Apple has released an emergency patch to resolve the major security vulnerability in macOS 10.13 High Sierra which allows anybody to log in, locally or remotely, using the username 'root' and a blank password - but in doing so has broken the operating system's file sharing functionality.
Apple's macOS High Sierra, released in September, brought a wealth of new features but also introduced a serious bug: Entering the username 'root', assigned to the administrative-level account which is disabled by default, and a blank password allows anyone to log in and take full control over the system - right through to disabling disk encryption and retrieving passwords from the keychain. Publicised by security researcher Lemi Orhan Ergin on Twitter, evidence suggests the flaw - which is not present in macOS 10.12 Sierra and earlier - had been noted by users up to two weeks earlier, but was for some reason not considered a security issue at the time.
Following Ergin's publication of the vulnerability Apple developed an emergency out-of-band security patch which it released late yesterday as Security Update 2017-001. Fixing what the company described as a 'logic error in the validation of credentials' the patch closes the hole but in doing so breaks the operating system's file sharing functionality - a glitch which would point to the patch being rushed out without proper testing.
Those affected by the flaw in the patch are still advised to install it in order to close the more serious security hole, after which the following instructions will restore file sharing functionality.
September 18 2020 | 18:30