
macOS High Sierra 'root' security bug: Here's how to fix it now!

Apple has just released a security update for macOS High Sierra that patches the "root" vulnerability disclosed yesterday. While this bug should never have shipped, Apple's response to the problem and turnaround time on the fix have been impressive and reassuring.

Apple sent me the following statement:

"Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS," an Apple spokesperson told iMore. "When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra. We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again."

You can find the security update in Software Updates and if you're running macOS High Sierra, you should download and install it now, then make sure everyone you know does the same. If you don't, Apple will do it for you starting later today.

Here are the details on the patch, from Apple.com:

Security Update 2017-001
Released November 29, 2017

Directory Utility
  • Available for: macOS High Sierra 10.13.1
  • Not impacted: macOS Sierra 10.12.6 and earlier
  • Impact: An attacker may be able to bypass administrator authentication without supplying the administrator's password
  • Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
  • CVE-2017-13872

When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.

The original patch caused issues with file sharing, so Apple has pushed out a new version, 17B1002, to correct the problem.

This is a zero-day exploit. Lemi Orhan Ergin tweeted to Apple's support account that he had discovered a way to log into a Mac running High Sierra by using the superuser "root" and then clicking the login button repeatedly. (Macs running Sierra or earlier versions of the OS are not affected.)


Ergin should absolutely have disclosed this to Apple and given the company a chance to patch it before it went public, and Apple should never have allowed the bug to ship, but none of that matters right now.

Here's what's important: The "root" account allows super-user access to your system. It's supposed to be disabled by default on macOS. For whatever reason, it's not on High Sierra. Instead, "root" is enabled and currently allows access to anyone without a password.

For a basic explanation of what's causing the issue, see Objective See:

  • For accounts that are disabled (i.e. don't have 'shadowhash' data) macOS will attempt to perform an upgrade
  • During this upgrade, od_verify_crypt_password returns a non-zero value
  • The user (or attacker) specified password is then 'upgraded' and saved for the account

So, anybody who has physical access to your Mac or can get through via screen sharing, VNC, or remote desktop, and enters "root" and hits login repeatedly, can gain complete access to the machine.

Apple sent me the following statement:

"We are working on a software update to address this issue," an Apple spokesperson told iMore. "In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."

If you're comfortable with the command line, you can very quickly:

  1. Launch Terminal.
  2. Type: sudo passwd -u root.
  3. Enter and confirm your Root User Password. (Make it a strong, unique one!)

If not, you can use Open Directory Utility:

How to fix the root vulnerability on macOS High Sierra

🚨 If you're running #macOS #HighSierra, stop and do this *now* to fix the root access vulnerability. Then share it with everyone you know and make sure they do it too. 📝: https://t.co/e9sErEvKNI — Rene Ritchie (@reneritchie) November 28, 2017

  1. Click on Apple () at the far left of the menubar.
  2. Click on System Preferences.
  3. Click on Users and Groups.
  4. Click on the Lock (🔒) icon.
  5. Enter your Password.
  6. Click on Login Options.
  7. Click on Join or Edit.
  8. Click on Open Directory Utility.
  9. Click on the Lock (🔒) icon.
  10. Enter your Password.
  11. Click on Edit in the menubar.
  12. Click on Enable Root User.
  13. Enter and confirm your Root User Password. (Make it a strong, unique one!)

Do not disable the Root User. That just blanks the password and allows the exploit to work again.
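For anyone who has to confirm the state of more than one Mac, the following is an added example (not the article's or Apple's code) that turns the two facts above into a check: the Objective See explanation says a "disabled" root record is one with no shadow-hash data, and Apple's advisory says a patched system reports build 17B1002. The script classifies the text that `dscl . -read /Users/root AuthenticationAuthority` prints and compares the build from `sw_vers -buildVersion` against the advisory's number. The exact strings it matches ("No such key", ";ShadowHash;") are assumptions about dscl's output on 10.13, and the sample outputs and build strings embedded below are constructed so the logic can be exercised on any POSIX shell, not only on a Mac.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: decide whether a High Sierra
# machine is still exposed to the "root" logic bug, from two observable facts.

# Patched build number as stated in Apple's Security Update 2017-001 notes.
PATCHED_BUILD="17B1002"

# classify_root_state: takes the output of
#   dscl . -read /Users/root AuthenticationAuthority
# as its first argument and prints one of:
#   disabled - no AuthenticationAuthority key, i.e. no shadow hash on the record;
#              this is the state the 10.13.1 bug "upgrades" on a failed login
#   enabled  - a ShadowHash authority is present, so a password has been set
#   unknown  - anything else (treat as unverified)
# Assumption: "No such key" and ";ShadowHash;" are what dscl prints on 10.13.
classify_root_state() {
    case "$1" in
        *"No such key"*)  echo disabled ;;
        *";ShadowHash;"*) echo enabled ;;
        *)                echo unknown ;;
    esac
}

# build_is_patched: true only when the build equals the advisory's patched build.
# An exact match is deliberate: build strings do not sort lexically (e.g. the
# constructed value "17B999" would compare greater than "17B1002"), so a
# string comparison would misreport older builds as newer.
build_is_patched() {
    [ "$1" = "$PATCHED_BUILD" ]
}

# advise: combine both facts into the action the article recommends.
advise() {
    build="$1"
    state="$2"
    if build_is_patched "$build"; then
        echo "patched: build $build includes Security Update 2017-001"
    elif [ "$state" = "enabled" ]; then
        echo "mitigated: root has a password set on build $build; install Security Update 2017-001 when it is offered"
    else
        echo "exposed: root is $state on build $build; set a root password now (sudo passwd -u root) and install the update"
    fi
}

# check_this_mac: runs the real commands on macOS; on other systems it reports
# that dscl is absent and returns non-zero.
check_this_mac() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found: this is not macOS"; return 1; }
    build="$(sw_vers -buildVersion)"
    auth="$(dscl . -read /Users/root AuthenticationAuthority 2>&1)"
    advise "$build" "$(classify_root_state "$auth")"
}

# Constructed sample dscl outputs, used to exercise the classifier off a Mac.
SAMPLE_DISABLED="No such key: AuthenticationAuthority"
SAMPLE_ENABLED="AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2>"

# Run the live check only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--self" ]; then
    check_this_mac
fi
```

Run it as `sh check-root.sh --self` on the Mac in question; on a patched build it reports "patched", on an unpatched build with a root password set it reports "mitigated", and otherwise "exposed" with the article's one-line fix. Note that the classifier can only see whether a shadow hash exists, not whether the password behind it is blank, which is why a patched build takes precedence over the account state.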


Apple needs to fix this stat. In the meantime, share this information with everyone you know who uses a Mac on High Sierra and make sure they test and validate that "root" access is blocked before you let them resume their day.

Updated to include Apple's statement and Objective See's description of the problem.

Updated to include Apple's patch and statement on the patch.

Updated to include file sharing bug in the patch, and the updated patch to fix the file sharing bug.

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

30 Comments
  • "Here's what you need to do right now" - come back later for instructions. :/
  • The only other person who has physical access to my iMac at home is my wife and she's not exactly a techie. Would a burglar who breaks into my house have that knowledge off hand? Should I switch to a more secure operating system like Windows instead?
  • "Like Windows"... No. Anyone who has physical access to your machine can control your machine. Windows, macOS, Linux, you name it. Unless you have turned on things like the firmware password and FileVault, anyone can boot your machine into single user mode and reset the admin password. The same thing is true with Windows (sometimes with Windows you need the install CD). This flaw is bad, as it makes it too easy. But we should not pretend that it's world-changing.
  • Windows has had FAR more embarrassing security flaws. It's anything but "secure".
  • No one is impervious to security breaches. Admittedly, this is an embarrassing one for Apple that could've easily been avoided, so you can feel free to insult Apple on this one
  • Well people who state that any device is malware proof are silly, that's the nature of any software/OS. There are blind Apple fans out there, it's right to accept criticism where Apple have gone wrong, albeit in certain situations that is more based on opinion. In this case, Apple have gone wrong, and there's no doubt about it. Hopefully this gets fixed ASAP
  • Someone found this a few weeks ago, see last comment in the link below:
    https://forums.developer.apple.com/thread/79235
  • Which probably explains why the guy took to Twitter. Unfortunately Apple of late ignore issues that are posted on the Community until they are publicly shamed into doing so. The same was true a couple of months ago when it was apparent you could get High Sierra to reveal the passwords of encrypted hard drives.
  • He still should not have broadcast it on Twitter. He should have contacted Apple in the least public way possible. It is a major mistake by them, but publicising it was very irresponsible and compromised the security of many thousands of computers. On the upside at least Apple may pay more attention to their developer forums in the future!
  • Why did you think they ignored it on their forum? Apple does not care until it's a public disgrace.
  • https://i.imgur.com/wmVH7XL.jpg
  • “Here's what's important: The "root" account allows super-user access to your system. It's supposed to be disabled by default on macOS. For whatever reason, it's not on High Sierra. Instead, "root" is enabled and currently allows access to anyone without a password.” “Do not disable the Root User. That just blanks the password and allows the exploit to work again.” Some would say these are contradictory statements. “Setting "root" password "fixes" the problem”. Why is fixes in quotes? Setting a password absolutely fixes this. All accounts should have passwords. Its a true resolution, not a “fix”.
  • It just works
  • Just works a bit too well, whereby it bypasses security, woops
  • It's terrifying how something like this got past QA/QC.
  • Indeed I.T. is terrifying how poor Apple QC is of late. A[?] despair sometimes.
  • Well this affirms my decision to stay on Sierra.
  • yeah, me too. i‘m glad i‘ve avoided the bugfest that is high sierra so far. it‘s also supposed to have problems with a few applications like apple‘s own FCPX.
  • I cannot reproduce the bug. I don't have root enabled, just checked. I'm on 10.13.2 Beta (17C60c). 1. I only get my username when I turn on the computer, with no apparent option of writing "root" as username.
    2. When I do get to type root as username while unlocking system settings, I can't reproduce the bug.
    3. I also can't login with empty password for root after I lock the computer using Alfred lock command
  • Well, this is bizarre.
    Just followed the instructions at the link in the update and... Root access was disabled as an obvious default.
    On the other hand, no one has access to my Macs who would take advantage of the flaw, and I'm very paranoid about screen sharing and have been so for years.
  • Can Renee please write an article about ALL the password configuration requirements and options for High Sierra. Example, with FileVault turned on, can that password be the same as your user password? The difference between a local account and your iCloud account and what is used when logging in? How important the Root account is and the implications on changing its password (I know its really important, but others may not). Thanks!
  • I can't believe the negativity in some of these posts.
    Many are trolls that come here just to stir **** up.
    Others sound like, Apple of late has been doing this and this wrong. As if Apple never ever had bugs before. Just be thankful that the iMore gang is bringing this information to you free of charge. Apple is informed and will soon release a fix to this. As for now, follow the instructions, end of story.
  • A bug like this isn't even something you'd see from garden shed freeware hobbyist operating systems these days. For a multi-billion dollar company's offering, it's simply inexcusable. I don't know about you, but in my world it's perfectly acceptable to criticize the stuff you pay for.
  • The bug was reported over two weeks ago and is a fundamental security risk. Apple have only rushed out a fix because trad and social media picked up on it.
  • The bug was NOT reported to Apple two weeks ago. It was mentioned casually in a developer forum in a long thread discussing other issues. (Yes, I have read the thread where it is mentioned) Your spinning it is just a dumb troll.
  • Rather than resorting to personal abuse, perhaps in future you should do a bit more research? The issue was first mentioned on the Dev forum on Nov 13 (which Apple staff moderate) then Apple were directly informed on the 23rd. Info here. https://medium.com/@lemiorhan/the-story-behind-anyone-can-login-as-root-... Try and be more polite in future, please.
  • I've completed Apple's Security Update (as of this writing). Followup question: 's SU Support page seems to imply completing this SU (to the new 10.13.1 Build) disables root. ...Is this correct? ...If yes, does this delete a prior root PW & is it recommended to re-enable root, re-setting a PW?
  • Yes, the update disables root and any password for it that was set. No, it is NOT recommended to re-enable root and set a new password. Root is disabled by default in any installation of macOS and should never be enabled unless it is absolutely necessary and the person doing so knows exactly what they are doing.
  • Rene has been surprisingly easy on Apple for this. Pressing enter a few times allowed access to our computers? That is insanely incompetent and crazy how it even made it out into the wild.
  • I don't think he has: "Apple should never have allowed the bug to ship" It's pretty clear that this is a serious security bug that should have never happened.