On November 29, Apple released Security Update 2017-001. While it may look like a minor update, it fixes a major vulnerability in Apple’s macOS High Sierra 10.13.1 and 10.13.2. Anyone using a Mac who has upgraded to the latest version of macOS should immediately install this update via the App Store.
Unix’s root Account
Apple’s operating system, macOS, is based on a flavor of Unix called BSD. Unix is a very stable and secure operating system that has been used for years in corporate computing environments. Because macOS is based on BSD Unix, Macs tend to be very stable with a reputation for security.
In the Unix world, including macOS, there is what’s called the “root” account. Similar to a Windows “Administrator” account that most people are familiar with, root is the most powerful account in Unix. Having root access gives that user complete control of the entire system.
macOS root Account Vulnerability
On November 29, reports began circulating about this new vulnerability in Apple’s macOS High Sierra 10.13.1 and 10.13.2 that would allow a root account to be created without requiring a password.
According to the New Jersey Cybersecurity & Communications Integration Cell: “This unprotected root account could then be accessed by a threat actor, either locally or remotely, and used to gain full control over the system. Remote access services such as Virtual Network Computing (VNC), Remote Desktop Protocol (RDP), and screen sharing could be used to exploit this vulnerability on affected macOS systems.” (Source: CYBER ALERT | November 29, 2017)
Easily Install Security Update 2017-001
Fortunately, Apple acted quickly and released Security Update 2017-001. All Mac users should immediately install this update, which only takes a few moments and doesn’t require a reboot. Now that this vulnerability is well known, there is a window of time when unpatched systems are especially vulnerable.
If you are reading this blog on a Mac running macOS High Sierra: Take a few moments right now to open the App Store and install Security Update 2017-001. Doing so will protect your system from this potentially serious security vulnerability. We also want to commend Apple for acting quickly on pushing out this fix.