Apple is offering a fix for a recently discovered security flaw in its new Mac operating system that made it possible for an intruder to bypass administrator authentication without typing in a password.
By exploiting this bug, one would be able to change a Mac’s settings without knowing the owner’s password. Apple’s latest update for macOS High Sierra, the new Mac software it launched in September, addresses this flaw.
Apple said in a statement that it’s auditing its development process to prevent a similar situation from happening again.
The update is available to download and will be automatically installed on all systems running macOS High Sierra version 10.13.1 later on Wednesday.
Below is Apple’s full comment:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
To see if a software update is available for your Mac, click the Apple icon, select About This Mac, and click the button that says “Software Update.” You can also open the App Store on your Mac and click the Updates tab to check for new software.
Developer Lemi Orhan Ergin publicly informed Apple about the security issue via Twitter on Nov. 28, and was criticized by some for doing so out of fear that the bug would be more widely exploited. Ergin wrote in a blog post that his colleagues informed Apple of the issue on Nov. 23.
According to Ergin, the exploit worked by opening the System Preferences menu, selecting Users & Groups, and clicking the lock to make changes. When the prompt asking for administrator login credentials appeared, Ergin said it was possible to gain access by typing “root” in the username field, leaving the password blank, and pressing the unlock button multiple times. Several Twitter users replied to Ergin’s tweet saying the technique worked.
Before the software fix was released, users could protect themselves by requiring a password for the root account, so that a password had to be typed in before root access was granted to their Mac.
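The workaround described above amounts to making sure the root account actually carries a password. As an added example (not from this article, and not Apple's or Ergin's code), the shell script below gives an administrator a quick way to check that state on a Mac. It assumes that `dscl . -read /Users/root AuthenticationAuthority` prints an `AuthenticationAuthority:` line containing `;ShadowHash;` when root has a password and reports `No such key` when it does not; the two sample outputs embedded in the script are constructed so the parsing function can be exercised on any system.

```shell
#!/bin/sh
# Added example (not from the article, Apple or Ergin): a defender-side
# check of whether the local root account has a password set, which is the
# protection the article says users could apply before the fix shipped.
#
# Assumption: on macOS, `dscl . -read /Users/root AuthenticationAuthority`
# prints an "AuthenticationAuthority:" line containing ";ShadowHash;" when
# the root account has a password, and prints "No such key: ..." otherwise.

# root_has_password TEXT
#   Given the output of that dscl query, succeed (exit 0) if the root
#   account has a password hash recorded, fail (exit 1) otherwise.
root_has_password() {
    printf '%s\n' "$1" | grep -q 'AuthenticationAuthority:.*ShadowHash'
}

# check_local_root
#   Run the real query on this Mac (stderr merged, since dscl reports the
#   missing-key case there) and print a one-line verdict.
check_local_root() {
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    if root_has_password "$out"; then
        echo "OK: root account has a password set"
        return 0
    fi
    echo "WARNING: root account has no password set"
    return 1
}

# Constructed sample outputs (not captured from a real machine) so the
# parser can be tried on a non-Mac system. The hash list contents are
# placeholders.
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<PLACEHOLDER-HASH-TYPES> ;Kerberosv5;;root@LKDC:PLACEHOLDER;LKDC:PLACEHOLDER'
SAMPLE_DISABLED='No such key: AuthenticationAuthority'

# demo_samples
#   Succeed only if the parser classifies both constructed samples correctly.
demo_samples() {
    root_has_password "$SAMPLE_ENABLED" || return 1
    root_has_password "$SAMPLE_DISABLED" && return 1
    return 0
}

# Run the live check only when explicitly asked, so the file can also be
# sourced or tested without touching dscl.
case "${1:-}" in
    --local) check_local_root ;;
esac
```

Run it with `sh check_root.sh --local` on the Mac in question; a `WARNING` line means the root account is still in the state the article's workaround was meant to change. The script only reads directory data and never modifies the account.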