Flaw in macOS High Sierra gives anyone root access, and here's the fix

On Tuesday, a software engineer discovered a major macOS High Sierra security flaw: Anyone can log into an admin account by typing the username “root,” with no password–leaving all up-to-date Macs open to attack.

The root admin login works on both locked and unlocked Macs, researchers found. ZDNet, AppleInsider, and many others have confirmed that the vulnerability is functional and extremely easy to take advantage of.

All versions of High Sierra contain the flaw, including version Beta 5 that was released on Tuesday, AppleInsider noted.

Apple is working on a software update to fix the issue, a spokesperson said. In the meantime, users should set up a root password, which prevents unauthorized access to a Mac.

SEE: Information security incident reporting policy (Tech Pro Research)

Here’s how to enable or disable the root users, according to Apple Support:

Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
Click lock icon, then enter an administrator name and password.
Click Login Options.
Click Join (or Edit).
Click Open Directory Utility.
Click lock icon in the Directory Utility window, then enter an administrator name and password.
From the menu bar in Directory Utility: Choose Edit > Enable Root User, then enter the password that you want to use for the root user. Or choose Edit > Disable Root User.

If a root user is already enabled, you should follow these instructions to change the root password and ensure a blank password is not set, according to Apple:

Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
Click lock icon, then enter an administrator name and password.
Click Login Options.
Click Join (or Edit).
Click Open Directory Utility.
Click lock icon in the Directory Utility window, then enter an administrator name and password.
From the menu bar in Directory Utility, choose Edit > Change Root Password…
Enter a root password when prompted.

This is not the first security issue identified on Macs this year. In September, an iOS security flaw called LeakyX caused Exchange credentials to be transmitted without encryption–even if SSL was enabled. That month, a former NSA hacker found that in macOS High Sierra, a flaw allowed people to steal the entire contents of the Keychain with an unsigned app. And many Macs may include firmware vulnerabilities and are susceptible to attacks, according to a report from Duo Security.

For more data security and privacy tips for iOS, click here.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE This policy describes the organization’s employee privacy guidelines and outlines employee privacy expectations. From the policy: POLICY DETAILS The organization’s IT equipment, services and systems are intended for business use only. However, the organization acknowledges that staff, consultants and volunteers occasionally require opportunities to make or receive personal phone calls, access personal email, utilize ...

PURPOSE The purpose of this Security Response Policy from TechRepublic Premium is to outline the security incident response processes which must be followed. This policy will assist to identify and resolve information security incidents quickly and effectively, thus minimizing their business impact and reducing the risk of similar incidents recurring. It includes requirements for both ...

PURPOSE This policy from TechRepublic Premium provides guidelines for reliable and secure backups of end user data. It outlines the responsibilities of IT departments and employees to identify tasks and action items for each group. The policy can be customized to fit the needs of your organization. From the policy: IT STAFF RESPONSIBILITIES IT staff ...

Flaw in macOS High Sierra gives anyone root access, and here’s the fix