On November 28th a software developer publicly reported a security vulnerability in macOS High Sierra 10.13 or greater. This vulnerability allows anyone to log in to a Mac and change administrative settings by typing the username “root” with no password.

Systems at Risk

  • Currently, this vulnerability only affects Mac systems that have been upgraded to High Sierra 10.13 or greater;
  • Systems with local console access, such as shared-use computers in teaching or lab environments, where users of the shared computer are not granted root access;
  • Systems with Apple Remote Desktop (ARD) enabled.
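The following triage script is an added example and is not part of the advisory. It decides whether a machine falls in the affected version range (10.13 or greater) and, on a Mac, reports whether the root account has an authentication authority set and whether the Apple Remote Desktop agent is running. The `dscl` key check and the `ARDAgent` process name are assumptions about how macOS reports those states; the version comparison is plain POSIX shell and runs anywhere.

```shell
#!/bin/sh
# Added triage helper for the High Sierra root-login advisory (not Apple's or UIS's code).

# version_at_least A B: succeed when dotted version A is >= dotted version B.
version_at_least() {
  v1="$1"; v2="$2"; i=1
  while :; do
    a=$(printf '%s' "$v1" | cut -d. -f"$i")
    b=$(printf '%s' "$v2" | cut -d. -f"$i")
    # Both strings exhausted with no difference found: equal versions.
    [ -z "$a" ] && [ -z "$b" ] && return 0
    a=${a:-0}; b=${b:-0}   # missing component counts as 0 (10.13 == 10.13.0)
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
}

# affected_version V: succeed when V is in the range the advisory names.
affected_version() {
  version_at_least "$1" "10.13"
}

# triage: print what a help desk would want to know about this machine.
triage() {
  if [ "$(uname -s)" != "Darwin" ]; then
    echo "not macOS; version and account checks skipped"
    return 0
  fi
  ver=$(sw_vers -productVersion)
  if affected_version "$ver"; then
    echo "macOS $ver: in the affected range; confirm the Apple security update is installed"
  else
    echo "macOS $ver: below 10.13, not in the affected range"
  fi
  # Assumption: when root is disabled this key is absent and dscl exits non-zero.
  if dscl . -read /Users/root AuthenticationAuthority >/dev/null 2>&1; then
    echo "root account is enabled; review it with the Help Desk"
  else
    echo "root account appears disabled"
  fi
  # Assumption: ARDAgent is the process present when Remote Management is on.
  if pgrep -x ARDAgent >/dev/null 2>&1; then
    echo "Apple Remote Desktop agent is running (remote exposure)"
  else
    echo "Apple Remote Desktop agent is not running"
  fi
}

triage
```

Run it as a normal user; none of the checks need root. On a non-Mac host it only reports that the macOS-specific checks were skipped.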

Apple has released the following security update:

https://support.apple.com/en-us/HT201222

Service Management is working to test and apply the patch. No action is needed by end users for UIS-managed systems.

Recommended Actions for students and personal machines

1. High Sierra 10.13 or greater users: visit Apple Support to install the security update: https://support.apple.com/en-us/HT201222

2. If you need assistance with the security update, please call the Help Desk at 202-687-4949 or visit the walk-up Service Desk in the Bookstore.

More Information

https://www.macrumors.com/how-to/temporarily-fix-macos-high-sierra-root-bug/

https://www.theverge.com/2017/11/28/16711782/apple-macos-high-sierra-critical-password-security-flaw

http://www.pocket-lint.com/news/142980-macos-high-sierra-root-bug-allows-admin-access-without-a-password-who-is-affected-and-is-there-a-fix

http://uk.businessinsider.com/macos-high-sierra-can-be-hacked-with-username-root-and-no-password-2017-11