macOS High Sierra 'root' security bug: Here's how to fix it now!
Apple has just released a security update for macOS High Sierra that patches the "root" vulnerability disclosed yesterday. While this bug should never have shipped, Apple's response to the problem and turnaround time on the fix have been impressive and reassuring.
Apple sent me the following statement:
You can find the security update in Software Updates and if you're running macOS High Sierra, you should download and install it now, then make sure everyone you know does the same. If you don't, Apple will do it for you starting later today.
Here are the details on the patch, from Apple.com:
The original patch caused issues with file sharing, so Apple has pushed out a new version, 17B1002, to correct the problem.
This is a zero-day exploit. Lemi Orhan Ergin tweeted to Apple's support account that he had discovered a way to log into a Mac running High Sierra by using the superuser "root" and then clicking the login button repeatedly. (Macs running Sierra or earlier versions of the OS are not affected.)
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple? — Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Ergin should absolutely have disclosed this to Apple and given the company a chance to patch it before it went public, and Apple should never have allowed the bug to ship, but none of that matters right now.
Here's what's important: The "root" account allows super-user access to your system. It's supposed to be disabled by default on macOS. For whatever reason, it's not on High Sierra. Instead, "root" is enabled and currently allows access to anyone without a password.
For a basic explanation of what's causing the issue, see Objective See:
- For accounts that are disabled (i.e. don't have 'shadowhash' data) macOS will attempt to perform an upgrade
- During this upgrade, od_verify_crypt_password returns a non-zero value
- The user- (or attacker-) specified password is then 'upgraded' and saved for the account
So, anybody who has physical access to your Mac or can get through via screen sharing, VNC, or remote desktop, and enters "root" and hits login repeatedly, can gain complete access to the machine.
Apple sent me the following statement:
If you're comfortable with the command line, you can very quickly:
- Launch Terminal.
- Type: sudo passwd -u root.
- Enter and confirm your Root User Password. (Make it a strong, unique one!)
If not, you can use Open Directory Utility:
How to fix the root vulnerability on macOS High Sierra
- Click on the Apple logo at the far left of the menubar.
- Click on System Preferences.
- Click on Users and Groups.
- Click on the Lock (🔒) icon.
- Enter your Password.
- Click on Login Options.
- Click on Join or Edit.
- Click on Open Directory Utility.
- Click on the Lock (🔒) icon.
- Enter your Password.
- Click on Edit in the menubar.
- Click on Enable Root User.
- Enter and confirm your Root User Password. (Make it a strong, unique one!)
Do not disable the Root User. That just blanks the password and allows the exploit to work again.
FWIW, we, @danielpunkass, and @dmoren all confirmed that if you disable the root account, the flaw resets the password to blank again. — Dan Frakes (@DanFrakes) November 28, 2017
Apple needs to fix this stat. In the meantime, share this information with everyone you know who uses a Mac on High Sierra and make sure they test and validate that "root" access is blocked before you let them resume their day.
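One way to "test and validate" the state of the root account on a High Sierra Mac, as an added shell example that is not from the article, from Apple, or from Objective-See. It ties back to the Objective-See description above: the exposed state is a root record with no shadow-hash data, so the script classifies the account by reading the local directory record's AuthenticationAuthority attribute with `dscl`. The two output strings it matches on (the "No such key" message when the attribute is absent, and ";ShadowHash;" when a password hash is stored) are assumptions about `dscl`'s output that you should confirm on your own machines; the sample outputs embedded below are constructed for offline demonstration. The live check only runs where `dscl` exists, so the script is safe to run elsewhere.

```shell
#!/bin/sh
# Added example (not code from the iMore article, Apple or Objective-See).
# Classifies the local "root" account from the output of:
#   dscl . -read /Users/root AuthenticationAuthority
# Assumed dscl behaviour: with root disabled the attribute is absent and dscl
# prints "No such key: AuthenticationAuthority"; with a root password set the
# value contains ";ShadowHash;". The absent attribute is the state the
# Objective-See notes describe: no shadow hash, so a typed password is
# "upgraded" into the record instead of being checked against one.

classify_root_state() {
    # $1: captured dscl output (stdout and stderr combined)
    case "$1" in
        *"No such key: AuthenticationAuthority"*)
            echo "NO_PASSWORD_HASH" ;;   # root has no stored hash: exposed state
        *";ShadowHash;"*)
            echo "PASSWORD_HASH_SET" ;;  # root has a stored password hash
        *)
            echo "UNKNOWN" ;;            # unexpected output: inspect by hand
    esac
}

# Map a state to the action the article recommends.
advice_for_state() {
    case "$1" in
        NO_PASSWORD_HASH)
            echo "Set a strong root password (Directory Utility or sudo passwd) and install Apple's update." ;;
        PASSWORD_HASH_SET)
            echo "Root has a password set. Do not disable the root user: that blanks the password again." ;;
        *)
            echo "Could not determine the root account state; read the dscl output manually." ;;
    esac
}

# Run the real check where dscl exists (macOS); report UNKNOWN elsewhere.
check_live_root_state() {
    if command -v dscl >/dev/null 2>&1; then
        out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
        classify_root_state "$out"
    else
        echo "UNKNOWN"
    fi
}

# Constructed sample outputs (not captured from a real machine) for offline use.
SAMPLE_DISABLED='No such key: AuthenticationAuthority'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;root@LKDC:SHA1.0000000000000000000000000000000000000000;LKDC:SHA1.0000000000000000000000000000000000000000;'

echo "sample (root disabled): $(classify_root_state "$SAMPLE_DISABLED")"
echo "sample (root enabled):  $(classify_root_state "$SAMPLE_ENABLED")"

state=$(check_live_root_state)
echo "this machine: $state"
advice_for_state "$state"
```

The check reads only the directory record and changes nothing; on a fleet it can run under a management agent before the update is confirmed installed, and a NO_PASSWORD_HASH result on a High Sierra machine is the one to act on.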
Updated to include Apple's statement and Objective See's description of the problem.
Updated to include Apple's patch and statement on the patch.
Updated to include file sharing bug in the patch, and the updated patch to fix the file sharing bug.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.