Update #2: An official fix is now available; no restart required.
Update: An Apple spokesperson has issued the following statement, saying an update is in the works:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
A newly discovered macOS High Sierra flaw is potentially leaving your personal data at risk. Developer Lemi Orhan Ergin publicly contacted Apple Support to ask about the vulnerability he discovered. In the vulnerability he found, someone with physical access to a macOS machine can access and change personal files on the system without needing any admin credentials.
Users who haven’t disabled guest user account access or changed their root passwords (likely most) are currently open to this vulnerability. We’ve included instructions on how to protect yourself in the meantime until an official fix from Apple is released.
Until a fix is officially released for today’s discovery, there are two major steps users can take to mitigate the situation.
The first is disabling guest account access. This can make it more difficult for an attacker to jump in and change system settings. In the case of this vulnerability, guest account access is not required for the attack to happen. Users who have configured their system to use the Name and password login window are also vulnerable.
To stop that, users should look at changing their system’s root password. This can put a stop to the vulnerability altogether. It should be noted that when Apple does release a fix, the root password may need to be changed again.
Disabling guest user on macOS High Sierra
Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Guest User
Step 4 | Uncheck Allow guests to log in to this computer
Changing root password on macOS High Sierra
Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Login Options
Step 4 | Select Join next to Network Account Server
Step 5 | Select Open Directory Utility
Step 6 | Click the lock and enter your password to make changes
Step 7 | In the menu bar of Directory Utility, select Change Root Password
Step 8 | Create a strong, unique password
Back in August of last year, Apple announced its first iOS bug bounty program to encourage security experts to disclose Apple first. The program was created as a way of paying security researchers for disclosed vulnerabilities within the Apple mobile operating system.
Payouts could easily reach $200,000, but a report from earlier this year indicates that these researchers may actually make more money selling the bugs elsewhere. Today’s macOS public disclosure via Twitter helped spread the vulnerability’s awareness quickly, but it now leaves many scrambling to secure their systems.
We’ve reached out to Apple about the vulnerability and will update if we hear back on when an official solution should be expected. For now the vulnerability is present on both the shipping version of macOS High Sierra as well as the developer and public beta version.
Subscribe to 9to5Mac on YouTube for more Apple news:
FTC: We use income earning auto affiliate links. More.
Comments