Errors occur in every software, but the worst are the ones related to security. Apple had to react on very serious software vulnerability, because practically every person who has physical access to a computer with the latest MacOS High Sierra system could have root privileges. The attacker does not have to show any hacking abilities. This error can be used by everyone. Fortunately, Apple has already released an update with the fix.

This issue applies to all Apple owners who have installed the latest operating system, MacOS High Sierra, and do not change the default settings for the root password. On operating systems like Linux and macOS, the user works using an account without administrator rights. If you need to perform an operation that requires additional privileges (e.g. to create a new user account), then you have to use the sudo mode. Then the operating system asks the user to enter his or her password. In macOS systems, we can also provide the name of another user. This is useful in situations where we use an account without sudo privileges. Unfortunately, the graphical interface in MacOS High Sierra allows you to use root privileges here. All you need to do is enter its name and leave the empty password by pressing the Enter key or the Unlock button.

Information about the vulnerability in the Apple system immediately circulated the world.

Fortunately Cupertino engineers reacted quickly and during the day they prepared an update fixing the bug. By the way, we found out which versions of macOS are sensitive to this unusual attack. It appears to have existed since the inception of the High Sierra version, because the released security patch does not apply to the macOS Sierra 10.12.6 version and older. Installing the update does not require a restart of the computer, and after installation, everything works as it should. On my computer I could easily perform the attack shown in the following video. After fix installation, it does not work any longer.

macos root

Please note that users who have changed the default settings of root password have not been affected by this issue. Similarly, the vulnerability was not related to the system terminal and ssh connections. The error was located only in the validation of credentials mechanism through the graphical interface.

Source: 9to5mac