Apple has just released a security update, the first for High Sierra 10.13.1, which it claims fixes the gaping hole recently discovered in authentication, which allowed the use of the
root username with a blank password.
All those using High Sierra should install this update from the App Store as a matter of urgency on all systems running High Sierra.
You can also download a standalone installer package from here.
Apple’s summary of the bug reads: “A logic error existed in the validation of credentials. This was addressed with improved credential validation.”
Once installed, High Sierra users should then be able to disable the root user in safety, if the update doesn’t already do so.
Apple also confirms that this does not affect Sierra 10.12.6 or earlier versions of macOS or OS X.
Good for Apple to release this within 24 hours of the vulnerability become generally known, although none of this should ever have happened in the first place.
This update is small, just over 1 MB, and installs fairly quickly. It does not restart your Mac automatically, and I recommend users to restart as soon as they can after they have installed it. The shutdown before that restart takes some time, during which your Mac will show a black screen. Do not despair: this is just a little cleaning up which needs to be done to disable the root user ready for when you login after the restart.
Once your Mac is up and running again, check that the root user is now disabled. You can do that through the Users & Groups pane: authenticate as the admin user, click on Login Options at the lower left, and click on the Join button by Network Account Server in the lower section of the pane.
In the next dialog, click on the button to Open Directory Utility, then click on its padlock and authenticate again. In Directory Utility’s menus, you should now see the command to enable the root user. Don’t select that command, but its presence confirms that the root account has been disabled properly again, and your system returned to normal, without the vulnerability.
Checking the update
Apple has advised that you can check the update has been applied successfully by typing the following into Terminal’s command line:
This should return the version number opendirectoryd-483.1.5 for 10.13, or opendirectoryd-483.20.7 for 10.13.1.
This update can block file sharing. Details of how to address that are here.
- Are running 10.13 rather than 10.13.1, then
- Apply this security update, after which you
- Update to 10.13.1,
you will discover that the 10.13.1 update undoes the security update. What you must then do is install the security update for 10.13.1 and restart before macOS is properly patched again.
(Thanks to Miles Wolbe, @a_greenberg, and @bruienne for pointing this out.)