A critical security bug in macOS High Sierra was publicly disclosed yesterday. It enables anyone to gain full admin access to a Mac running High Sierra without needing the password. Once they’re in the admin controls section, they can make changes, such as installing and deleting apps, that otherwise require the device’s admin password. Apple has now released a fix for this bug and is advising users to install it as soon as possible.
The bug doesn’t even require any sophisticated code to exploit. When prompted to enter the admin password, one just needs to type “root” in the user name field and leave the password field blank. That’s all. This provides full admin access even if the device’s owner has a password in place.
Apple has rolled out the fix for this bug today and it’s calling on all its customers to “install this update as soon as possible.” This is mentioned right in the update’s description to highlight the gravity of this issue. The update will be installed automatically on all devices running macOS High Sierra.
The company has also issued an unusually forthright statement addressing this embarrassing misstep. “Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS,” it said, adding that “We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused.”
Apple says that it’s auditing its development process to ensure something like this doesn’t happen again.