Major security flaw in macOS High Sierra allows unrestricted access to Macs
27 November 2017
28 November 2017: Security Update 2017-001 now available via the App Store. https://support.apple.com/kb/HT201222
Apple has reported they are working to fix a serious security flaw that has been discovered in the latest version of OS X, macOS High Sierra. The bug enables a user to gain ‘root’ access to a computer without them having to enter a password, allowing unrestricted control of the machine.

How does it work?
Anyone attempting to logging into a Mac running macOS High Sierra can gain access to the computer by entering the user name ‘root’ and leaving the password field blank and pressing the Return key a few times.

Stacks Image 2383
Typically an authentication dialog will appear when a computer is started or woken up after being asleep so that the user can login, but the bug also manifests itself whenever an authentication dialog is displayed such as when changing important System Preferences. The bug could even be exploited by other means, too, if virus writers were inclined to do so.

authentication1
What can I do to prevent access to my computer?
The first thing to be aware of is that the problem only exists if you’re running macOS High Sierra, the vulnerability does not affect macOS Sierra or any other previous version of the operating system:
  • Avoid leaving your computer unattended or needlessly connected to the internet.
  • Turn off sharing if possible.
  • Enable root user on your computer and assign a cryptic password (and disable root user afterwards).
Enable/Disable the root user
1. Open the System Preferences and select Users & Groups
2. Click the ‘lock’ and enter an Admin name and password
3. Click Login Options (at the bottom of the user list).
4. Click ‘Join’ button

groups

5. Click Open Directory Utility
6. Click the ‘lock’ in the Directory Utility window and enter an Admin name and password.
7. From the Directory Utility menu choose Edit and Enable Root User

du1
Login as root user
1. Choose the Apple menu and Log out
2. At the login window enter root and the (default) password.

Change the root user password
1. Open the System Preferences and select Users & Groups
2. Click the ‘lock’ and enter an Admin name and password
3. Click Login Options (at the bottom of the user list).
4. Click ‘Join’ button
5. Click Open Directory Utility
6. Click the ‘lock’ in the Directory Utility window and enter an Admin name and password.
7. From the Directory Utility menu choose Edit and Change Root Password
8. Enter a new (cryptic) root password when prompted.

* Remember to disable the root user after completing this task!

See the following Apple Knowledge base article for further information:
https://support.apple.com/en-us/HT204012

Check regularly for updates via the App Store
Apple are urgently working on a fix for this problem and will hopefully release an update to macOS High Sierra in the next few days. Monitor any updates that arrive via the App Store and download and install them as soon as possible.