This week a vulnerability in Apple’s OS X “High Sierra” operating system was revealed to the public.
It’s bad. Very bad.
The vulnerability essentially allowed anyone with physical access to your Mac to log in as the “Root” user, without entering a password, from the login screen. Once you’re logged on as Root, you can do essentially anything you want with the machine.
If the Root user was already enabled with a password, then the vulnerability was thwarted. But most of the casual Mac users I know don’t enable the Root account.
Today (November 29, 2017) Apple released “Security Update 2017-001” to fix the vulnerability. Apple’s recommendation is, “Install this update as soon as possible”. Apple’s security bulletin can be found here.
- The vulnerability exists only in High Sierra, so this update applies only to High Sierra. Earlier operating systems aren’t affected.
- If you require the Root account on your machine (as I do), and have it enabled, once you install this update you’ll have to re-enable the Root account and change the password.