- Apple released a fix for an embarrassing Mac bug on Wednesday.
- The bug would let anyone log into an up-to-date Mac with the username “root” and a blank password.
- The patch is available to download now and Apple said that the fix will be automatically installed on up-to-date Mac computers starting on Wednesday.
- Apple said in a statement: “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused.”
The bug was blindingly simple: All someone had to do was put their username as “root” and leave the password blank on the right login screen on a Mac laptop or desktop running High Sierra, the most recent version of MacOS.
Apple apologized in a statement and said that the update will be “automatically installed” on all systems running the latest version of High Sierra starting on Wednesday, and is currently available for download from the Mac App Store.
“We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better,” the Apple representative said in a statement.
People with Macs can update their operating system to fix the bug through the Mac App Store.
Security Update 2017-001 is now available for High Sierra, addressing the root login problem. https://t.co/I6B6V3waBX
— Ivan Krstić (@radian)
November 29, 2017
“An attacker may be able to bypass administrator authentication without supplying the administrator’s password,” the Apple security page reads.
“A logic error existed in the validation of credentials. This was addressed with improved credential validation,” it continued, confirming that only computers with MacOS High Sierra, the most recent software, was affected.
Here’s the full statement from Apple, provided to Business Insider by a representative:
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
A very bad bug
One reason why Apple scrambled to fix the issue in about 24 hours is because the bug really does expose users to basically anything.
In Unix-based systems, like MacOS, “root” is the most privileged user, who has the power to change anything on the operating system.
“Once someone is logged into your Mac as root, they can do whatever they want, including accessing your files, installing spyware, you name it. So, in other words, if you were to leave your Mac unattended for 30 seconds, someone could backdoor it and have a very powerful way in later,” Mac security expert Thomas Reed wrote at Malware Bytes .
The ultimate cause of the bug became clearer on Wednesday as Patrick Wardle, Synack’s director of research, published a long, technical look at the vulnerability .
Essentially, Wardle found, is that the bug was a password setting issue for any disabled user, not just “root.”