Critical High Sierra "Root access" security flaw

Forums › Mac OS › Critical High Sierra "Root access" security flaw - recommend your urgent action

Item

1739 posts

Uber Geek
+1 received by user: 726

Subscriber

#225660 29-Nov-2017 10:22

So it looks like a glaring and brutal flaw has been exposed in High Sierra which allows root access with a blank password.

https://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/

https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/

Anyone running High Sierra should address this ASAP to secure their Apple computer...

Someone will be getting fired for this one surely!

Peppery

919 posts

Ultimate Geek
+1 received by user: 188

Trusted

#1909392 29-Nov-2017 10:24

Just tried it on my MacBook. Works as intended.

FileVault should mitigate this partially if the machine is off, but still not good. I'd imagine actually setting a password on the root account would also solve this (but my work machine is still on 10.12 so can't confirm).

premiumtouring

357 posts

Ultimate Geek
+1 received by user: 143

#1909393 29-Nov-2017 10:25

Yeah this is a big one. Hopefully patched quickly.

Haven't upgraded to HS yet because the new file system doesn't support Fusion Drives yet.

Guess it's good I waited.

premiumtouring

357 posts

Ultimate Geek
+1 received by user: 143

#1909394 29-Nov-2017 10:26

As a side note, does anyone know if this vulnerability can be exploited by an application? I think to be safe, I'd advise holding off installing or upgrading *anything* until it is patched.

premiumtouring

357 posts

Ultimate Geek
+1 received by user: 143

#1909466 29-Nov-2017 11:53

Just as a follow up, some are recommending setting a 'root' password as an interim measure. Although the argument is that this is actually less secure as there should be no root account at all.

https://news.ycombinator.com/item?id=15800676