Apple has released macOS High Sierra Security Update 2017-001 to address the embarrassing security hole discovered yesterday. Funnily referred to as #IAmRoot on Twitter, the exploit allowed anyone to obtain the highest level of access to your Mac by using the built-in root account without a password. Most vulnerable to physical access, others on Twitter discovered it allowed for remote exploitation as well.
If you’re running a Mac with High Sierra, update immiediately via the App Store.
Apple released the following statement:
Security is a top priority for every Apple product, and regrettably we stumbled with this release of macOS.
When our security engineers became aware of the issue Tuesday afternoon, we immediately began working on an update that closes the security hole. This morning, as of 8 a.m., the update is available for download, and starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.
We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.
This is an insanely-quick response from Apple, and that is fantastic. However, this never, ever should have happened to begin with. There’s no other word for it than ‘embarrassing’. An increasingly large amount of Apple’s value proposition is their stock as the privacy and security company. After a while, issues like these can begin to hurt their credibility.
I think it’s clear Apple really needs to institute a bug bounty program for Mac, like they have done for iOS. The Mac product line as a whole has been seen as neglected by pros over the past couple years, so huge missteps like this only add insult to injury. If Apple doesn’t want folks to think of Mac as the red-headed step-child, they need to start doing a much better job.