Skip to content
Naked Security Naked Security

Apple closes that big root hole – “Install this update as soon as possible”

That Apple root hole we wrote about just yesterday? Apple has pushed out a patch already - get it while it's hot!
Written by
November 29, 2017
Naked Security Apple High Sierra root vulnerability

Yesterday we wrote about a publicly-disclosed problem in Apple’s macOS 10.13, better known as High Sierra.

For reasons that aren’t yet clear, you could trick macOS into letting you authenticate as root – the all-powerful system administration account that you aren’t even supposed to use – with a password of…

…nothing. Blank. Empty. Just press [Enter].

Even though you couldn’t exploit this hole remotely, at least by default, it was an astonishing lapse by Apple.

At first, the Twitter user who publicised this flaw was criticised by some people, who considered his tweet to be “irresponsible disclosure”, because he didn’t report the bug to Apple privately so that the hole could be closed first and only disclosed once a patch was ready.

But others soon realised that this was not a brand new discovery – indeed, it had been discussed more than two weeks ago on Apple’s own support forum.

Ironically, the support forum thread, a community discussion that seems to have gone unnoticed by Apple itself, was about losing administrator access after updating to High Sierra – and this very bug was presented as a handy hack to restore things to normal.

Apple’s official policy of saying nothing about security issues until a fix is out meant that there wasn’t much to go on once the news broke, except to assume that Apple’s programmers were frantically coding up a fix…

…and, fortunately, that turns out to have been true.

Apple just published HT208315, entitled Security Update 2017-001, patching this very hole.

There isn’t anything in the way of detail in the security bulletin, just a deadpan remark that says:

Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

Some logic error! Some improvement!

This is the first time we’ve seen the App Store tagging an update as bluntly as this:

Install this update as soon as possible.

No by your leave or if you please – just a simple and unambiguous imperative: install this update.

We agree, and while we’re about it, we want to say, “Well done to Apple for acting quickly.”

Maybe the “irresponsible disclosure” served its purpose after all?

Note. To get the update or to check if it’s already installed, go to the Apple Menu (top left hand corner of the screen) and choose About This Mac, press the [Software Update...] button and then click on the Updates icon on the top of the App Store window that appears. (That’s the window you can see in the screenshot above.)


About the Author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.

Follow him on Twitter: @duckblog

Read Similar Articles

2 Comments

I just got pushed this update – didn’t even get the choice if I wanted to install it or not! Literally got a message saying “Urgent security update available” – went to install it, and it was there!

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!