Apple Patches Major macOS Security Issue: Check Your Updates Now

Gavin Phillips 30-11-2017

A Turkish security researcher has exposed a major bug in macOS High Sierra. The flaw makes it possible for an attacker to gain entry to a machine without a password — as well as access to powerful administrator rights. Apple has issued a patch to fix the vulnerability affecting almost all macOS High Sierra systems.


Unpatched systems, however, remain insecure…

What Is the Bug?

The flaw was outed by Turkish developer Lemi Orhan Ergan. It allowed anyone to gain full administrative rights over a macOS High Sierra machine by simply typing “root” as the username in authentication dialog box. Then, leaving the password field blank and clicking the “Unlock” button twice, full administrative access is granted.

In theory, before the patch, if you left your Mac unattended, someone could easily gain access and wreck your machine. For example, they might install malware 5 Easy Ways to Infect Your Mac With Malware Malware can definitely affect Mac devices! Avoid making these mistakes or else you'll end up getting your Mac infected. Read More , capture passwords 5 Easy Ways to Infect Your Mac With Malware Malware can definitely affect Mac devices! Avoid making these mistakes or else you'll end up getting your Mac infected. Read More using Keychain Access Should You Use iCloud Keychain to Sync Passwords on Mac & iOS? If you primarily use Apple products, why not use the company's own password manager completely free of charge? Read More , delete or ruin your Apple ID, and more.

But Apple Have Fixed the Problem, Right?

As I penned this article, Apple released the security update to patch the issue. The Apple security content update statement says “A logic error existed in the validation of credentials. This was addressed with improved credential validation.”


The fix is already available on the Mac App Store. Also, the update will automatically apply to Macs running High Sierra 10.13.1 from Wednesday 29th November. Apple expanded on the situation with the following statement:

“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.

“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8am, the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.

“We greatly regret this error, and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”


But They Already Knew About It?

Unfortunately for Apple, this issue had already surfaced — but received no action. A member of Apple’s support forum posted exact details of the bug more than two weeks ago. The original post and responses seem to view the major bug as a potential troubleshooting feature, rather than a critical security threat.

What Do I Do Now?

Well, the first thing to do is head to check for system update. Apple was set to roll out the automatic patch update at some point in the last 24 hours. If the automatic update hasn’t appeared, you should head to the Mac App Store and search for the update there. Alternatively, click this link.

Apple Patches Major macOS Security Issue: Check Your Updates Now apple security flaw

Once the update downloads, install immediately.


It Isn’t Working

If some reason the update will not install, first turn your system off and on, then retry. Apple has automated the process.

Otherwise, follow these steps to secure your system in the meantime:

  1. Open Spotlight, search for Directory Utility, select the corresponding option
  2. Click the lock to make changes; enter your username and password for the administrative account
  3. Head to Menu > Edit
  4. Select Enable Root User; create a password and verify

This is, however, a stop-gap. Please attempt to install the official update.

Eyes on the Source

As Apple patches the bug, eyes turn to Lemi Orhan Ergan. The self-described “software craftsman” is receiving criticism for not adhering to responsible disclosure guidelines Full or Responsible Disclosure: How Security Vulnerabilities Are Disclosed Security vulnerabilities in popular software packages are discovered all the time, but how are they reported to developers, and how do hackers learn about vulnerabilities that they can exploit? Read More . Responsible disclosure asks security researchers to inform companies about security threats to allow time to fix the flaw. After the flaw is fixed, the researcher is clear to present their findings to the public.


Of course, this system doesn’t always work as intended. Companies fail to respond, and security researchers become impatient. In those instances, creating a public issue forces the hand of the company, compelling them to fix the security threat.

After receiving a significant amount of criticism, Ergan posted a riposte on Medium. He explains that he “is neither a hacker, nor a security specialist,” continuing “I solely focus on secure coding practices while programming, but I can never call myself a security specialist.”

In all fairness, the bug was discussed on the Apple support forum. Furthermore, Ergan claims his colleagues at payments firm Iyzico disclosed the threat to Apple on 23rd November — but never received a response.

Eyes on the Ball

From the source, to the company. Did Apple let this one slip through the net? In a word, yes: especially if they were aware of the bug as Ergan claims. Unfortunately, we don’t know the truth, so cannot make a solid assessment of the situation.

Even after suffering their second forced update in a year (still only their second forced security update ever), Apple shouldn’t worry. Instances of macOS and iOS malware are rising Apple-Targeted Malware Increases - Here's What to Look Out For in 2016 Apple hardware is no longer a safe haven from hackers, malware, ransomware, and other cyber-threats. The first half of 2016 proves that without the right precautions, your devices can become risks.... Read More , but Windows and Android remain the prime targets What Is The Most Secure Mobile Operating System? Battling for the title of Most Secure Mobile OS, we have: Android, BlackBerry, Ubuntu, Windows Phone, and iOS. Which operating system is the best at holding its own against online attacks? Read More . Furthermore, Apple has a stellar security record for the most part The Ultimate Mac Security Guide: 20 Ways to Protect Yourself Don't be a victim! Secure your Mac today with our exhaustive High Sierra security guide. Read More , as evidenced by their swift and effective update roll out to quell the burgeoning threat.

Have you been affected by the Apple security flaw? Or did the update arrive swiftly enough to stop you worrying? Let us know your thoughts below!

Related topics: Computer Security, macOS High Sierra.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Earth Cariño
    November 30, 2017 at 1:29 pm