Mac users running High Sierra, drop everything and install this security update now! (Updated)
Update, Dec 1: If you're having file sharing problems after installing this security update, Apple has released a new version, build 17B1002, that fixes both the file sharing problem and the root bug.
First published on Nov 30, 2017:
After pulling an all-nighter, Apple has released a security update to fix the ‘root’ security vulnerability in macOS High Sierra discovered (and widely reported) yesterday.
Security Update 2017-001
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.
If you require the root user account on your Mac, you can enable the root user and change the root user’s password.
The fastest and easiest way to update is through the Mac App Store. And Apple’s recommendation is clear: “Install this update as soon as possible.”
Apple has also apologized to all Mac users for the error. In a statement to iMore:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.