Apple released an urgent fix on Wednesday for a security flaw discovered in its Mac operating system. macOS High Sierra, released in September, allowed anyone to gain unrestricted access to a computer’s settings, just by typing the word “root” in the username box, leaving the password box blank, and pressing enter a few times.
“An attacker may be able to bypass administrator authentication without supplying the administrator’s password,” Apple said in its support document. “A logic error existed in the validation of credentials. This was addressed with improved credential validation.”
Lemi Orhan Ergin, a Turkish security researcher, discovered the flaw on Tuesday. In the “System Preferences” app, certain options are locked until the user presses the padlock in the bottom left corner. Normally, the user then needs to supply an administrator’s username and password, but Ergin discovered that the above method was sufficient to unlock and start making changes.
The same day the flaw was discovered, Apple published instructions on how to enable the password for the “root” user.
The company sent out the update via the built-in software updater. It does not require a restart. “Security Update 2017-001” shows up in the list of pending updates with a special message urging the user to install immediately:
Ergin received criticism for sharing the flaw with Twitter. In a followup response, he claimed a member of staff at his workplace stumbled across the bug. He also noticed that the issue had already been discussed on public forums, even the Apple Developer Forum, but Apple had yet to release a fix.
“I have no intention to harm Apple and Apple users,” Ergin said in a response on Medium. “By posting the tweet, I just wanted to warn Apple and say “there is a serious security issue in High Sierra, be aware of it and fix it.” Simply saying, I am not the one who discovered the security bug, but the one who make it more visible in public by mentioning it via Twitter.”