macOS High Sierra Root User Bug (How to Fix It)

23816-30517-23815-30506-Screen-Shot-2017-11-28-at-210527-l-l

Update: Apple has rolled out an inmergency patch (Security Update 2017-001) for the bug and all High Sierra users are recommended to install this update as soon as possible.

macOS High Sierra, Apple’s latest version of operating system for Mac computers, has been discovered to exist a critical flaw, which allows anyone to log in without a password to a Mac running High Sierra as a root user. Unbelievable? Lemi Orhan Emrin, a Turkish software engineer, first announced the bug in a tweet on Tuesday. That means attackers can easily gain root access to your Mac if he or she has physical access to your Mac or can get through via screen sharing, VNC, or remote desktop.

The flaw affects only Macs running High Sierra (macOS 10.13). Macs running Sierra or earlier versions of the OS did not appear to be not affected by the bug yet.

We have reproduced this bug on the testing machine. Here’s how it works: head to the System Preferences > Users & Groups, click the Lock button, enter the word “root” for the username when prompted, then leave the password field blank, and hit Unlock button repeatedly. After a few times of attempts, you will be be granted access.

Doing the steps above will create an account with super privileges, and you are suggested not to try out the bug on your Mac running High Sierra. Our tests indicate that this flaw can be exploited to alter a user’s system settings, including changing key security preferences like disabling the firewall or storage drive encryption. The “root” account can be used to look up passwords on the keychain access.

“We are working on a software update to address this issue,” an Apple spokesperson told iMore. “In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

Before Apple provides a update for this issue, you can do these steps to fix the bug:

  1. Launch Terminal from Spotlight, in Launchpad or via Finder.
  2. Type in e: sudo passwd -u root, and hit Enter/Return key.
  3. Enter and confirm the Root User Password for the new created account.

Note that disabling the Root User cannot fix the bug. That will reset the password to blank and allow the exploit to work again.

Share this news to anyone you know are currently running the High Sierra on their Macs.

 

 

Comments

Leave a reply

Name*

E-mail*

Website

RECENT POSTS

How can Add Twitter to Safari Sidebar

Nov 17,2016
Add Twitter to Safari Sidebar

How to transfer files between Android and Mac

Nov 23,2016
transfer files between Android and Mac

Microsoft Visual Studio for Mac released November

Nov 30,2016
Microsoft Visual Studio for Mac

How to Change the Default Web Browser Safari on Mac in A Few of Seconds

Dec 09,2016
change the default web browser on Mac

Note! Your Mac’s Camera Can Be Hacked

Dec 14,2016
Mac's Camera Can Be Hacked

ARCHIVES

CATEGORIES

TAGS

Android Apple Apple games Apple News+ Apple TV App Store camera security computer development Default Web Browser HomePod How to Enable/Disable Parental Controls on Mac iCloud Imported Images iOS iOS 11 iOS 12.2 iPad iPhone iPhone X Mac MacBooster macOS macOS High Sierra macOS Mojave MacOS Sierra Mac OS X Mail Filters Microsoft Microsoft Visual Studio Minecraft OS X OS X security Photos App Preview Release Date remove MacBooster Restore Closed Tabs Safari San Jose Software Time Machine transfer files Twitter uninstall app WWDC 2017

Copyright © 2024 HowtoRemoveApp.com