Users of Apple Mac computers running the High Sierra version of macOS have been urged to install a high-priority security patch immediately. It fixes a glaring flaw in the way the operating system validates logins.
Vulnerabilities range from the relatively minor (flaws that only affect a handful of users with a very specific setup and can only be exploited by technically skilled attackers) to the major (flaws that affect a large number of users and can be exploited by almost anyone). This vulnerability falls firmly into the second category.
Security researchers have confirmed a significant vulnerability in macOS High Sierra that allows anyone to bypass an administrator username and password prompt with no technical know-how at all.
To get past the prompt, an attacker simply types “root” into the username box, leaves the password box blank and clicks Unlock a few times; the first attempt fails, but a subsequent one succeeds. That is all that was required. (“root” is the Unix superuser account, which carries the highest possible privileges on the machine, above even an ordinary administrator account.)
The bug was first demonstrated against the padlocked panes in System Preferences, the administrative settings that a standard account normally cannot change. However, it also works at the login window, so anyone with physical access could unlock a password-protected Mac, including after it had been rebooted.
This is a significant vulnerability, not only because it lets almost anyone with no technical background gain unauthorised root access to an Apple Mac, but because malware could incorporate the same flaw to escalate from an ordinary user account to full control of any Mac it infected.
Apple’s initial advice was to set a password for the root account (which is disabled by default on a Mac, precisely because an unrestricted superuser can do a great deal of damage to the machine); a root account that has a real password is no longer accepted with a blank one. Apple has since released an update which it advises every High Sierra user to install straight away.
High Sierra’s “root” bug was first revealed by Turkish software developer Lemi Orhan Ergin, who claimed his colleagues found the bug when helping a client regain access to their computer.
Apple has described the bug as follows:
A logic error existed in the validation of credentials. This was addressed with improved credential validation.
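To make the “click Unlock several times” behaviour, Apple’s interim root-password advice and the phrase “logic error in the validation of credentials” concrete, here is an added illustration. It is not Apple’s code and is not from the original article; it is a simplified model of the flaw class. The assumption it makes is that a directory record with no stored credential (how a never-enabled root account looks) is treated by the vulnerable check as a legacy account whose credential must be silently “upgraded” to whatever password was supplied, so the first blank-password attempt fails but enables the account, and the next one succeeds. The hardened version rejects any account that is disabled or has no credential and never writes to the record during verification. The function names (`verify_vulnerable`, `verify_fixed`, `set_password`, `repeated_unlock`) and the sample account database are constructed for this example.

```python
import hashlib
import hmac
import os

# Modest iteration count so the demonstration runs in well under a second.
PBKDF2_ROUNDS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_directory() -> dict:
    """Constructed sample account database (not real macOS data).

    'root' is disabled and carries no stored credential at all, which is how a
    never-enabled superuser account looks; 'alice' is an ordinary admin user.
    """
    salt = os.urandom(16)
    return {
        "root": {"enabled": False, "salt": None, "hash": None},
        "alice": {"enabled": True, "salt": salt, "hash": _hash("correct horse", salt)},
    }


def verify_vulnerable(directory: dict, username: str, password: str) -> bool:
    """Assumed logic error (illustration only, not Apple's actual code).

    A record with no stored credential is treated as a legacy account whose
    credential needs 'upgrading': the supplied password, blank or not, is
    stored and the account enabled as a side effect of a *failed* attempt.
    """
    rec = directory.get(username)
    if rec is None:
        return False
    if rec["hash"] is not None:
        return rec["enabled"] and hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
    # Side effect on the failure path: this is the bug.
    rec["salt"] = os.urandom(16)
    rec["hash"] = _hash(password, rec["salt"])
    rec["enabled"] = True
    return False  # reported as a failure, but the next identical attempt succeeds


def verify_fixed(directory: dict, username: str, password: str) -> bool:
    """Hardened check: a disabled account or one with no credential is rejected,
    and verification never modifies the record."""
    rec = directory.get(username)
    if rec is None or not rec["enabled"] or rec["hash"] is None:
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def set_password(directory: dict, username: str, password: str) -> None:
    """Model of Apple's interim advice: give root a real password so the record
    carries a credential and the 'upgrade' path is never reached."""
    rec = directory[username]
    rec["salt"] = os.urandom(16)
    rec["hash"] = _hash(password, rec["salt"])
    rec["enabled"] = True


def repeated_unlock(verify, directory: dict, username: str, password: str, attempts: int = 3):
    """Click 'Unlock' up to `attempts` times; return the attempt number that
    succeeded, or None if every attempt was rejected."""
    for attempt in range(1, attempts + 1):
        if verify(directory, username, password):
            return attempt
    return None


if __name__ == "__main__":
    print("vulnerable, root / blank password:",
          repeated_unlock(verify_vulnerable, make_directory(), "root", ""))
    print("fixed, root / blank password:     ",
          repeated_unlock(verify_fixed, make_directory(), "root", ""))
    mitigated = make_directory()
    set_password(mitigated, "root", "a-real-root-password")
    print("vulnerable after setting a root password, root / blank password:",
          repeated_unlock(verify_vulnerable, mitigated, "root", ""))
```

Run stand-alone, the vulnerable check lets root in on the second blank-password click, the fixed check never does, and giving root a real password first blocks the blank-password attempt even against the vulnerable check, which is why Apple’s interim advice worked. The design point is that credential verification must be a pure read: a failed login should never create, enable or rewrite an account.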
The bug is not reported to have affected previous versions of macOS.
If you haven’t already, install the update now. This is a gaping security flaw.