Apple to fix MacOS High Sierra's "Huge" security flaw with upcoming software update

MacOS High Sierra allows anyone to access the root/admin account by simply entering "root" as the username and leaving the password field blank. Apple is said to be working on a software update to fix the bug and has advised users to set a custom root account password in the meantime.

Published Date: 29 - Nov - 2017 | Last Updated: 29 - Nov - 2017

A major security flaw has been discovered in Apple’s MacOS High Sierra operating system that allows anyone to access the root/admin account on a Mac. MacRumors reported the bug, via a developer named Lemi Ergin, saying that anyone can log into the admin account by entering "root" as the username and leaving the password field blank. Apple has acknowledged the flaw and said it is working on a software update to fix the issue.

The root/admin account grants escalated privileges to a user, with full read and write access to system files. As per the report, the flaw grants admin access on an unlocked Mac and can also be exploited at a locked Mac’s login screen. Users can try it from their normal account, or even a guest account, by navigating to Users & Groups in System Preferences and clicking on the lock icon. A prompt asking for a username and password will appear; entering ‘root’ as the username, clicking into the password field but leaving it blank, and then clicking Unlock allows use of the admin account.

As per Apple’s instructions, a user should set a password for the root account instead of leaving it blank so that it can’t be accessed by anyone else. Apple, in a statement to MacRumors, said, “Setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section.” The bug is reportedly present in the current version of macOS High Sierra and in the beta that is currently in testing.

To set a root password, users need to follow the same process described above for reaching the Users & Groups pane and unlocking it, and then click on Login Options. After that, users need to click on the Join (or Edit) button next to Network Account Server and then click on Open Directory Utility and unlock it by clicking its lock icon. A prompt will ask for the user’s administrator name and password, after which one needs to select Enable Root User from the Edit menu in the menu bar and enter a new password for the root (admin) account. Apple says this method will prevent the root account from being accessed using a blank password until it releases a patch. As the bug can be exploited from a guest account, MacOS High Sierra users have also been advised to disable guest accounts.
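The mitigation described above can be checked from a terminal rather than through System Preferences. The script below is an added example, not Apple's own instructions or code from the article: it classifies the root account's state from the output of `dscl . -read /Users/root AuthenticationAuthority` and prints the corresponding advice. It assumes that `dscl` prints "No such key: AuthenticationAuthority" when root has never been enabled and an `AuthenticationAuthority:` line containing `ShadowHash` once it has been, that `sudo passwd root` sets the root password, and (assumed flag) that `sysadminctl -guestAccount off` disables the guest account on High Sierra. The classifier reads its input from stdin so it can be exercised with constructed sample output on any system.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): report whether the
# macOS root account is enabled and what to do about it.
#
# Assumptions: `dscl . -read /Users/root AuthenticationAuthority` prints
# "No such key: AuthenticationAuthority" when root has never been enabled,
# and an "AuthenticationAuthority:" line containing "ShadowHash" once it has.
# `sudo passwd root` sets the root password. The guest-account flag of
# `sysadminctl` is assumed, not taken from the article.

# classify_root_state: reads dscl output on stdin, prints one word:
#   disabled - root has no authentication authority (never enabled)
#   enabled  - root is enabled; the password may still be blank
#   unknown  - output matched neither pattern
classify_root_state() {
    out=$(cat)
    case "$out" in
        *"No such key: AuthenticationAuthority"*) echo disabled ;;
        *"AuthenticationAuthority:"*"ShadowHash"*) echo enabled ;;
        *) echo unknown ;;
    esac
}

# query_root_state: runs the real dscl command (macOS only) and classifies it.
query_root_state() {
    dscl . -read /Users/root AuthenticationAuthority 2>&1 | classify_root_state
}

# advise: prints the recommended action for a state.
# Return code: 0 = no immediate action, 1 = set a password now, 2 = inspect manually.
advise() {
    case "$1" in
        disabled)
            echo "root is disabled; per Apple's advice set a password anyway: sudo passwd root"
            return 0 ;;
        enabled)
            echo "root is enabled and may have a blank password; run: sudo passwd root"
            return 1 ;;
        *)
            echo "could not determine root state; inspect 'dscl . -read /Users/root' manually"
            return 2 ;;
    esac
}

# guest_advice: the article also recommends disabling guest accounts.
guest_advice() {
    echo "disable the guest account (assumed flag): sudo sysadminctl -guestAccount off"
}

# Run the live check only when invoked with --run, so the functions can be
# sourced and tested with constructed input elsewhere.
if [ "${1:-}" = "--run" ]; then
    state=$(query_root_state)
    advise "$state"
    rc=$?
    guest_advice
    exit "$rc"
fi
```

Run it on a Mac with `sh check_root.sh --run`; a non-zero exit status means the root account needs attention. The classifier deliberately cannot tell a blank root password from a set one, because `dscl` does not expose that, which is why the advice for the enabled state is simply to set a password.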

Digit NewsDesk

The guy who answered the question 'What are you doing?' with 'Nothing'.