Apple has rushed out a patch to fix a major security flaw that allowed anyone to easily gain full admin access.
The macOS High Sierra bug allowed anyone with physical access to an installed Mac to gain full admin control with the username ‘root’ and no password.
While the bug only worked within certain Sierra interface screens, such as ‘Preferences,’ and certain other locations, once logged in, the same combination could then be used to bypass the lock screen of Macs running the latest operating system from Apple.
My name is (G)Root
As long as someone had actual physical access to the keyboard on a Mac, they could log in as an administrator merely by entering the username ‘root’ and pressing enter a few times, gaining full system access without the need for a password.
Spotted weeks ago
The security flaw was originally discovered a few weeks ago by a software engineer called Lemi Orhan Ergin, and then disclosed in an Apple developer support forum. Ergin claimed that the bug would allow anyone with access to your Mac computer to gain full administrative access in a number of seconds.
Customers deserve better
Apple’s official statement on the debacle stated: “We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused… Our customers deserve better.
“We are auditing our development processes to help prevent this from happening again.”
Sloppy
Apple has previously admitted that it had “stumbled” with the release of High Sierra, and this latest incident has left some asking whether the tech giant, once renowned for the quality of its ecosystem and release execution, is now getting sloppy.
Apple has so far neither confirmed nor denied whether it knew about the flaw before Ergin made the news public. “We are working on a software update to address this issue,” Apple said in a statement.
Workaround
Until Apple manages to release a fix, users can stop the bug from working by enabling the root account and setting a password on it.
For those who don’t feel comfortable enough to make that change themselves, the best advice is to not let your Mac out of your sight, and be sure to apply the system update when the fix is released.