Update [December 5, 2017]: If you update your macOS and apply the patch, make sure you do it in the correct order or you’ll be stuck with the same problems. Check out our latest post for information on how to do this correctly.
Late Tuesday, a Turkish security developer discovered that macOS High Sierra has the biggest possible security flaw – a root account, enabled by default with no password, that anyone with physical access to your machine can log into. The problem is that once someone has root access there are basically no limitations to what they can do. Root is a superuser account with read and write privileges over the entire system including other user accounts. The problem is that anyone with any kind of knowledge, about 30 seconds and physical access to your machine can install programs, read and write files. And pretty much do anything else that you can imagine. This isn’t great, but there is a simple patch for now. Hopefully, there will be an update from Apple, but this will work in the meantime.
All you need to do is set a password for the root account (even if you never plan on using it). Here’s how to patch this hole:
- Open System Preferences.
- Choose Users & Groups.
- Click on the lock to make changes.
- Enter your administrator name and password.
Click on “Login Options”.
6. Choose “Join” at the bottom of the window.
- Select “Open Directory Utility”.
Click on the lock to make changes and enter your username and password.
9. At the top of the menu bar, choose “Edit”.
10. Select “Enable Root User”
From there, you can enter a password for the root user account, which prevents it from being accessed with a blank password, which is what the current bug allows to happen.
Until the bug is fixed by Apple, you will want to leave the root user account intact to prevent it from being accessed without a password. Disabling the root user account follows these same steps, but at the “Edit” portion of the process, you want to select “Disable Root User” in order to remove the option. To further protect your Mac, you can also disable guest accounts, though this is not a necessary step with a root password enabled. Guest accounts can be disabled by going to System Preferences > Users & Groups and choosing “Guest User” after entering your admin password. Disable “Allow guests to log in to this computer.”
Back in August of 2016, Apple announced their first iOS bug bounty program in order to encourage security experts to disclose Apple first. The program was created as a way of paying security researchers for disclosed vulnerabilities within the Apple mobile operating system. Payouts could have easily reached $200,000 but a report from earlier this year indicates that those researchers might actually make more money selling the bugs elsewhere. That’s right, you read that correctly. This macOS public disclosure helped spread the vulnerability’s awareness quickly, but it now leaves a lot of people scrambling to secure their systems. While the iOS bug bounty program isn’t directly linked to what’s happening with macOS it does leave you scratching your head a bit, doesn’t it?
Apple has acknowledged this bug and they are working on a fix. What’s unknown is how long it will take for that fix to be available. Apple is usually really good at putting a lot of hours in to fix these things, but how high of a priority is this? It’s hard to say at this point. We will keep you up to date when the fix is available.