Update: Apple has released a Security Update for this vulnerability.
Good news, Apple as of 11/29 (less than 24 hours after discovery) has released Security Update 2017-00. Run Software Update through the App Store ASAP. Info here: https://support.apple.com/en-us/HT208315
A significant security vulnerability was discovered today for all versions of macOS High Sierra, that allows a login as root with no password.
If you are not familiar with root, it is the highest admin privilege you can have on a Unix based system. By default in macOS High Sierra, the root user is disabled.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Unlike most security vulnerabilities of this nature, it was reported via the tweet above. Major companies, such as Apple, have ways to disclose issues like this privately while offering a reward. This process allows the company time to fix the problem before it is made public while limiting harm to users. Usually, some form of compensation is given to those that discover a vulnerability and report it responsibly.
Apple has released a statement saying they will release a fix soon but until then we have two ways below to stop this vulnerability.
Moderate: Changing root Password on Mac with Directory Utility
While these steps are easy, understand you are changing the superuser/root password – so do not forget it.
1. From the Apple menu, choose “System Preferences,” then click on the “Users & Groups” preference panel
2. Select the lock icon in the corner, then enter an admin password
3. Choose “Login Options”
4. Click the “Join” button alongside ‘Network Account Server,’ then click on “Open Directory Utility” to open the app
5. Choose the lock icon in Directory Utility app and again authenticate with an admin login
6. From the “Edit” menu, choose “Change Root Password.”
7. Enter the old root password, then confirm the new root password login to finalize the password change
More Info: http://osxdaily.com/2015/03/08/change-root-user-account-password-mac-os-x/
Advanced: Change the root account’s login shell to /usr/bin/false
If you feel comfortable with the command line, then this option is for you. By changing the login shell to /usr/bin/false, it will not allow the user to interact with the system which will stop the problem in its tracks.
Step by Step and More Info: https://derflounder.wordpress.com/2017/11/28/blocking-logins-to-the-root-account-on-macos-high-sierra/
Easy: Schedule a remote session with us
While the steps above are accessible, we understand many users do not feel comfortable making these changes. If you do not feel comfortable, you can schedule an appointment below. This service would be at no cost to a Mac Care 365 subscriber.