Yesterday, we reported about a huge security flaw in macOS High Sierra 10.13.1 that allows anyone to gain administrator access to the Users & Groups settings by simply typing "root" as the username with no password to make changes.
This is a seriously embarrassing programming lapse on Apple's part since any user can exploit the flaw and can change user privileges, reset passwords, create accounts and view personal files without having administrator privileges.
In Unix-based systems like macOS, the user account named ”root” is a hidden superuser with elevated read and write privileges to more areas of the system, including files in other macOS user accounts.
We advised you about what you can do in the meantime to protect your High Sierra 10.13.1 machine (disabling Guest Access and changing the root password) but as expected, considering the magnitude of the flaw, Apple has quickly issued an apology and a new security update to fix the problem.
If you have High Sierra, update ASAP
Roughly a day after the macOS root user flaw was publicly disclosed, Apple has issued Security Update 2017-001 to fix the security bug. The fix is available for the affected version macOS 10.13.1.
In its security content page detailing the update, Apple said that "a logic error existed in the validation of credentials. This was addressed with improved credential validation."
The flaw doesn't affect older versions of macOS, from macOS Sierra 10.12.6 and earlier. After installing the security update, the build number of your macOS should be 17B1002.
How to check your macOS version number
Not sure what macOS version you're on? Here's how to check:
Click on the Apple logo on the left side of your top menu bar then select "About This Mac." Along with your machine's technical specs, your software version and build number will appear under the "macOS" or "OS X" header.
How to update your Mac:
- Open the App Store app
- Click Updates in the toolbar
- Tap the Update button next to the macOS update to download and install
- Your gadget will restart when it is finished updating
Note: You can also open the App Store Update tab by clicking the "Software Update..."button on "About This Mac."
What's going on with Apple?
Apple may have apologized and fixed this big security problem but this embarrassing mistake shouldn't have happened in the first place. Didn't the macOS developers test for root access thoroughly before pushing out the High Sierra 10.13.1 update?
If so, then heads should roll. Not only did the flaw put millions of Mac users at risk, it was publicly revealed on Twitter, of all places.
"We greatly regret this error and we apologise [sic] to all Mac users, both for releasing with this vulnerability and for the concern it has caused," Apple wrote in an official statement. "Our customers deserve better. We are auditing our development processes to help prevent this from happening again."
But remember, this is not the first software lapse Apple committed this year. Last month, a High Sierra security patch was issued to fix another password bug. Patches for iOS 11 were also issued to fix an annoying auto-correct bug that replaced the letter "i" with a capital "a" and a question mark. And it's trivial but to this day, the iOS 11 calculator app is still extremely laggy.
If Apple wants to preserve its reputation for high-quality products married with high-quality software, then they better resolve whatever development troubles they have and get to the "root" of the problem.
What do you think? Is Apple's software quality control slipping? Drop us a comment.
Apple releases 2017 Christmas ad with a continuity error at end
It looks like Apple is not only guilty of software lapses lately, even their commercials have "holes." Click here and you be the judge.