Apple has issued a critical security update for macOS High Sierra to address the root login bug which allows anyone to login to macOS High Sierra without a password.
All macOS High Sierra users should install the security update as soon as possible to protect their Mac, even if they have already used the root login fix detailed here. This is perhaps the most urgent Security Update for macOS High Sierra system software released yet, as it will patch the security hole completely.
The software update is labeled as “Security Update 2017-001” and is exclusive to macOS High Sierra. The brief notes attached to the App Store download say “Install this update as soon as possible. Security Update 2017-001 is recommended for all users and improves the security of macOS.”
How to Install macOS High Sierra Security Update 2017-001
- Go to the Apple menu and choose “App Store”
- Click the “Updates” tab
- When you see “Security Update – Install this update as soon as possible. Security Update 2017-001” available, click on the “Update” button
The security update, which seems to apply to the “Directory Utility” application in macOS, does not require the Mac to reboot for changes to take effect.
macOS High Sierra Security Update 2017-001 Release Notes
The download notes are brief (“Install this update as soon as possible. Security Update 2017-001 is recommended for all users and improves the security of macOS.”), but Apple details the bug and release notes for the security patch a big more here on a support page:
Security Update 2017-001
Released November 29, 2017
Available for: macOS High Sierra 10.13.1
Not impacted: macOS Sierra 10.12.6 and earlier
Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.
When you install Security Update 2017-001 on your Mac, the build number of macOS will be 17B1002. Learn how to find the macOS version and build number on your Mac.
If you require the root user account on your Mac, you can enable the root user and change the root user’s password.
Confirming the Security Update Applied to a Mac
Note that while you can download the software update yourself, Apple is reportedly going to start automatically pushing the download to macOS High Sierra machines later.
The simplest way to confirm that Security Update 2017-001 has been applied to a particular Macintosh running macOS High Sierra is to check the Mac OS build number on the computer.
- Pull down the APPLE menu and choose “About This Mac”
- Click on the text that says “Version” directly under the “macOS High Sierra” banner
- The build number will appear next to the version, if it says “(17B1002)” then the security update has successfully installed
In the example screenshot, the build version of macOS High Sierra is older than 17B1002, and thus the security patch has not yet been installed.
You can also check the build number of a Mac OS release by using Terminal and the following command syntax:
According to tweets posted by TechCrunch reporter Mathew Panzarino, Apple has released the following statement about the security flaw and the macOS High Sierra security update:
“Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS”
“When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”
Note Apple specifically says the update is available to download now, and “starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra).” This seems to imply that Apple will use the automated security update mechanism available through the Mac App Store to try and push the critical security update onto customers.
It is strongly recommended to install the security software update onto any Macintosh running macOS High Sierra as soon as possible.
A direct download link for macOs High Sierra Security Update 2017-001 is not yet available, but should appear here once it shows up.