Yesterday, a serious security vulnerability was discovered in macOS 10.13 High Sierra that allows a user to gain admin access to the PC without the owner's password. All that's required is to use 'root' as the user name, and give it a couple of tries.
Apple jumped right on top of it, and Security Update 2017-001 is already available. Unfortunately though, it's only available for macOS 10.13.1, meaning that if you're running the 10.13.2 beta, you'll likely have to wait until the next build is released. Here's the changelog:
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
CVE-2017-13872
After installing the new update, the build number for macOS should be 17B1002, which is changed from 17B48. It does not require a reboot.
Obviously, it's recommended that you install this update right away. To check for updates on your Mac, head over to the Mac App Store and click on the Updates tab.
27 Comments - Add comment