Apple has confirmed reports of a significant ‘root bug’ affecting iMacs and MacBooks upgraded to the new version of macOS High Sierra.
The flaw, discovered by Turkish developer Lemin Ergin, allows somebody access to another’s machine without the need for a password by simply entering ‘root’ as a username and hitting enter in the systems admin settings. Doing so apparently grants powerful administrator rights including being able to delete files, change passwords and add/remove system accounts.
Apple is taking the issue seriously, offering the following statement:
“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012.
“If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”
It is not known when a patch will be released by Apple for the flaw, but with the firm working on the bug one should be expected in the coming hours. In the meantime, it’s worth bearing in mind that the vulnerability cannot be exploited remotely, so anyone targeting Macs would need physical access to a machine which would also need to be fully open and unlocked for the hack to occur.
“It wasn’t that long ago that Apple was winning the desktop security space by a large margin, primarily through the advantage of obscurity versus its Windows competition,” said Lee Munson, security researcher for Comparitech.com. “Times have changed though and we can no longer say that Macs don’t get viruses and nor can we say that they are immune to potentially very serious bugs either.”
The latest of those bugs to emerge is about as serious as it gets, he added, as the ability to gain admin rights to any machine via a few key presses poses tremendous risk to those devices, the information contained on them and the networks they connect to.
“Of course, this is all mitigated by the fact that remote access can only be gained if the bug is first leveraged through physical access to the device, so home users have very little to worry about and businesses should also be okay, as long as they are on top of access control and visitor policies.
“Even so, all Mac owners would be well advised to install the resultant patch, just as soon as it becomes available.”