Apple rushes out patch for macOS root security hole

Apple has issued an urgent security update for a flaw that allows any user to log on as the root superuser to a macOS High Sierra computer without a password.

An attacker taking advantage of the vulnerability would be able to fully take over Mac computers.

The issue was made public this week. Apple has now rushed out a fix for its directory utility tool, which is shipped with macOS and first appeared in 2001, to address the security hole.

"A logic error existed in the validation of credentials. This was addressed with improved credential validation," Apple said in its advisory for the update.

Only macOS High Sierra 10.13.1 was affected by the bug, it said.

The directory utility is used to "add and configure advanced connections to directory servers, change search policies, and view user and group attributes". On macOS, it also provides the ability to enable and disable the root account.

Apple said the update will disable the root account on Macs. Users who require it will need to re-enable it.

However, in iTnews testing the root account remained enabled with a password after the update was applied.

The flaw is arguably the most serious security issue to strike macOS, given it is trivial to exploit both locally and remotely.

Apple said in a statement it would audit its software development processes.

“We greatly regret this error and we apologise to all Mac users,” the company said.

“Our customers deserve better. We are auditing our development processes to help prevent this from happening again.”

Security vendor Bugcrowd urged Mac users to apply the update as soon as possible.

Bugcrowd warned that testing for the vulnerability will enable the root account without a password on unpatched systems.

This creates a permanent security hole that could be exploited remotely via services such as screen sharing, it said.