massive macOS root security bug

29 November 2017

Note that disabling the root user does not fix this, as you'll still be able to bypass it. You really shouldn't leave your Mac unattended at all until Apple fixes this, and you should shut off guest access for your device.

Choose Edit Change Root Password and enter a new, non-trivial password. An intruder can also apparently access machines remotely when Remote Manager is enabled through Apple Remote Desktop or screensharing.app, according to some accounts. Basically, if you open System Preferences and then navigate to Users and Groups, you can easily gain access to make changes to any account on that machine. If you have FileVault enabled, you're in better shape, since High Sierra won't let someone log into the root account at the login window.

In the dialog that pops up, click on open directory utility, and from the tool's menubar, select the edit item, and then change root password.

International Business Times was able to successfully replicate the issue on a MacBook Air and a MacBook Pro, both running version 10.13.1 of MacOS High Sierra.

Minister Susan Shabangu Congratulates Demi-Leigh Nel-Peters for Winning Miss Universe
Nels-Peters was considered a frontrunner for the title after also being crowned Miss South Africa 2017 earlier this year. On Sunday, he poked fun at his mistake throughout the night. "Let us celebrate this great victory of our nation".

The vulnerability was publicly disclosed on Twitter this afternoon; it's not clear whether the problem was privately reported to Apple ahead of time, which is the encouraged practice when security vulnerabilities are uncovered.

This flaw is significant but the risk to most users is quite low. We've reached out to Apple for comment and will update it we hear back. However, there is a workaround that will provide users with some additional security to prevent against unauthorized logins: users can enable a root account that requires a password to gain access.

Enter Directory Utility and press Return to launch it. This will prompt for a password for the Root user account. Yes, using root with no password works here too.

How to fix the massive macOS root security bug