[Update: Enough has changed since we initially wrote this article that we’ve now published a replacement that provides current information. Read it at “Apple Pushes Updates to Block the Root Vulnerability Bug” (30 November 2017). -Adam]
As I predicted in “High Sierra Bug Provides Full Root Access” (28 November 2017), Apple quickly released Security Update 2017-001 to address the root vulnerability bug that enabled anyone to gain admin access without a password. I’ve installed it and confirmed that it works as advertised.
Everyone running macOS 10.13.1 High Sierra should install this security update via Software Update immediately. It does not require a restart. I know that we usually recommend caution when it comes to installing updates, but this vulnerability is so severe that the fix is more important than any trouble it could conceivably cause. That said, make sure you have a backup!
Starting later today, Apple will automatically push this security update to all Macs running High Sierra 10.13.1. If, for some reason, you haven’t updated from 10.13.0 to 10.13.1, we recommend doing that too. 10.13.0 suffers from the bug as well, but the security update is only for 10.13.1.
If you need a standalone installer for Security Update 2017-001 for some reason, Apple has now made such a download available.
Although the community identified the primary attack vectors yesterday, it’s possible that there are others that are not blocked by changing the root password or disabling remote access. We have to assume that black hat hackers are already probing every possible area where this bug could provide access. That’s why it’s entirely reasonable for Apple to push the security update to all systems.
In a statement to John Gruber of Daring Fireball, Apple said:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8:00 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
Apple notes that after installation, the build number of macOS will be 17B1002. To verify that number, choose Apple menu > About This Mac and click the Version 10.13.1 line.
If you have a legitimate use for the root user account on your Mac, you’ll need to reenable it and change its password in Directory Utility after installing the update. Hardly anyone should have to do this.
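For anyone checking more than one Mac, the build-number verification above can be scripted. This is an added example, not from the article or from Apple: it classifies a machine from the product version and build that `sw_vers` reports, using only the facts stated here (10.12 and earlier unaffected; 10.13.0 and 10.13.1 affected; the update applies only to 10.13.1 and yields build 17B1002). The function and output labels are this example's own; later 10.13 point releases are deliberately reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example (not from the original article): classify a Mac's patch state
# for the High Sierra root bug from its macOS product version and build number.
# Facts used, all from the article: 10.12 and earlier are unaffected; 10.13.0
# and 10.13.1 are affected; Security Update 2017-001 is only for 10.13.1 and
# leaves the build number at 17B1002.

# Usage: assess_root_bug_state <product_version> <build>
# Prints one of: patched, vulnerable-needs-update, vulnerable-needs-10.13.1,
# unaffected, unknown
assess_root_bug_state() {
    version="$1"
    build="$2"
    case "$version" in
        10.13.1)
            if [ "$build" = "17B1002" ]; then
                echo patched                  # security update installed
            else
                echo vulnerable-needs-update  # 10.13.1 but pre-update build
            fi
            ;;
        10.13|10.13.0)
            # sw_vers reports 10.13.0 as "10.13"; the fix needs 10.13.1 first
            echo vulnerable-needs-10.13.1
            ;;
        10.13.*)
            # Later 10.13 releases are not covered by the article: do not guess
            echo unknown
            ;;
        10.[0-9]|10.[0-9].*|10.1[0-2]|10.1[0-2].*)
            echo unaffected                   # Sierra and earlier
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Check the Mac this runs on. sw_vers is the standard macOS version tool;
# on any other system the function reports that it cannot check.
check_this_mac() {
    if command -v sw_vers >/dev/null 2>&1; then
        assess_root_bug_state "$(sw_vers -productVersion)" "$(sw_vers -buildVersion)"
    else
        echo "sw_vers not found: not macOS, nothing to check"
    fi
}
```

Run `check_this_mac` on each machine and treat anything other than `patched` or `unaffected` as needing attention.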
Apple deserves credit for releasing this security update in less than 24 hours after the bug was publicized on Twitter. That quick reaction time is reassuring, even though I’m sure many developers, testers, and deployment teams at Apple had a truly awful day yesterday.
But the fact that Apple could introduce a security hole the size of a truck into High Sierra is appalling. Ensuring that unauthorized users can’t act as the root user in a Unix system is basic security, because anyone who can become root can do anything they want. That the vulnerability escaped notice in Apple’s security testing is almost worse than the vulnerability itself.
And yes, if you’ve been waiting to upgrade to High Sierra, pat yourself on the back. 10.12 Sierra and earlier versions of OS X don’t suffer from this bug.