I was going to talk to my friends in HR, but …

… it’s not quite the season yet.

So, instead, I am making a general recommendation.

Never respond to emails that request sensitive information (personal, business, or otherwise) without verifying the identity and the legitimacy of the requesting party.  This means picking up the phone and calling the requester using a known good contact phone number, not one taken from the email itself (nothing in a suspect email can be trusted, including the sender address and the signature block).

This post was prompted by thoughts of HR folks seeing phishing emails requesting W-2 information.  In case I forget to post about it in January:  HR types need to be particularly phishing-aware.  If your boss or CEO or President wants to see all your W-2 info – well, yeah, that deserves a phone call before you reply.

Good luck out there!

Uh, Apple? Is that you?

Apple’s generally strong history of good security practices makes the recently disclosed “root security bug” surprising indeed.  If you have a Mac running macOS High Sierra 10.13, haven’t heard about this bug, and haven’t patched lately, you will want to perk up and read on.

As vulnerabilities go, this is bad.  Really bad.  This is especially true if you have any data on your Mac that you might consider confidential.  Here’s one example of how it works:  when attempting to change a locked system setting you are prompted for an administrator name and password to confirm the change.  On a vulnerable system, you need only type “root” in the user name field, leave the password blank, and click the unlock button (it may take a second try) and you are authenticated as root.  (Root is the all-powerful superuser account on Unix-like systems, which macOS is; on a Mac the root account is disabled by default and almost never needed.)  Worse, a successful attempt actually enables the root account with an empty password, so the hole stays open afterwards.  Using root with a blank password in this way also works in several other scenarios, including the login window and remote desktop (screen sharing) access if you have it enabled.

About 18 hours after the bug was disclosed (irresponsibly, I might add, on Twitter, but that is another rant) Apple issued a patch.  BUT, and here’s the “wtf, Apple” moment: if you were running High Sierra 10.13.0, applied the patch, and subsequently updated to 10.13.1, the update overwrote the fix, the bug was back, and you were vulnerable again.  The patch had to be applied AGAIN and the system rebooted for it to take effect.  Oh, and the patch didn’t tell you that you had to reboot.

So much pooch-screwing.  Man.

So if you have a Mac and you have auto-updates turned on (you probably should) then you are most likely already on 10.13.1 with the security patch (Security Update 2017-001) applied.  You can verify the OS version by doing the following.

From the Apple menu in the corner of your screen, choose About This Mac.  The version of your operating system appears beneath “macOS” or “OS X” in the window that opens; clicking the version number reveals the build number, which changes when the security update is installed.

You can also attempt to reproduce the bug as described above.  It might take a couple of tries with root and a blank password, but if you are unable to authenticate after several attempts, then you’re all good.  Be aware that on an unpatched system a successful attempt enables the root account with an empty password: if it works, install the security update, reboot, and then disable root again (or give it a strong password) using Directory Utility.
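For readers who would rather check from a Terminal than click through dialogs, here is an added example (my own script, not something from the original post or from Apple) that classifies a macOS version string against the bug and looks for the security update in the install history.  It relies on the facts above (10.13.0 and 10.13.1 need Security Update 2017-001) plus one fact I am certain of: 10.13.2 and later ship with the fix built in.  The grep of InstallHistory.plist is only a hint, since that history survives OS upgrades.

```shell
#!/bin/sh
# Added example (not from the original post): classify a macOS version
# against the High Sierra root-authentication bug and look for the fix.
# Assumes: 10.13.0 and 10.13.1 are affected and need Security Update
# 2017-001 plus a reboot; 10.13.2 and later ship with the fix.

# version_ge A B: succeed when dotted version A >= B (missing parts count as 0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# root_bug_status VERSION: print one of unaffected | patch-required | fixed
root_bug_status() {
  if ! version_ge "$1" 10.13; then
    echo unaffected        # Sierra and earlier never had the bug
  elif version_ge "$1" 10.13.2; then
    echo fixed             # 10.13.2 and later include the fix
  else
    echo patch-required    # 10.13.0 / 10.13.1: Security Update 2017-001 + reboot
  fi
}

# security_update_installed: succeed if the package install history (which
# macOS keeps in InstallHistory.plist) records the update. The history is
# carried over from earlier OS versions, so treat a hit as a hint only.
security_update_installed() {
  hist=/Library/Receipts/InstallHistory.plist
  [ -r "$hist" ] && grep -q 'Security Update 2017-001' "$hist"
}

# Live check; sw_vers only exists on macOS, so this is skipped elsewhere.
if command -v sw_vers >/dev/null 2>&1; then
  ver=$(sw_vers -productVersion)
  status=$(root_bug_status "$ver")
  echo "macOS $ver: $status"
  if [ "$status" = patch-required ]; then
    if security_update_installed; then
      echo "Security Update 2017-001 is in the install history; make sure you rebooted after it."
    else
      echo "Security Update 2017-001 NOT found; run Software Update now."
    fi
  fi
else
  echo "sw_vers not found: not macOS, nothing to check here."
fi
```

Run it with `sh check-root-bug.sh` on the Mac in question; a `patch-required` result with no update in the history is the case the post warns about.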

I am an advocate for enabling auto-updates whenever possible, including for third party applications like Adobe Reader, Java, etc.  There’s almost no downside to doing this if you are an average home user.

Here’s how to turn on auto-updates on a Mac running Sierra.  The process should be very similar for all recent versions of macOS.

Choose Apple menu > System Preferences, then click App Store.

Select “Automatically check for updates.”

To have your Mac download updates without asking, select “Download newly available updates in the background.”

To have your Mac install app updates automatically, select “Install app updates.”

To have your Mac install macOS updates automatically, select “Install macOS updates.”

To have your Mac install system files and security updates automatically, select “Install system data files and security updates.”
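If you manage more than one Mac, clicking those five checkboxes by hand gets old.  Here is an added example (my own script, not from the original post or from Apple) that audits the preference keys behind the checkboxes and can set them.  The domain/key mapping is the one I know those checkboxes to write (com.apple.SoftwareUpdate for checking, downloading and system data/security updates; com.apple.commerce for app and macOS updates), and the sample `defaults read` dump is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit, and optionally set,
# the auto-update preferences behind the App Store pane's checkboxes.
# The key mapping below is my understanding of what the checkboxes write;
# writing to /Library/Preferences needs sudo.

SOFTWAREUPDATE=/Library/Preferences/com.apple.SoftwareUpdate   # check, download, system data/security
COMMERCE=/Library/Preferences/com.apple.commerce                # app updates, macOS updates
SU_KEYS="AutomaticCheckEnabled AutomaticDownload ConfigDataInstall CriticalUpdateInstall"
COMMERCE_KEYS="AutoUpdate AutoUpdateRestartRequired"

# audit_prefs DUMP KEY...: DUMP is the text `defaults read DOMAIN` prints.
# Prints "OFF: key" for every key not set to 1 and fails if any were.
audit_prefs() {
  dump=$1; shift
  bad=0
  for key in "$@"; do
    if ! printf '%s\n' "$dump" | grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1;"; then
      echo "OFF: $key"; bad=1
    fi
  done
  return $bad
}

# enable_auto_updates: turn every checkbox on (system-wide, hence sudo).
enable_auto_updates() {
  for key in $SU_KEYS; do sudo defaults write "$SOFTWAREUPDATE" "$key" -bool true; done
  for key in $COMMERCE_KEYS; do sudo defaults write "$COMMERCE" "$key" -bool true; done
}

# Constructed sample of a half-configured Mac: checking is on, background
# download is off, and CriticalUpdateInstall was never set at all.
SAMPLE_SOFTWAREUPDATE='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 0;
    ConfigDataInstall = 1;
}'

echo "Sample audit:"
audit_prefs "$SAMPLE_SOFTWAREUPDATE" $SU_KEYS || echo "sample: some settings are off"

# Live audit (and `--apply` to fix); `defaults` only exists on macOS.
if command -v defaults >/dev/null 2>&1; then
  [ "$1" = --apply ] && enable_auto_updates
  echo "Live audit:"
  ok=1
  audit_prefs "$(defaults read "$SOFTWAREUPDATE" 2>/dev/null)" $SU_KEYS || ok=0
  audit_prefs "$(defaults read "$COMMERCE" 2>/dev/null)" $COMMERCE_KEYS || ok=0
  [ $ok = 1 ] && echo "all auto-update settings are on"
else
  echo "defaults not found: not macOS, live audit skipped."
fi
```

`sh auto-updates.sh` reports which settings are off; `sh auto-updates.sh --apply` turns them all on first and then re-audits.  Keys the pane has never touched are simply absent from the dump, which is why the audit treats "missing" the same as "off".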